Laravel 8 Sanctum SPA Auth - Session store not set on request

Question

I'm trying to implement Sanctum SPA Authentication. I'm getting the following error when trying to login (only in production):

production.ERROR: Session store not set on request. {"userId":1,"exception":"[object] (RuntimeException(code: 0): Session store not set on request. at /app/vendor/laravel/framework/src/Illuminate/Http/Request.php:483)

Followed all the steps in the documentation. First calling sanctum/csrf-cookie GET request, then my API login POST request with the session cookie attached. Thank you for any tips!

My login method in AuthController.php, where the exceptioin is happening on line 28.

My Http\Kernel.php file with the middleweres for the API endpoints.

My API endpoint in routes/api.php

adding screenshot of text in questions is not good practice. Noone can copy/paste from it, search engines can't find anything in it. — Jean-François Fabre, Jan 18 '22 at 07:57

score 19 · Answer 1 · edited May 22 '22 at 12:59

19

Added StartSession to app/Http/Kernel.php:

protected $middleware = [
        ...
        \Illuminate\Session\Middleware\StartSession::class,
    ];

it worked for me.

edited May 22 '22 at 12:59

Nasser Ali Karimi

4,462
6
34
77

answered Aug 09 '21 at 14:13

Anton Cvetaev

339
2
10

1

It will more helpul if you paste de code instead paste an image – Fernando Torres Oct 07 '21 at 03:11
indeed adding screenshot of text in answers is not good practice. Noone can copy/paste from it, search engines can't find anything in it. – Jean-François Fabre Jan 18 '22 at 07:58
5

But why? Documentation doesn't say anything about it, why would I have to do it? – Robert Jul 07 '22 at 20:26
@Robert, I think it is because the `StartSession::class` is originally included only in the `protected $middlewareGroups` array, but not in the `protected $middleware` array where, in my case, the /login route belongs to. However, if I add the /login route to the `Route::middleware(['auth:sanctum'])->group`, another error will be shown because the /login route is not authenticated as yet. – jgarcias Apr 05 '23 at 06:58

score 4 · Answer 2 · answered Mar 27 '22 at 21:02

To future you, the correct way to fix the issue is:

Publish Sanctum configuration

php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"

Inform your app/api middleware to utilize stateful sessions by adding EnsureFrontendRequestsAreStateful class on app/Http/Kernel.php under the correct route groups (api,web, e.t.c)

'api' => [
    \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
...

Following two steps are very crucial

Add frontend domains/IP addresses that are allowed to utilize the Sanctum SPA sessions. This can be done either by adding SANCTUM_STATEFUL_DOMAINS key in your .env file or modifying stateful key's value in the config/sanctum.php file.

For every request to the endpoints protected by sanctum middleware, it must include origin or referer header. Addittionally, include X-XSRF-TOKEN header if applicable.

I have all of this but weirdly rarery I still get the "session store not set" error. — Stalinko, Oct 13 '22 at 10:44

score 0 · Answer 3 · answered Feb 03 '22 at 19:17

0

In your .env file check that APP_URL={your app base url} is correct.

answered Feb 03 '22 at 19:17

Ahmed

186
1
2
10

score 0 · Answer 4 · answered Oct 01 '22 at 15:17

'api' => [
    \App\Http\Middleware\EncryptCookies::class,
    \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,

    \Illuminate\Session\Middleware\StartSession::class, // Add this line
],

StartSession.php is a session manager, that handle session from every API request.

Hussein Shaikh · Answer 5 · 2022-11-04T08:36:38.053

0

Added if (!$request->is('api/*') && $request->session()->all()) in app/Http/Middleware/Authenticate.php The request was crashing due to the authenticate middleware checking for session, hence this helped. P.S this fix for sanctum usage.

edited Nov 04 '22 at 08:36

answered Nov 04 '22 at 08:35

Hussein Shaikh

1
1

score -5 · Accepted Answer · answered Feb 09 '21 at 12:56

-5

The authentication routes must be in the routes/web.php file.

answered Feb 09 '21 at 12:56

froston

1,027
1
12
24

That is not correct, using web routes just means you are using the web middlewere, you are not getting the benifits of the APIs then. – shamaseen Jan 03 '22 at 14:54
https://laravel.com/docs/8.x/sanctum#how-it-works For this feature, Sanctum does not use tokens of any kind. Instead, Sanctum uses Laravel's built-in cookie based session authentication services. Typically, Sanctum utilizes Laravel's web authentication guard to accomplish this. – froston Oct 17 '22 at 19:34

Laravel 8 Sanctum SPA Auth - Session store not set on request

6 Answers6