How to expire a session in Laravel SPA "laravel_session" cookie?"

Question

I currently have a application with Laravel + Sanctum + Vue SPA + Apollo GraphQL.

I'm trying to make a session expire just like in a normal Laravel application but i can't achieve this.

First I make a request to trigger the csrf-cookie of Sanctum on frontend:

await fetch(`${process.env.VUE_APP_API_HTTP}/api/csrf-cookie`, {
  credentials: 'include'
})

It generates 2 cookies on browser: XSRF-COOKIE and laravel_session

On login I use apollo and store the auth-token after make a login request:

const data = await apolloClient.mutate({
  mutation: Login,
  variables: credentials
})

const token = data.data.login.token

await onLogin(apolloClient, token)


export async function onLogin (apolloClient, token) {
  if (typeof localStorage !== 'undefined' && token) {
    localStorage.setItem(AUTH_TOKEN_NAME, token)
  }
....

So i pass the token and cookie to apolloClient link prop, but i'm not sure if it is needed to pass the XSRF-TOKEN.

const authLink = setContext(async (_, { headers }) => {
  const token = localStorage.getItem(AUTH_TOKEN_NAME)

  return {
    headers: {
      ...headers,
      authorization: token ? `Bearer ${token}` : '',
      'XSRF-TOKEN': Cookie.get('XSRF-TOKEN'),
    }
  }
})

Here is the problem: The login session never expires, even with the cookie laravel_session, i already tried to pass laravel_session as a header on my link connection but it doesn't seems to work.

My Laravel session.php is set 'expire_on_close' => true to be sure i can test it i close the browser and re-open, also i'm sure the cookie is set to expire on close because it says on browser cookies info.

Any idea how can i make the laravel session work on a SPA?

Answer 1

If you are using cookies to manage the session, your .env file should look like this:

SESSION_DRIVER=cookie

You can also define the session lifetime below

SESSION_LIFETIME=120

Suggestion: set lifetime to 1 minute, do a login and wait to see if it expires. Let me know!