419 Page Expired when sharing sessions across many Laravel projects
Hey guys, I'm facing a problem since I have two different websites that share the sessions.
1 Laravel website (InertiaJS project)
1 Laravel website with only FilamentPHP installed on it
They share the laravel sessions across a Redis database.
In my .env on both projects, I have this :
Any idea on how to help me solve this issue?
Don't know if it's related to Laravel, FilamentPHP or Livewire... but what I can say is that I only get the 419 error on the Filament project.
15 Replies
can u share the APP_NAME and the APP_KEY for both projects?
well no need to share it, they must be the same
are they the same?
Yep, I've double-checked and APP_NAME/APP_KEY are exactly the same on both projects.
And it happens when I do a request on site A (InertiaJS), then I go back to site B (Livewire/Filament) and there is a "POST /update" request that is done, and it fails on it.
POST /livewire/update
this endpoint
Here is my cookie, probably samesite?
what this endpoint does?
I don't know... It's something from Livewire used by FilamentPHP. It's not from my project directly.
I think it's for making a hot-reload, a "SPA" like.
so u have a main app or both are in the same level?
i mean, the inertiajs project is the one holding authentication features, or both projects handle this auth features, such as login, register?
There are 2 different applications (both of them are running on the same Laravel/PHP, but with different code).
-> The sessions are stored in a database Redis
-> All .env has been updated
Websites are running on sub-domains, but the "main" domain is the same:
- backoffice.myproject.com
- dashboard.myproject.com
not related
(a funny thing is that I've already handled sharing sessions between different InertiaJS apps
and I've already handled sharing sessions between different Filament apps
but I've never handled sharing sessions between an InertiaJS app and a Filament app bruh)
And the login is run by a 3rd project (VueJS/Laravel - not InertiaJS)
looks cool
🤔
so u actually share session between 3? (its fine)
yes
but it works perfectly between the "Vue/Laravel - not InertiaJS" project and the site A (Laravel/InertiaJS)
The problem, I think, is because of Livewire (not Filament directly).
OK! I found the solution!!
In VerifyCsrfToken, I've added livewire/* to the except URLs.
i see. well its hard to tell what could be happening. so the SESSION_DRIVER for all 3 is redis, right?
and the APP_URL? i think the app url is not that important, but just to ensure it
oh god
Yeees, on redis we have 4 databases:
DB0 = shared sessions
DB1 = website Laravel / VueJS - not InertiaJS: only for cache
DB2 = website Laravel / InertiaJS: cache + queue (horizon)
DB3 = website FilamentPHP: cache + queue (horizon)
but u should be able to use csrf tokens despite sharing sessions across laravel apps
It's a solution, but I'm not sure if you want that though.
by excluding livewire/* from CSRF checks, you're allowing all requests targeting Livewire components to bypass this protection. If any of your Livewire components perform state-changing operations (like updating user data, posting content, etc.), they could be exploited, so be careful
But it really looks like an internal bug from Livewire