0

I’m building an app where my backend is a Laravel API (running on http://localhost:8000) and my frontend is a Next.js 15 app (running on http://localhost:3000).

I want to store the Sanctum token inside an HttpOnly cookie (for XSS/CSRF protection) so when the user logs in via the Laravel API, the cookie will automatically included in requests from both:

  • Next.js Server Components

  • Next.js Client Components

What I tried

On the Laravel side, I issued the token and attached it to a cookie:

$cookie = cookie('auth_token', $token, 60, '/', null, true, true, false, 'lax');

return response()->json([
    'status' => 'success',
    'token'  => $token,
    'user'   => $user->only('id', 'name', 'email', 'phone'),
])->cookie($cookie);

On the Next.js side, I tried two approaches:

1. Rely on Laravel’s cookie

The cookie is created correctly, but it isn’t accessible from my Next.js app since it’s set on a different origin (localhost:8000 vs localhost:3000).

2. Manually set a cookie in Next.js server action

cookieStore.set("auth_token", json.token, {
  httpOnly: true,
  secure: process.env.NODE_ENV === "production",
  sameSite: "lax",
  path: "/",
});
  • This works for server-side requests when I manually add the Bearer token.
  • But for client-side requests, I can’t access the HttpOnly cookie in JavaScript (by design).

Question

How can I properly share the HttpOnly authentication cookie between Laravel (localhost:8000) and Next.js (localhost:3000) so that:

  • The cookie is set once in Laravel after login
  • It is automatically sent with requests from both Next.js server and client components
  • Without exposing the token to JavaScript (still HttpOnly)

Do I need to configure a shared domain (e.g. .myapp.test) instead of localhost for this to work, or is there another recommended way?

Improve this question
5
  • 1
    presumably you will not be running your production site in localhost so I'd recommend you setup your local using a virtual host configuration that best matches live. For example if your live Next.js app would be example.com and your live laravel app will be api.example.com then setup your local under dev.example.com and dev.api.example.com with a virtual host configuration (and modifying your hosts file if needed). This is not to say you can't set it up using localhost but whatever you do will probably break when you go to production Commented Sep 14 at 19:57
  • Is the issue I am facing a common one, or am I doing something unusual by using this method? I also tried changing my /etc/hosts as you described and updating the cookie’s domain to match the virtual host but i still have the same issue. Commented Sep 14 at 20:31
  • 1
    I think typically with a setup like this it's not recommended to share cookies directly. Have a look at laravel sanctum either the token or SPA style authentication may match your use case Commented Sep 14 at 22:08
  • isnt it the same as any other setup like laravel api to react/vue/any-framework/no-framework setup? Make sure that you include the jwt in the json response and mark as http only. Then in the front, submit with credentials Commented Sep 16 at 1:13
  • maybe setup a middleware to only accept from certain urls like your frontend url Commented Sep 16 at 1:15
Related questions
70
Laravel 5.6 - Passport JWT httponly cookie SPA authentication for self consuming API?
3
how to set cookie with httponly flag in vuejs and vuex that cookie cames from server(Laravel)
4
Laravel 8 sanctum api "CSRF token mismatch" 419 error with next.js app
Load 3 more related questions Show fewer related questions

0

Reset to default

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.