
Laravel can only login in Incognito tab

I have a strange issue with my Laravel project. I can’t find out when it first started – I can only log in/log out when opening the app in an incognito tab. In a normal tab it won’t log me out when I am already logged in, and after I deleted the session info in the storage I was unable to ever log in.

I have set a SESSION_DOMAIN previously in the env because I had another issue with being unable to login with Laravel Socialite on www.* subdomain but later deleted the SESSION_DOMAIN property, because it did not solve the issue.

UPDATE

It seems that the problem has occurred because I have set a SESSION_DOMAIN in the .env file. When I do that during logging in on the local environment, the problem occurs even when I am in an incognito tab. Though I can remove it and then reload the incognito pages again, and the problem disappears for incognito tabs.


Answer

I didn’t use Laravel, so I might not fully understand how SESSION_DOMAIN should work there, but the problem seems to be due to an existing cookie set on a higher domain.

For example, your code is working on domain ‘sales.domain.com’. When you create a session in Laravel, it would put a cookie that’s valid on that domain. It then can be removed using the same “set cookie” request but with date in the past. This is how it normally works.

But if someone (maybe your code) some time ago also set a cookie with the same name, but valid on all subdomains or ‘.domain.com’, it can’t be removed by “set cookie” request that removes it from ‘sales.domain.com’.

To check this, use Firebug or Chrome dev tools to see the request headers when making a request to ‘sales.domain.com’ and to just ‘domain.com’. Note the “Cookie” header. If the same cookie is present on both requests, this confirms my guess. You can solve this by clearing cookies in the browser.

See also https://en.wikipedia.org/wiki/HTTP_cookie#Domain_and_Path

User contributions licensed under: CC BY-SA
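
The mechanism the answer describes, as an added example that is not part of the original question or answer: a simplified cookie jar keyed by (name, domain, path) as in RFC 6265, showing that expiring the host-only session cookie leaves a same-named `Domain=.domain.com` cookie in place, plus the duplicate-name check on the `Cookie` header. The cookie name `laravel_session`, the cookie values and the `CookieJar`, `duplicateCookieNames` and `demo` names are assumptions made for the illustration.

```javascript
// Simplified RFC 6265 cookie jar: a cookie is identified by (name, domain, path).
// Constructed sample: host names from the answer, assumed cookie name "laravel_session".
class CookieJar {
  constructor() { this.cookies = new Map(); }

  // Apply one Set-Cookie header received in a response from requestHost.
  setCookie(requestHost, header) {
    const [pair, ...attrs] = header.split(';').map(s => s.trim());
    const eq = pair.indexOf('=');
    const name = pair.slice(0, eq), value = pair.slice(eq + 1);
    let domain = requestHost, hostOnly = true, path = '/', expired = false;
    for (const attr of attrs) {
      const [k, v = ''] = attr.split('=');
      const key = k.toLowerCase();
      if (key === 'domain' && v) { domain = v.replace(/^\./, '').toLowerCase(); hostOnly = false; }
      else if (key === 'path' && v) path = v;
      else if (key === 'max-age') expired = Number(v) <= 0;
      else if (key === 'expires') expired = Date.parse(v) <= Date.now();
    }
    const id = `${name}|${domain}|${path}`;
    if (expired) this.cookies.delete(id); // removes only the exact (name, domain, path) match
    else this.cookies.set(id, { name, value, domain, hostOnly, path });
  }

  // Cookie header the browser would send to host (path matching omitted).
  cookieHeader(host) {
    return [...this.cookies.values()]
      .filter(c => host === c.domain || (!c.hostOnly && host.endsWith('.' + c.domain)))
      .map(c => `${c.name}=${c.value}`).join('; ');
  }
}

// The check from the answer: cookie names that occur more than once in a Cookie header.
function duplicateCookieNames(cookieHeader) {
  const counts = new Map();
  for (const part of cookieHeader.split(';')) {
    const name = part.trim().split('=')[0];
    if (name) counts.set(name, (counts.get(name) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > 1).map(([name]) => name);
}

function demo() {
  const jar = new CookieJar();
  jar.setCookie('sales.domain.com', 'laravel_session=stale; Domain=.domain.com; Path=/'); // old, SESSION_DOMAIN set
  jar.setCookie('sales.domain.com', 'laravel_session=fresh; Path=/'); // login, host-only
  const before = jar.cookieHeader('sales.domain.com');
  jar.setCookie('sales.domain.com', 'laravel_session=gone; Max-Age=0; Path=/'); // logout
  return { before, after: jar.cookieHeader('sales.domain.com'), duplicates: duplicateCookieNames(before) };
}
console.log(demo());
```

An incognito window starts with an empty cookie store, so the stale parent-domain cookie is absent there until a response sets it again.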