How to disable cookies in Laravel 5?
Solution 1
Simply comment out the lines in app\Http\Kernel.php
which related to cookies and sessions. The following ones which I found;
\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\App\Http\Middleware\VerifyCsrfToken::class,
Hope it helps.
Solution 2
As of 5.7.0 the XSRF-TOKEN
cookie is now optional. In order to disable it you just need to set the following in your /app/Http/Middleware/VerifyCsrfToken.php file.
protected $addHttpCookie = false;
https://github.com/laravel/framework/commit/3ff7040663b81d8f01939edd2cb67d3214ec91b8
Solution 3
I've just tested this in Laravel 6.0.
To have CSRF middleware running, and Laravel adding no cookies you need to disable (comment out) the following middleware:
\Illuminate\Session\Middleware\StartSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
This will prevent Laravel from adding the laravel_session
cookie.
To disable adding XSRF-TOKEN
cookie, open up \App\Http\Middleware\VerifyCsrfToken::class
middleware and set $addHttpCookie
property to false
Related videos on Youtube
Robo Robok
Updated on June 04, 2022Comments
-
Robo Robok almost 2 years
I'm having single-page app made on Laravel 5.1. I use localStorage to keep API key and I don't need cookies. Laravel creates two cookies for me:
- XSRF-TOKEN
- laravel_session
If I set
SESSION_DRIVER
toarray
in my environment config,laravel_session
cookie is no longer generated.But I think there might be a problem with
XSRF-TOKEN
cookie, because I found out this piece of code inVerifyCsrfToken
middleware class:public function handle($request, Closure $next) { if ($this->isReading($request) || $this->shouldPassThrough($request) || $this->tokensMatch($request)) { return $this->addCookieToResponse($request, $next($request)); } throw new TokenMismatchException; }
And
addCookieToResponse
method looks like this:protected function addCookieToResponse($request, $response) { $config = config('session'); $response->headers->setCookie( new Cookie( 'XSRF-TOKEN', $request->session()->token(), time() + 60 * 120, $config['path'], $config['domain'], false, false ) ); return $response; }
It seems like it sets this cookie no matter what. I could disable this middleware, but I want to use it to verify CSRF token with HTTP headers. Can I disable cookies completely?
-
codegeek over 8 yearsIf you are using laravel fro API using tokens, why not disable the VerifyCsrfToken middleware completely ? This uses cookies which you don't care about. You can disable by going to app/http/Kernel.php and comment the line
-
ExoticChimp over 8 yearsyeah it seems to have caused quite a bit of confusion. Here is a good article to get you started: ec.europa.eu/ipg/basics/legal/cookies/index_en.htm
-
ozanmuyes over 8 yearsYou can send CSRF token via HTTP header, of course, but you have to store the token on the client-side. So if you willing to disable cookies you have to figure out how to transmit and store the token received from back-end. Maybe localstorage come in handy to store. And also sending procedures is on you as well, i.e. setting proper HTTP header.
-
user151496 almost 4 yearsbut when you don't use
StartSession
, you always get message": "Session store not set on request.", when doing some post request when trying to verifycsrftoken. i want to use session, but don't use cookies, like normal phpsession_start()
no cookies needed. it is so ridiculous that this is so difficult in laravel -
user151496 almost 4 yearsjust use
<meta name="csrf-token" content="{{ csrf_token() }}">
in the header and then useheaders: { 'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content') },
in ajax calls (jquery example). however, laravel still throws error"Session store not set on request.",
and i don't know why