How to disable cookies in Laravel 5?

Asked 21/6, 2015 at 12:43 Answered 26/11, 2020 at 17:42

php cookies laravel-5 single-page-application

I'm having single-page app made on Laravel 5.1. I use localStorage to keep API key and I don't need cookies. Laravel creates two cookies for me:

XSRF-TOKEN
laravel_session

If I set SESSION_DRIVER to array in my environment config, laravel_session cookie is no longer generated.

But I think there might be a problem with XSRF-TOKEN cookie, because I found out this piece of code in VerifyCsrfToken middleware class:

public function handle($request, Closure $next)
{
    if ($this->isReading($request) || $this->shouldPassThrough($request) || $this->tokensMatch($request)) {
        return $this->addCookieToResponse($request, $next($request));
    }

    throw new TokenMismatchException;
}

And addCookieToResponse method looks like this:

protected function addCookieToResponse($request, $response)
{
    $config = config('session');

    $response->headers->setCookie(
        new Cookie(
            'XSRF-TOKEN', $request->session()->token(), time() + 60 * 120,
            $config['path'], $config['domain'], false, false
        )
    );

    return $response;
}

It seems like it sets this cookie no matter what. I could disable this middleware, but I want to use it to verify CSRF token with HTTP headers. Can I disable cookies completely?

Labarum answered 21/6, 2015 at 12:43 Comment(7)

If you are using laravel fro API using tokens, why not disable the VerifyCsrfToken middleware completely ? This uses cookies which you don't care about. You can disable by going to app/http/Kernel.php and comment the line – Uttermost 2/11, 2015 at 16:13

just for more background information, what is the reason for wanting to disable cookies? – Zipnick 2/11, 2015 at 21:47

@Zipnick There is a law that makes it obligatory to inform user about cookies if you use any. I don't need them, so I would rather disable them and be free from that "We are using cookies" information :) – Labarum 2/11, 2015 at 22:1

First party cookies which are essential for a site to work are exempt and do not require you (EU cookie law) to inform the user (depending on their nature). The default Laravel session cookie would be exempt in this case. The laws were relaxed a while ago – Zipnick 2/11, 2015 at 22:7

Also, using local storage doesn't mean you don't have to gain consent. Local storage is also covered in the legislation – Zipnick 2/11, 2015 at 22:8

@Zipnick Yes I'm aware that local storage is also included in this law. Do I say "local storage" instead of "cookies" then? :) I need to dive deeper into this law and see what is included and what is excluded there. I find that law quite weird to be honest. – Labarum 2/11, 2015 at 22:20

yeah it seems to have caused quite a bit of confusion. Here is a good article to get you started: ec.europa.eu/ipg/basics/legal/cookies/index_en.htm – Zipnick 2/11, 2015 at 22:42

Simply comment out the lines in app\Http\Kernel.php which related to cookies and sessions. The following ones which I found;

\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\App\Http\Middleware\VerifyCsrfToken::class,

Hope it helps.

Pamphleteer answered 12/11, 2015 at 2:31 Comment(2)

You can send CSRF token via HTTP header, of course, but you have to store the token on the client-side. So if you willing to disable cookies you have to figure out how to transmit and store the token received from back-end. Maybe localstorage come in handy to store. And also sending procedures is on you as well, i.e. setting proper HTTP header. – Pamphleteer 18/11, 2015 at 0:6

just use <meta name="csrf-token" content="{{ csrf_token() }}"> in the header and then use headers: { 'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content') }, in ajax calls (jquery example). however, laravel still throws error "Session store not set on request.", and i don't know why – Godbeare 26/5, 2020 at 10:19

As of 5.7.0 the XSRF-TOKEN cookie is now optional. In order to disable it you just need to set the following in your /app/Http/Middleware/VerifyCsrfToken.php file.

protected $addHttpCookie = false;

https://github.com/laravel/framework/commit/3ff7040663b81d8f01939edd2cb67d3214ec91b8

Wil answered 19/9, 2019 at 11:47 Comment(0)

I've just tested this in Laravel 6.0.
To have CSRF middleware running, and Laravel adding no cookies you need to disable (comment out) the following middleware:

\Illuminate\Session\Middleware\StartSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,

This will prevent Laravel from adding the laravel_session cookie.

To disable adding XSRF-TOKEN cookie, open up \App\Http\Middleware\VerifyCsrfToken::class middleware and set $addHttpCookie property to false

Sauers answered 7/10, 2019 at 8:41 Comment(1)

but when you don't use StartSession, you always get message": "Session store not set on request.", when doing some post request when trying to verifycsrftoken. i want to use session, but don't use cookies, like normal php session_start() no cookies needed. it is so ridiculous that this is so difficult in laravel – Godbeare 26/5, 2020 at 10:16

Be careful, removing the StartSession middleware does remove the whole csrf token, as the csrf_token function fetch app('session')->token().

However, there's a line in the StartSession middleware when it tries to set the cookie and it checks if the driver is not null (sessionIsPersistent) but if I set it to null, I can't get past the "Unable to resolve NULL driver for Illuminate\Session\SessionManager

Kendra answered 26/11, 2020 at 17:42 Comment(0)

Recommended topics

Hot tags