I am making an AJAX request from a subdomain to main domain. I have set up CORS so that subdomain is attached automatically to the allowed domain listing. I am getting a 419 (unknown status) error and upon dumping the error I found out that I am getting TokenMissmatchException.
I noticed also that that is infact true because I also saw:
"_token" => "h7I07Iv0m4sF7XHhXjtygnfCtITgzCi3Ml8lfT7Z" // <-- sent
"_token" => "N118Izko7j5uf851MpijBXInFLaUVicRdf9uw3h4" // <-- in session
I am obviously sending token with my AJAX request as I see it in the headers section when inspecting the request.
I suppose there is some missmatch going on because I am traversing from my subdomain to my domain.
How can I align tokens across my main domain and all subdomains so that I don't get an exception?
NOTE
All AJAX routes are receiving a token from
<meta name="csrf-token" content="{{ csrf_token() }}">
Attaching it to every request in
$.ajaxSetup({
headers: {
'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
}
});
EDIT
I have placed this under session.php
"domain" => "." . env('APP_URL'),
because of the cookies, even though honestly I'm not sure what it does
Session sharing across multiple domain..... There can be tweaks to do it. To make a cookie available in all the sub-domains you need to assign it to the root domain.
session.cookie_domain = ".example.com"
Personally I would recommend a different approach (but it also depends on other factors upon which I don't have full visibility from your question....)
Perform the ajax call from/to the same subdomain (CSRF middleware protected, standard CSRF usage) On the controller perform a server to server backend call to your main domain (e.g. a curl_exec )
The server to server call is not visible and you can protect it... e.g. at network level or by adding an Oauth server if the two domain communicates through internet.