Laravel sanctum csrf cookie every request?
Stefan Izdrail
Founder & Senior Architect · 2026-06-29
Title: Laravel Sanctum's Role in CSRF Protection and User Authentication
Introduction: Laravel Sanctum (previously known as Airlock) is a lightweight authentication package for Laravel. It provides API tokens for mobile and third-party clients, and cookie-based session authentication for single-page applications (SPAs) that reuses Laravel's built-in session and CSRF protection. In this post, we look at how that SPA mode handles Cross-Site Request Forgery (CSRF) protection and user authentication, and answer the question in the title: the `/sanctum/csrf-cookie` request is needed once per session, not on every request.
Body:
1. Understanding Laravel Sanctum's CSRF Protection Mechanism
For an SPA, Sanctum does not replace Laravel's CSRF protection; it reuses it. Requests from your frontend carry the normal Laravel session cookie, and every state-changing request (POST, PUT, PATCH, DELETE) must also carry the CSRF token that belongs to that session. The flow has two steps: first initialize CSRF protection with a GET request to `/sanctum/csrf-cookie`, then authenticate with a POST to `/login` (or any other session-based login route). Once logged in, subsequent requests are authenticated by the session cookie, not by an API token; API tokens are Sanctum's separate mechanism for non-browser clients and play no part in this flow. Two configuration points are easy to miss: the frontend's origin must be listed in `SANCTUM_STATEFUL_DOMAINS`, and the `EnsureFrontendRequestsAreStateful` middleware must run on the API routes the SPA calls (`$middleware->statefulApi()` in `bootstrap/app.php` on Laravel 11, or the middleware class in the `api` group of `app/Http/Kernel.php` on earlier versions).
2. Initializing CSRF Protection via `/sanctum/csrf-cookie`
The first step is a GET request to `/sanctum/csrf-cookie`. The response body is empty (HTTP 204), but the request starts a session and the response sets an `XSRF-TOKEN` cookie holding that session's CSRF token. Axios (and Angular's HttpClient) read the cookie and automatically send its value in an `X-XSRF-TOKEN` header on later requests; Laravel's `VerifyCsrfToken` middleware compares the header with the token stored in the session and answers HTTP 419 on a mismatch. Because every accepted response refreshes the `XSRF-TOKEN` cookie, you do not call this endpoint before every request: once before the first state-changing request is enough, and only after the session has expired (signalled by a 419) does the SPA need to request it again. The client must send cookies across origins, so enable `withCredentials` on Axios (and `withXSRFToken` on Axios 1.6.2 and later, which otherwise only adds the header for same-origin requests):
axios.defaults.withCredentials = true;   // send the session and XSRF-TOKEN cookies
axios.defaults.withXSRFToken = true;     // attach X-XSRF-TOKEN on cross-origin requests (Axios >= 1.6.2)
axios.get('/sanctum/csrf-cookie').then(() => {
    // XSRF-TOKEN is now set; Axios adds the X-XSRF-TOKEN header from here on
    return axios.post('/login', { email: 'user@example.com', password: 'secret' }); // form values
});
3. Authentication via `/login` and the laravel/ui Package
Once the CSRF cookie is set, the SPA logs in with a POST to `/login`. That route can be your own controller, one of Laravel's first-party starter kits (Breeze, Jetstream, Fortify), or the `laravel/ui` package, which scaffolds the classic auth controllers and Blade views (login, registration, password reset) and registers their routes with `Auth::routes()`. Whichever you use, the login route must sit in the `web` middleware group so that the session is started and `VerifyCsrfToken` runs:
Laravel's Default Login Example (routes/web.php):
use App\Http\Controllers\Auth\LoginController;

Route::get('/login', function () {
    return view('auth.login');
})->middleware('guest')->name('login');
Route::post('/login', [LoginController::class, 'authenticate']);
laravel/ui Authentication Example:
// Install the laravel/ui package and scaffold the auth controllers and views
composer require laravel/ui
php artisan ui bootstrap --auth
npm install && npm run build

// config/auth.php: the session guard the scaffolded controllers use
'guards' => [
    'web' => [
        'driver' => 'session',
        'provider' => 'users',
    ],
],

// routes/web.php: Auth::routes() registers /login, /logout, /register and the
// password-reset routes; the welcome page stays public
Route::get('/', function () {
    return view('welcome');
});
Auth::routes();
Route::get('/home', [App\Http\Controllers\HomeController::class, 'index'])->name('home');
4. Combining CSRF Protection and User Authentication for Seamless Experience
To keep the experience consistent, give users clear paths through the authentication-related steps without weakening the checks above. For example:
- Log the user in automatically after registration. This avoids a redirect to the login page and bypasses no protection, because the registration POST itself already carried the CSRF token.
- Make it obvious which actions require an authenticated user, and which additionally require a role or permission, so that a 401 or 403 response is never a surprise.
- Keep every state-changing operation behind the authentication and authorization checks you have chosen; the CSRF token proves that the request came from your frontend, not that the user is allowed to perform it.
Conclusion: In SPA mode, Laravel Sanctum hands CSRF protection and authentication to Laravel's own session machinery rather than inventing its own. One GET to `/sanctum/csrf-cookie` at the start of a session gives the browser an `XSRF-TOKEN` cookie that Axios echoes back in the `X-XSRF-TOKEN` header on every later request, so state-changing requests are bound to a token that only your origin can read, and the cookie is refreshed by every accepted response instead of being fetched again and again. Combined with the stateful-domain configuration and a login route under the `web` middleware group, this gives solid protection with little impact on the user experience.