Axios is not sending cookies
Stefan Bogdanescu
Founder & Senior Architect · 2026-06-29
The Silent Failure: Why Axios Isn't Sending Your httpOnly Cookies in Cross-Origin Requests
As senior developers working with modern full-stack frameworks like Laravel and VueJS, we often encounter subtle but frustrating issues related to session management and cross-origin communication. One particularly tricky scenario involves using secure mechanisms like httpOnly cookies for token handling.
I recently encountered a situation where my client-side application (VueJS using Axios) was failing to send necessary session information—specifically an httpOnly refresh token cookie—to the Laravel backend when attempting a token refresh via a POST request. Despite setting withCredentials: true, the server-side logging showed no cookie was present, leading to confusion about browser security and cookie storage mechanisms.
This post will dissect why this happens, explore the complexities of httpOnly cookies in an AJAX context, and outline the most secure and practical way to handle authentication flows between a decoupled frontend and a Laravel API.
Deconstructing the Cookie Mystery
The core of the issue lies not necessarily with Axios configuration, but with how browsers enforce security policies regarding cookies, especially those marked httpOnly.
The Illusion of Storage Location
The confusion surrounding where cookies are stored (e.g., in SQLite files) stems from the fact that these files represent the browser's internal state. While it is technically true that cookies reside within the browser's storage mechanism, relying on direct filesystem access for application logic is fundamentally insecure and impractical. The browser manages this data strictly according to security policies.
HTTP-Only Security Implications
The httpOnly flag is a crucial security measure implemented by the browser. It prevents client-side JavaScript (like the code running in your VueJS app) from accessing the cookie via document.cookie. This is designed to mitigate Cross-Site Scripting (XSS) attacks, ensuring that even if an attacker injects malicious script, they cannot steal session tokens directly.
However, this security feature creates a hurdle for token refreshing:
- Client Inability: Since JavaScript cannot read the cookie, it cannot manually package it into the request headers as easily as plain cookies.
- Browser Enforcement: For a browser to automatically attach an
httpOnlycookie to a cross-origin request, specific CORS and credential settings must be perfectly aligned.
Analyzing the Axios Interaction
In your scenario, you correctly set withCredentials: true in Axios and ensure the server sends Access-Control-Allow-Credentials: true. This tells the browser that credentials should be sent. The failure often indicates a mismatch in the application context or strict SameSite policies interacting with the cross-origin setup.
When dealing with token refreshing, relying solely on an httpOnly cookie for the refresh mechanism can become overly complex, especially when integrating with modern Single Page Applications (SPAs).
A Modern, Robust Solution: Token-Based Authentication
For decoupled applications like a Laravel API serving a VueJS frontend, the industry best practice is to shift the primary authentication mechanism away from relying solely on session cookies for token exchange and towards using JSON Web Tokens (JWTs).
Instead of trying to force an httpOnly cookie to work seamlessly across complex CORS boundaries:
- Access Token in Client: The short-lived
access_tokenshould be stored securely, typically in memory or session storage on the client side, which is accessible by Axios. - Refresh Token Management (Server-Side Focus): The long-lived
refresh_tokenshould remain secured entirely on the server. When a refresh is needed, the client sends this token to a dedicated Laravel endpoint (/v1/refresh). - Cookie for Refresh Token Security: If you must use cookies for the refresh token (as you are doing), ensure that the cookie is configured with the strictest possible settings:
HttpOnly,Secure(only sent over HTTPS), and appropriateSameSitepolicies (StrictorLax). This ensures the browser handles the transmission automatically, minimizing client-side complexity.
The Laravel framework provides excellent tools for managing these token flows cleanly. For robust session management in a Laravel application, leveraging features like Sanctum or Passport allows you to manage these tokens securely on the server, which is where the true authority lies. For deeper dives into secure API design within the Laravel ecosystem, exploring official documentation on authentication strategies can be very helpful, much like learning about proper resource handling in laravelcompany.com.
Conclusion
The failure to retrieve the cookie was likely a symptom of the inherent tension between browser security features (httpOnly) and cross-origin request mechanisms. While setting withCredentials: true is essential, it requires strict adherence to CORS policies. For modern Laravel/VueJS setups, favouring token-based exchange for API calls while securely managing refresh tokens on the server often provides a more predictable, secure, and maintainable architecture than wrestling with complex cookie transmission issues across domains.