Laravel POST Request Issues on Azure Web App with MySQL Database - XSRF Token Domain Error

lucasg · June 26, 2025, 9:02pm

I have a Laravel app running on Azure Web App with MySQL Flexible Server. When I try to make POST requests, I get an error saying “The XSRF-TOKEN cookie was rejected for having an invalid domain.”

The app works fine locally but fails on Azure. I suspect it might be related to HTTPS/HTTP configuration or session settings. The browser shows the connection as not secure.

My authentication request class:

<?php
namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Validation\ValidationException;

class AuthRequest extends FormRequest
{
    public function authorize(): bool
    {
        return true;
    }

    public function rules(): array
    {
        return [
            'email' => ['required', 'string'],
            'password' => ['required', 'string']
        ];
    }

    public function attemptLogin(): void
    {
        if(!Auth::attempt($this->only('email', 'password'), $this->boolean('remember'))){
            RateLimiter::hit($this->throttleKey());
            
            throw ValidationException::withMessages([
                'email' => 'Invalid credentials',
                'password' => 'Wrong password',
            ]);
        }
        RateLimiter::clear($this->throttleKey());
    }

    public function throttleKey(): string
    {
        return Str::lower($this->string('email')).'|'.$this->ip();
    }
}

Controller method:

public function handleLogin(AuthRequest $request)
{
    $request->attemptLogin();
    $request->session()->regenerateToken();
    
    return redirect()->route('home');
}

Routes:

Route::get('/auth', [AuthController::class, 'show'])->name('auth');
Route::post('/auth', [AuthController::class, 'handleLogin'])->name('authenticate');

What Azure configuration changes do I need to make this work? Should I modify session settings or add specific environment variables?

ameliat · July 4, 2025, 10:57pm

This usually happens when Laravel can’t set the CSRF token cookie properly - sounds like an HTTPS issue since your connection shows as “not secure”. First, check your config/session.php file. If you’re not using HTTPS, set secure to false. If you are using HTTPS, make sure your SSL certificates are configured correctly in Azure. Next, verify your .env file. The SESSION_DOMAIN needs to match your Azure domain exactly - including any subdomains. Also try adding SESSION_SAME_SITE=lax to your environment variables. Azure can be pretty strict with cookie policies. I ran into the same thing when I deployed to Azure. After making these changes, you need to clear your cache or nothing will work. Run php artisan config:cache and php artisan view:clear in your deployment pipeline.

HappyDancer99 · July 3, 2025, 5:30am

Had this exact problem migrating from shared hosting to Azure Web App last year. Your APP_URL environment variable probably doesn’t match your Azure domain. Check your Azure portal config and make sure APP_URL points to your exact Azure Web App URL. Also verify your session driver is set to database or redis instead of file - Azure’s filesystem screws with sessions. In your session config, try setting the domain to null instead of a specific domain. This fixed it for me. Check if you’ve got custom middleware interfering with CSRF token validation too. The “not secure” connection means you probably need to force HTTPS in your AppServiceProvider boot method with URL::forceScheme(‘https’). Make sure your Azure Web App has HTTPS Only enabled in the TLS/SSL settings.