I have a Laravel 5.0 site where the frontend JS makes a lot of ajax calls to the backend Laravel code. I've noticed that on each ajax request I'm getting a new "laravel_session" cookie value in the response every time. I'm guessing that this is some security mechanism to protect against session hijacking.
However I think this is causing an issue with my site, as my ajax calls often happen in parallel, not sequentially. I don't wait for the response before firing the next call.
Consider this scenario:
1. Ajax call 1 - request - laravel_session cookie = '1234'
2. Ajax call 1 - response - laravel_session cookie = '2345'
3. Ajax call 2 - request - laravel_session cookie = '2345'
4. Ajax call 3 - request - laravel_session cookie = '2345'
5. Ajax call 2 - response - laravel_session cookie = '3456'
6. Ajax call 3 - response - session no longer valid
Is there any way around this?
I should also note that sessions are set to expire in the config/session.php as 'lifetime' => 120,
Of course each user session is unique to that logged in user.
session_create_id() is used to create new session id for the current session. It returns collision free session id. If session is not active, collision check is omitted. Session ID is created according to php.
Sessions are used to store information about the user across the requests. Laravel provides various drivers like file, cookie, apc, array, Memcached, Redis, and database to handle session data. By default, file driver is used because it is lightweight. Session can be configured in the file stored at config/session.
You are right, it is a security mechanism. To disable it for testing, in Kernel.php comment out this line:
\App\Http\Middleware\EncryptCookies::class
Then you will see the session ID in your cookie viewer and it doesn't change.
You can Google for HTTP encrypted cookies to learn about the practice. There is an ongoing debate if this old practice is necessary now that we use HTTPS on every website.
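Why an encrypted cookie can show a different value on every response while the session ID inside it stays the same, as an added example that is not part of the original answers and is not Laravel's source code. It assumes a cookie encrypted with AES-CBC under a fresh random IV and authenticated with an HMAC; the function names, key and session ID are constructed for illustration.

```php
<?php
// Added illustration: not Laravel's source. Function names, key and
// session ID are constructed for this example.

function encryptCookie(string $plain, string $key): string
{
    $iv = random_bytes(16); // fresh random IV for every response
    $value = openssl_encrypt($plain, 'aes-256-cbc', $key, 0, $iv);
    if ($value === false) {
        throw new RuntimeException('encryption failed');
    }
    $iv64 = base64_encode($iv);
    // MAC over IV and ciphertext so tampering is detected before decryption
    $mac = hash_hmac('sha256', $iv64 . $value, $key);
    return base64_encode(json_encode(['iv' => $iv64, 'value' => $value, 'mac' => $mac]));
}

function decryptCookie(string $cookie, string $key): string
{
    $p = json_decode((string) base64_decode($cookie, true), true);
    foreach (['iv', 'value', 'mac'] as $field) {
        if (!isset($p[$field]) || !is_string($p[$field])) {
            throw new RuntimeException('malformed cookie');
        }
    }
    $expected = hash_hmac('sha256', $p['iv'] . $p['value'], $key);
    if (!hash_equals($expected, $p['mac'])) {
        throw new RuntimeException('MAC mismatch');
    }
    $plain = openssl_decrypt($p['value'], 'aes-256-cbc', $key, 0, (string) base64_decode($p['iv'], true));
    if ($plain === false) {
        throw new RuntimeException('decryption failed');
    }
    return $plain;
}

$key = random_bytes(32);                     // constructed 256-bit key
$sessionId = 'constructed-session-id-0001';  // constructed sample value

$first  = encryptCookie($sessionId, $key);   // cookie value in response 1
$second = encryptCookie($sessionId, $key);   // cookie value in response 2

echo 'cookie values identical: ', var_export($first === $second, true), PHP_EOL;
echo 'decrypted IDs identical: ',
    var_export(decryptCookie($first, $key) === decryptCookie($second, $key), true), PHP_EOL;
```

When comparing requests in browser dev tools or a proxy, compare the decrypted session ID or the server-side session store key rather than the raw cookie string.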
Your domain is invalid. You need to look at config.session.domain and config.session.path.