Laravel can't retrieve session, unable to decrypt session cookie

I set up Auth0 with Laravel 9 and I’m facing a few problems.

The problem I want to discuss in this topic is the management of the session.

It appears not to be working properly.
I set the session driver to “file” as recommended, but if I enable the debugger to stop on any exception, I see that Laravel always raises an exception for being unable to decrypt the session cookie.

Consequently, SOMETIMES but not every time, it cannot find the auth()->user() and store it in request()->user(), and that causes everything else to fail, pretty much, but the critical failure that Laravel raises is “session not stored on request”.
Other times it just finds the auth()->user(), even if the session cookie decryption fails EVERY TIME.

What is going on here?

A bit more context:

  • this website has a few subdomains run within the same Laravel app, and the authentication in 1 subdomain should be valid for all the rest
  • I had to use a custom user repository to get a proper user model from the auth()->user() helper function. I need a proper user model mostly because I’m using the Spatie Permission package to manage roles and permissions, and I need to be able to call methods such as auth()->user()->role('Administrator')

Env file



use Auth0\Laravel\Contract\Model\Stateful\User as Auth0StatefulUser;
// use .. other stuff

class User extends Authenticatable implements Auth0StatefulUser, MustVerifyEmail
{
    use Notifiable, SoftDeletes, HasRoles, CanResetPassword, Metable;
    // ...
}



return [
    'defaults' => [
        'guard' => 'auth0',
        //'guard' => 'web',
        'passwords' => 'users',
    ],

    'guards' => [
        'auth0' => [ // spatie permissions will use the first guard as default
            'driver' => 'auth0',
            'provider' => 'auth0',
        ],

        /*'web' => [
            'driver' => 'session',
            'provider' => 'users',
        ],*/
        'api' => [
            'driver' => 'passport',
            'provider' => 'users',
        ],
    ],

    'providers' => [
        'users' => [
            'driver' => 'eloquent',
            'model' => App\Models\User::class,
        ],

        'auth0' => [
            'driver' => 'auth0',
            'repository' => App\Auth\CustomUserRepository::class,
            'model' => App\Models\User::class, // needed by spatie permission. No, we're not using auth0 permissions.
            //'repository' => \Auth0\Laravel\Auth\User\Repository::class
        ],
    ],

    'passwords' => [
        'users' => [
            'provider' => 'users',
            'table' => 'password_resets',
            'expire' => 60,
            'throttle' => 60,
        ],
    ],

    'password_timeout' => 10800,
];





namespace App\Auth;

use App\Models\User;

class CustomUserRepository implements \Auth0\Laravel\Contract\Auth\User\Repository
{
    public function fromSession(array $user): ?\Illuminate\Contracts\Auth\Authenticatable
    {
        return User::firstWhere('email', $user['email']);
    }

    public function fromAccessToken(array $user): ?\Illuminate\Contracts\Auth\Authenticatable
    {
        // Similar to above. Used for stateless application types.
        return null;
    }
}

Is it really necessary to use the session file driver anyways? I’d like to use the database driver in order to throttle the origin IP requests.