Laravel can't retrieve session, unable to decrypt session cookie

Hi,
I set up Auth0 with Laravel 9 and I’m facing a few problems.

The problem I want to discuss in this topic is the management of the session.

It appears not to be working properly.
I set the session driver to “file” as recommended, but if I enable the debugger to stop on any exception, I see that Laravel always raises an exception for being unable to decrypt the session cookie.

Consequently, SOMETIMES but not every time, it cannot find the auth()->user() and store it in request()->user(), and that causes everything else to fail, pretty much, but the critical failure that Laravel raises is “session not stored on request”.
Other times it just finds the auth()->user(), even if the session cookie decryption fails EVERY TIME.

What is going on here?

A bit more context:

  • this website has a few subdomains run within the same Laravel app, and the authentication in 1 subdomain should be valid for all the rest
  • I had to use a custom user repository to get a proper user model from the auth()->user() helper function. I need a proper user model mostly because I’m using the Spatie Permission package to manage roles and permissions, and I need to be able to call methods such as auth()->user()->role('Administrator')

Env file

AUTH0_DOMAIN=mytenant.eu.auth0.com
AUTH0_CLIENT_ID=secret
AUTH0_CLIENT_SECRET=secret
AUTH0_COOKIE_SECRET=secret
AUTH0_COOKIE_DOMAIN=.mybasedomain.com
AUTH0_ROUTE_HOME=/

SESSION_DRIVER=file
SESSION_LIFETIME=120
SESSION_DOMAIN=.mybasedomain.com

App\Models\User

namespace App\Models;

use Auth0\Laravel\Contract\Model\Stateful\User as Auth0StatefulUser;
use Illuminate\Auth\Passwords\CanResetPassword;
use Illuminate\Contracts\Auth\MustVerifyEmail;
use Illuminate\Database\Eloquent\SoftDeletes;
use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Notifications\Notifiable;
use Plank\Metable\Metable;
use Spatie\Permission\Traits\HasRoles;

class User extends Authenticatable implements Auth0StatefulUser, MustVerifyEmail
{
    use Notifiable, SoftDeletes, HasRoles, CanResetPassword, Metable;
    // ...
}

config\auth

<?php

return [
    'defaults' => [
        'guard' => 'auth0',
        //'guard' => 'web',
        'passwords' => 'users',
    ],

    'guards' => [
        'auth0' => [ // spatie permissions will use the first guard as default
            'driver' => 'auth0',
            'provider' => 'auth0',
        ],

        /*'web' => [
            'driver' => 'session',
            'provider' => 'users',
        ],
 
        'api' => [
            'driver' => 'passport',
            'provider' => 'users',
        ],*/
    ],

    'providers' => [
        'users' => [
            'driver' => 'eloquent',
            'model' => App\Models\User::class,
        ],

        'auth0' => [
            'driver' => 'auth0',
            'repository' => App\Auth\CustomUserRepository::class,
            'model' => App\Models\User::class, // needed by spatie permission. No, we're not using auth0 permissions.
            //'repository' => \Auth0\Laravel\Auth\User\Repository::class
        ],
    ],

    'passwords' => [
        'users' => [
            'provider' => 'users',
            'table' => 'password_resets',
            'expire' => 60,
            'throttle' => 60,
        ],
    ],

    'password_timeout' => 10800,

];

App\Auth\CustomUserRepository

<?php

declare(strict_types=1);

namespace App\Auth;

use App\Models\User;
use Auth0\Laravel\Contract\Auth\User\Repository;
use Illuminate\Contracts\Auth\Authenticatable;

class CustomUserRepository implements Repository
{
    /**
     * Resolve the local Eloquent user for a stateful (session-based) login.
     * $user is the decoded Auth0 profile; the 'email' key may be absent if
     * the requested scope did not include it, so guard against an undefined key.
     */
    public function fromSession(array $user): ?Authenticatable
    {
        if (empty($user['email'])) {
            return null;
        }

        return User::firstWhere('email', $user['email']);
    }

    /**
     * Similar to above. Used for stateless (access token) application types.
     */
    public function fromAccessToken(array $user): ?Authenticatable
    {
        return null;
    }
}

Is it really necessary to use the session file driver anyway? I’d like to use the database driver in order to throttle the origin IP requests.

Hi @valentinomariotto were you ever able to resolve this? I am facing the same issue.
