# CSRF Token mismatch with Laravel's artisan serve

18 messages · Page 1 of 1 (latest)

sullen arrow
#

Laravel provides composer run dev to run a development server. This development server is run on localhost and therefore login sessions do not appear to work (CSRF token mismatch). Without excluding CSRF tokens entirely, what is the best approach to solve this issue?

  1. I attempted to add localhost to the SESSION_DOMAIN env, but that did not appear to resolve it. Is there a value that solves this problem?
  2. Is there a simple way to add a domain to the development server? I found some very brief documentation regarding php artisan serve (which is responsible for running the server under the hood); however, when I do that, it seems Vite and all the other commands associated with composer run dev fail. Any documentation regarding this?

Very odd to me that Laravel provides a development server, but ultimately it seems rather useless in most applications (e.g. no sessions) due to the CSRF token. I can spin up my own local server, but would prefer to have a working development server built in for future developers to leverage.

dense locust
#

Sessions should work on localhost; it does for me.
Check if you have SESSION_SECURE_COOKIE set to true; that needs to be false on localhost.

#

In Chrome dev tools, in the Network tab under "Response headers", you should be able to see why cookies aren't working (assuming that's the problem). There's a red/orange warning icon next to the Set-Cookie header string.
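The check described in the post above, as an added example that is not code from this thread, from Laravel or from Nova: it applies the RFC 6265 cookie storage and sending rules to a Set-Cookie header copied from the Network tab, so you can reproduce what the browser's warning icon is telling you and see whether the session cookie would even reach the login POST that carries the CSRF token. The header strings, the localhost URLs and the helper names are constructed for the example.

```python
"""Why would a browser drop, or not send back, a Laravel session cookie on http://localhost?

Added example, not Laravel/Nova code. It applies RFC 6265 storage (section 5.3) and
sending (section 5.4) rules to a Set-Cookie header value copied from the Network tab.
All header strings and URLs in this file are constructed."""
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lower-cased attribute name -> value ("" for flags)

def parse_set_cookie(header: str) -> Cookie:
    """Split a Set-Cookie header value into name, value and attributes (RFC 6265 section 5.2)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)

def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: exact match or subdomain; IP literals only match exactly."""
    host, domain = host.lower(), domain.lower().lstrip(".")  # a leading dot is ignored (5.2.3)
    if host == domain:
        return True
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return host.endswith("." + domain)

def default_path(uri_path: str) -> str:
    """RFC 6265 section 5.1.4 default-path used when the cookie has no Path attribute."""
    if not uri_path.startswith("/") or uri_path.count("/") == 1:
        return "/"
    return uri_path[: uri_path.rfind("/")]

def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def storage_problems(cookie: Cookie, set_by_url: str) -> list:
    """Reasons the browser refuses to store the cookie at all (no session survives the redirect)."""
    url = urlsplit(set_by_url)
    problems = []
    secure = "secure" in cookie.attrs
    if secure and url.scheme != "https":
        # The SESSION_SECURE_COOKIE=true case. Recent Chrome and Firefox exempt http://localhost
        # as a potentially trustworthy origin; older browsers drop the cookie outright.
        problems.append("Secure attribute on a response served over %s" % url.scheme)
    if cookie.attrs.get("samesite", "").lower() == "none" and not secure:
        problems.append("SameSite=None without Secure is rejected")
    domain = cookie.attrs.get("domain", "")
    if domain and not domain_matches(url.hostname or "", domain):
        # A SESSION_DOMAIN that does not cover the host you are browsing lands here.
        problems.append("Domain=%s does not domain-match request host %s" % (domain, url.hostname))
    return problems

def would_be_sent(cookie: Cookie, set_by_url: str, request_url: str) -> bool:
    """Would a stored cookie accompany a later request, e.g. the POST carrying the CSRF token?"""
    origin, target = urlsplit(set_by_url), urlsplit(request_url)
    domain = cookie.attrs.get("domain", "")
    if domain:
        host_ok = domain_matches(target.hostname or "", domain)
    else:  # host-only cookie: exactly the host that set it (127.0.0.1 is not localhost)
        host_ok = (target.hostname or "").lower() == (origin.hostname or "").lower()
    cookie_path = cookie.attrs.get("path") or default_path(origin.path)
    path_ok = path_matches(target.path or "/", cookie_path)
    secure_ok = "secure" not in cookie.attrs or target.scheme == "https"
    return host_ok and path_ok and secure_ok

def diagnose(header: str, set_by_url: str, post_url: str) -> list:
    """Everything that would keep the session cookie away from the CSRF-checked POST."""
    cookie = parse_set_cookie(header)
    problems = storage_problems(cookie, set_by_url)
    if not problems and not would_be_sent(cookie, set_by_url, post_url):
        problems.append("stored, but not sent to %s (host/path/scheme mismatch)" % post_url)
    return problems

if __name__ == "__main__":
    login = post = "http://localhost:8000/nova/login"
    for header in (
        "laravel_session=abc123; Max-Age=7200; Path=/; HttpOnly; SameSite=lax",          # default .env
        "laravel_session=abc123; Max-Age=7200; Path=/; Secure; HttpOnly; SameSite=lax",  # SESSION_SECURE_COOKIE=true
        "laravel_session=abc123; Path=/; Domain=myapp.test; HttpOnly; SameSite=lax",     # SESSION_DOMAIN mismatch
    ):
        print(header.split(";")[0], "->", diagnose(header, login, post) or ["ok"])
```

Paste the real Set-Cookie value and the page URL from the Network tab into `diagnose`. An empty list means the cookie is stored and will be sent with the POST, so a remaining token mismatch is not a cookie-attribute problem and the session store itself is the next thing to inspect.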

sullen arrow
#

Based on the config, "SESSION_SECURE_COOKIE" is false by default; I haven't changed that.

#

One note: I am attempting to log in with Laravel Nova.

dense locust
#

Open dev tools and refresh the login page to check cookies

sullen arrow
#

I can see in the dev tools that the CSRF token is being set from the login form and sent in the request.

#

I can also see in the dev tools that a TOKEN= cookie is set, and the session as well.

#

If I create a CSRF token exemption for /nova it does function properly. However, for obvious reasons, I don't want to do that even in a local environment as bugs could be masked.

dense locust
#

That's definitely weird

#

So sessions are working otherwise, you can login, click around etc?

sullen arrow
#

If I exempt /nova* from CSRF, yes, it all appears to work without issue.

#

What is also very bizarre to me is that if I Google "Laravel Nova CSRF token mismatch" I really do not get any relevant results. Apparently no one is attempting to use Laravel Nova with the built-in Laravel local development server?!

dense locust
#

I just tried in an app; it works fine, so there's something going on with your setup.

#

Although I tested with an outdated version of Nova, so it could also be something new.

sullen arrow
#

The issue turns out to be some (unknown what) incompatibility between Eloquent UUIDs and CSRF tokens.

dense locust
#

I don't understand how Eloquent and CSRF would be related.

sullen arrow
#

I'm with you on that. However, I think it somehow is related to the session. Although I know, from disabling CSRF, that the session can indeed work. It is extremely puzzling.