AuthenticateSession middleware causes intermittent 401s after v12.45.0 upgrade

[ams-ryanolson]

Laravel Version

12.45.0

PHP Version

8.3

Database Driver & Version

No response

Description

After upgrading from Laravel v12.44.0 to v12.45.0, users experience intermittent 401 Unauthenticated errors on API routes that use Sanctum's stateful authentication. This occurs even with completely fresh logins - not just existing sessions.

The issue appears related to PR #58107 which changed the remember token to store a MAC instead of the password hash. While the stated goal was to prevent session forgery if password hashes leak, the change seems to break session validation when AuthenticateSession middleware is enabled alongside Sanctum stateful auth.

Behavior observed:

• Fresh login succeeds
• Initial page navigation works (Inertia/web routes)
• API requests intermittently return 401 Unauthenticated
• After a 401, refreshing the page logs the user out completely
• Re-logging in temporarily works, then the cycle repeats

Environment:

• Laravel v12.45.0 (works on v12.44.0)
• Sanctum with stateful authentication (SPA)
• AuthenticateSession middleware enabled in web group
• Redis session driver
• Inertia.js frontend making API calls to /api/* routes

The API routes use Sanctum's stateful middleware and share sessions with the web routes. The issue does not occur when AuthenticateSession middleware is disabled, or when staying on v12.44.0.

Steps To Reproduce

1. Start with a fresh Laravel 12 app with Sanctum configured for stateful SPA auth
2. Enable AuthenticateSession middleware in bootstrap/app.php:
   ->withMiddleware(function (Middleware $middleware) {
   $middleware->web(append: [AuthenticateSession::class]);
   })
3. Configure Sanctum stateful domains in config/sanctum.php
4. Create an API route behind auth:sanctum middleware
5. Upgrade to laravel/framework v12.45.0
6. Clear all sessions/cookies, open incognito browser
7. Log in with valid credentials
8. Navigate around - works initially
9. Trigger an API call (e.g., search autocomplete, any /api/* route)
10. Observe 401 Unauthenticated response
11. Refresh page - user is now logged out

[ams-ryanolson]

Update: Found the root cause - this is a Sanctum compatibility issue

After further investigation, I discovered the actual conflict:

When $middleware->authenticateSessions() is enabled alongside Sanctum stateful auth, both Laravel's AuthenticateSession and Sanctum's AuthenticateSession run on API requests. Laravel's version (updated in #58107) now stores password hashes as HMACs, but Sanctum's version still expects raw hashes.

This causes the mismatch:

1. Login via web → Laravel's middleware stores password_hash_web as HMAC
2. API request → Sanctum's middleware compares against raw hash → mismatch → logout

Opened a companion issue on Sanctum: laravel/sanctum#577

This framework issue can likely be closed as "not a bug" - the fix needs to be in Sanctum.

[crynobone]

Fixed via laravel/sanctum#578