🌐 Web Session Flow

```mermaid
%%{init: {'themeVariables': {'fontSize': '17px'}, 'sequence': {'useMaxWidth': true, 'actorFontSize': 17, 'messageFontSize': 16, 'noteFontSize': 15, 'mirrorActors': false}}}%%
sequenceDiagram
    participant Browser
    participant Sanctum
    participant Controller as AuthenticatedSessionController
    participant AccountsGuard
    participant Inertia as Inertia Response

    Browser->>Sanctum: GET /sanctum/csrf-cookie
    Sanctum-->>Browser: Set XSRF cookie + session cookie
    Browser->>Controller: POST /login (email, password, X-XSRF-TOKEN)
    Controller->>AccountsGuard: Validate credentials & organization scope
    AccountsGuard-->>Controller: Authenticated user + active organization
    Controller-->>Browser: Issue `web` session cookie + redirect to dashboard
    Browser->>Inertia: GET /dashboard (with session + XSRF header)
    Inertia-->>Browser: Render React page with server props (user, org context)
```

Highlights

  • Inertia runs as a modern monolith: no REST API hop is required, because controllers (app/Http/Controllers/Auth/AuthenticatedSessionController.php) return Inertia responses directly.
  • Sanctum keeps first-party cookies (session + XSRF) so every request stays on the same origin without CORS or OAuth overhead.
  • Middleware sets the organization/team context before props are shared, so React pages receive the correct Spatie permission scope.
  • Ideal for browser-based supporters, artists, and label managers who interact through the session guard.