The login button must be pressed twice

Hello,
A website is designed with React and its backend is Laravel. After entering my username and password, when I click the login button, the page refreshes and I have to enter my username and password again to log in to the website. The web server is Nginx and its report is as follows:

# cat /var/log/nginx/access.log
X.X.X.X - - [04/May/2025:02:31:49 -0700] "POST /api/login HTTP/1.1" 200 456 "http://X.X.X.X/auth/login" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36"
X.X.X.X - - [04/May/2025:02:31:49 -0700] "GET /assets/images/user-profile.jpeg HTTP/1.1" 304 0 "http://X.X.X.X/auth/login" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36"
X.X.X.X - - [04/May/2025:02:31:49 -0700] "GET /icon.png?f7318d50153a74aa HTTP/1.1" 200 3287 "http://X.X.X.X/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36"
X.X.X.X - - [04/May/2025:02:31:49 -0700] "GET /assets/images/logo.png HTTP/1.1" 404 4630 "http://X.X.X.X/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36"
X.X.X.X - - [04/May/2025:02:31:49 -0700] "GET /icon.png?f7318d50153a74aa HTTP/1.1" 200 3287 "http://X.X.X.X/auth/login" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36"
X.X.X.X - - [04/May/2025:02:31:49 -0700] "GET /api/user-current HTTP/1.1" 200 365 "http://X.X.X.X/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36"

Is this a bug in the website coding or the web server settings?

Thank you.

This is a coding issue, not a web server problem. The POST /api/login returns 200, but the login state isn’t persisted—suggesting missing cookies, tokens, or session logic in the frontend/backend.

You can start by inspecting the network tab in your browser’s dev tools to see if the login response sets any cookies or returns a token. Then, check whether the frontend stores this token (e.g. in localStorage or a cookie) and includes it in the Authorization header or withCredentials flag on subsequent API requests.

And since you mentioned the page refreshes when you click the login button, it’s also possible that the JavaScript isn’t intercepting the form submit—make sure the login handler is correctly wired up and calls event.preventDefault() to avoid a full page reload.

Is it the exact same URL before and after or is the host-name (www. vs no www) changing?

If so, it’s likely that the link you are clicking on to get to the login page uses one variation of the host-name, then you are redirecting after successful login to a different variation of the host-name, and the session cookie parameters are not set to match all variations of the host-name. So, the session cookie doesn’t match that of the page being redirected to, and you are redirected back to the login page, this time using the variation of the host-name that will cause the second session cookie to ‘work’.

The access log should show if this is occurring.

The solution in this case involves two things -

1. Be consistent in the variations of host-name you use in links and redirects. You should in fact have a redirect on the web server to force all requests to a single variation of the host-name.
2. The session cookie parameters need to be set up to match all variations of the host-name.

Hello,
Thank you so much for your reply.
No, same URL.
Is this related to the web server settings or the application itself?

Except for very overt problems in programming, there are multiple possible causes for any symptom. You must find what is causing a problem in order to fix it. What I posted was one common reason why an operation using (session) cookies requires two attempts for it to work.

All we know from your description is that you have a condition that doesn’t exist at the time of the first attempt that changes and is present for the second attempt. There could be a dozen different things that could cause this. It will take investigating what the code and data are actually doing in order to narrow down the problem to just a few things that can be investigated in greater detail to find the actual cause.

@hack3rcon I suggest taking another look at what @James_Hibbard is telling you as that is the most likely cause.

Hello,
Thank you so much for your reply.
Can you guide me further?
The network tab shows me the following information:

Network753×463 54.8 KB

Please take a look at the following problem:

Network-2739×183 32.7 KB

Is this a bug from the developer side? The PHP-FPM is running on port 9000 on the server.

Thanks for the follow-up. Bringing everything together, here’s how I understand the situation:

• User logs in → page refreshes → user must log in again.
• /login returns 200, so credentials are accepted.
• Session/token is not stored or reused.

There are a bunch of possible causes for this. For example, the form reloads the page (no preventDefault()), the token/cookie is not saved by frontend, Auth header or cookie missing in next requests etc.

The screenshot you posted shows only static resources being loaded, not the actual login request or response headers.

The second screenshot shows assets being blocked, I would guess by an ad blocker. This is unrelated to the login problem.

So first let’s check if the event handler is wired up correctly.

As the page is refreshing when you click the login button, this might indicate that your JavaScript isn’t intercepting the form submission. You need to make sure your login handler calls event.preventDefault().

Try something like this:

const handleLogin = (e) => {
  e.preventDefault();
  console.log('Inside the login handler');
  // Your login logic here
};

And in your JSX you should have something like:

<form onSubmit={handleLogin}>
  ...
</form>

If you don’t see “Inside the login handler” logged to the browser console when you submit the form, then the handler isn’t wired up properly.

Let us know what you find.

Hello,
Thanks again.
I am responsible for setting up the infrastructure and I will show your solutions to the developer. I just want to know if this problem could be related to the server configuration like Nginx?

No worries. Based on what you’ve posted here, this issue is not related to the server or Nginx configuration. The login request returns 200, and there are no errors in the server log indicating misconfiguration.