I use database sessions and user tokens.

When a user login, i send back the session_token (which I stored in the sessions table and also on the users table as user_token field). So every time a user logs in gets a new token and the session will expire after 30 min.

For every request, I make sure that the session is still active and the token belong to the user_id that is sending the request. I also record the User IP on users table when user login and validate against the request.

extjac said:

I use database sessions and user tokens.

When a user login, i send back the session_token (which I stored in the sessions table and also on the users table as user_token field). So every time a user logs in gets a new token and the session will expire after 30 min.

For every request, I make sure that the session is still active and the token belong to the user_id that is sending the request. I also record the User IP on users table when user login and validate against the request.

I don't understand how you auth user if he came from another domain?

have a look at this videos.. https://www.udemy.com/laravel-5-php-framework-agile-and-practical-php-restful-api/?dtcode=hjsZQFF39ekB#/lecture/3051110

or this https://github.com/barryvdh/laravel-cors

or this https://laracasts.com/discuss/channels/requests/laravel-5-cors-headers-with-filters

or this https://github.com/lucadegasperi/oauth2-server-laravel