I haven't quite put my finger on the actual order of operations here, but a constant Laravel papercut for me is CSRF tokens on the login page. Session expires. User ends up back at the login page, with an expired token. Login fails. I need to find a way to pay attention to what's actually going on.