I am looking at swapping out the session_domain in Laravel to be part of the base domain, like so: '.example.com'.
This is so we can persist sessions across all subdomains of the base domain, as by default cookies are only persisted on the current domain.
I have tested this locally, which works fine, but it seems to cause issues with active sessions, as the old cookie is still preserved in the user's browser with the old domain. This seems to cause issues when trying to authenticate, as there are now multiple session cookies (one with the old and one with the new cookie domain path). I have to manually clear the cookies for this to work, which I obviously don't expect my users to do.
I'm not keen on the idea of middleware to expire/unset these browser cookies, as it just seems inefficient to run this on every request.
What would be the best way for me to clear existing browser sessions in Laravel so that when I swap the session_domain, it does not cause issues with existing user sessions?
You need to change the APP_NAME for each subdomain,
because it replaces the session cookie with the same name in the same browser across different tabs. In short, if you log in to one domain, it will replace the previous domain's cookie. So you need to make it different for each subdomain.
If you have multiple .env files, one per domain, then change it explicitly; if you are using one env file for different domains, you need to change it dynamically. That way your cookie won't be replaced.
If you look inside config/session.php:
'cookie' => env(
    'SESSION_COOKIE',
    Str::slug(env('APP_NAME', 'laravel'), '_').'_session'
),
This is where your cookie name is generated; you can see it in the browser's Application tab, inside the Cookies section.
In your case, it will be the laravel_session cookie name.
Laravel 8 has an \App\Http\Middleware\EncryptCookies::class middleware, and I am wondering whether it is needed in my case.
The httpd port setting is done to ensure only HTTPS is allowed for my site.
Based on this question, Does SSL also encrypt cookies?, it seems HTTPS already encrypts everything, including cookies.
Therefore my assumption is that there should be no need to enable the EncryptCookies middleware in Laravel 8.
I am just not really sure whether the above assumptions I am making are correct or not.
Yes, there are benefits to encrypting cookies. Maybe you have some data, e.g. some personal info, a user id... that you wish to keep private. Even if you only have a session id in the cookie, you want that to be private.
Cookies can be read manually in a browser or by some JavaScript. That data can be used to hack sessions or just to get data that is not supposed to be seen by users.
I have never encountered any problems in development or production caused by the EncryptCookies middleware or even the encrypted cookie itself.
If you use the free and default Laravel middleware "EncryptCookies", you are ensuring that data from the cookie, including the session id, is kept secure and private.
I have a problem with SESSION_DOMAIN in the file session.php: Laravel always adds a "." in front of my value, so my cookies also apply to subdomains. How can I avoid that?
I have the domain example.com; when I look in Chrome's Network tab I see ".example.com", so my subdomain "dev.example.com" gets two XSRF cookies: the one from the main domain and the second from the subdomain.
I would like to avoid that and have a cookie for the active domain only. It looks like in previous versions of Laravel the problem was the opposite: the "." wasn't there.
Thanks a lot
When you want the cookie to be valid only for the current subdomain, keep SESSION_DOMAIN as null.
When you want to persist logins (and other session stuff) across subdomains, set SESSION_DOMAIN to the top-level part of your domain.
But keep in mind this issue: https://stackoverflow.com/a/64261391/819364
I deployed my Laravel app to shared hosting (cPanel). For paying, the user is first redirected to a bank account and then redirected back to my page. During this procedure, the user gets logged out!
For protecting my routes I use the auth middleware, and for the session driver I use the default, which is file. Also, the permission for framework/sessions is 777.
This is the code which redirects to the bank page:
$go = "https://thebank/example";
redirect()->to($go)->send();
After a successful payment, the bank redirects to a route that I specified for verifying the payment:
Route::get('/payment/callBack', 'PaymentController@VerifyData')->middleware('auth');
The route utilizes the auth middleware. However, most of the time the user is not logged in and is automatically redirected to the login page. I noticed that if I don't use the auth middleware and the user refreshes the page, the user logs in automatically. This is not something that usually happens with Laravel. I also tried the cookie driver for the session, and it didn't work and caused more problems.
I also didn't have any success storing user_id and cart_id in the default PHP $_SESSION. All sessions seem to be cleared when the user redirects back from the bank page.
How can I fix the problem?
The same_site setting is changed in the default Laravel installation; make sure you change same_site to null in config/session.php, or the callback won't include cookies and you will be logged out when a payment is completed. So inside your config/session.php update:
return [
...
...
'same_site' => null,
...
...
];
I have a configuration with this, but it's not working:
'secure' => env('SESSION_SECURE_COOKIE', false),
'same_site' => null,
If I set this:
'same_site' => 'none',
then it works.
Solution for Laravel 8:
In config/session.php:
'secure' => true,
'same_site' => 'none'
Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
The new versions of the browsers might be logging you out because of the new cookie policy.
References
https://developers.google.com/search/blog/2020/01/get-ready-for-new-samesitenone-secure
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
Whenever a cookie is required to be sent to the server, the browser looks at the SameSite attribute to decide whether the cookie is to be sent to the server or blocked. For user actions, it is sent to the server, but for auto-redirects it isn't if SameSite is set to 'Strict' or 'Lax' (Lax is going to be the default value now).
Solution:
The cookie attribute SameSite can be set to 'None' along with setting the 'Secure' attribute to 'true'. Setting the 'Secure' attribute to 'true' would require your site to run on HTTPS. Sites running with the http:// protocol will not be able to set a 'Secure' cookie.
Please set the 'HttpOnly' attribute to 'true' to make it accessible only to HTTP requests to the server.
In PHP, it can be achieved as below:
session_set_cookie_params(0, '/PATH/; SameSite=None', <COOKIE_DOMAIN>, true, true);
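Added example (not from any of the posts on this page): a small Python model of the cookie rules the answers on this page rely on, covering RFC 6265 domain matching for the SESSION_DOMAIN threads above, the Secure flag, and the SameSite rules from the MDN page linked above. The host names and the callback scenario are constructed, and the model is simplified: it ignores browser-specific exceptions such as Chrome's "Lax+POST" grace period.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Cookie:
    name: str
    domain: Optional[str] = None  # None = host-only cookie (SESSION_DOMAIN=null)
    secure: bool = False          # Laravel 'secure' / SESSION_SECURE_COOKIE
    same_site: str = "Lax"        # Laravel 'same_site': "Strict", "Lax" or "None"

def domain_matches(cookie: Cookie, set_host: str, request_host: str) -> bool:
    """RFC 6265 domain matching. A host-only cookie goes back only to the exact
    host that set it. A cookie with Domain=example.com (browsers drop a leading
    dot, which is why Chrome shows '.example.com') goes to that host and to
    every subdomain, e.g. dev.example.com."""
    if cookie.domain is None:
        return request_host.lower() == set_host.lower()
    d = cookie.domain.lstrip(".").lower()
    h = request_host.lower()
    return h == d or h.endswith("." + d)

def will_be_sent(cookie: Cookie, set_host: str, request_host: str, scheme: str,
                 cross_site: bool, top_level_nav: bool, method: str) -> bool:
    """Simplified model of whether a browser attaches `cookie` to a request.
    cross_site is True when another site triggers the request, e.g. the bank
    redirecting or POSTing the user back to /payment/callBack."""
    if not domain_matches(cookie, set_host, request_host):
        return False
    if cookie.secure and scheme != "https":
        return False          # Secure cookies never travel over plain http
    if cookie.same_site == "None":
        return cookie.secure  # browsers reject SameSite=None without Secure
    if not cross_site:
        return True           # same-site requests always carry the cookie
    if cookie.same_site == "Strict":
        return False
    # Lax (Chrome's default since 2020): only top-level navigations with a safe
    # method, so a gateway that POSTs the payment result arrives without it.
    return top_level_nav and method in ("GET", "HEAD")

def callback_keeps_login(same_site: str, secure: bool, scheme: str = "https",
                         method: str = "POST") -> bool:
    """Constructed scenario: does the payment-gateway callback to the (made-up)
    host shop.example.com still carry the laravel_session cookie?"""
    c = Cookie("laravel_session", domain=None, secure=secure, same_site=same_site)
    return will_be_sent(c, "shop.example.com", "shop.example.com", scheme,
                        cross_site=True, top_level_nav=True, method=method)
```

With the default Lax cookie, a gateway that POSTs back loses the session, while SameSite=None plus Secure keeps it only as long as the callback URL is https, which is the situation the later answers in this thread describe.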
This is one of my very old questions that I figured out myself but forgot to share the solution for. However, since I see this page is still active, I decided to share my solution.
My problem actually was the protocol of the redirect URL. My mistake was that I set the redirect URL of '/payment/callBack' to http, while my website was https. The sessions for https and http are different, so a user logged in on https cannot be logged in on http. My solution was first to correct the callback URL to the https version, and then to set the nginx config to redirect all http to https.
I solved this issue by adding an API route for the callback. Inside the controller you can redirect or return a view.
Our Laravel 5.1 application has been using the "native" session driver setting (configured in the .env file). With it set this way, we were able to use Laravel's url.intended behavior to redirect the user to the URL they were attempting to access prior to being authenticated.
We had to change it to "cookie" because every time we used Amazon's OpsWorks system to deploy a new build, users were logged out because their server-side session files were no longer available. Once we changed it to cookie, the users remain logged in even when we deploy a hotfix or new build.
However, with it set to cookie, url.intended does not work at all. I tried hacking together a solution by adding a custom url intended node, but it just won't work. It seems like when the user attempts to access a URL prior to being logged in, it sets the session info, but then the application redirects the user to the login page, where it's getting nulled out.
I'm using Debugbar to look at the session vars and I'm going crazy. I'm already bald so I have no more hair to pull out.
Does anyone have any ideas?
We ended up setting up a DynamoDB database at first and then transitioned to Redis on a common server. We have a load balancer and don't want sessions getting lost or corrupted by switching servers, so all cache is now being stored in that common location.
I've just installed a fresh L5 app. I'm attempting to use database-driven sessions; however, a new session appears to be created on each page load.
Has anyone come across this issue and managed to resolve it?
The "_token" value is new on each refresh.
I'm happy that the cookies have been configured correctly.
Not sure where to look next.
Any suggestions would be a huge help.
Thanks in advance
Have you ensured your session domain is set correctly? Your session domain should be the domain alone, for example domain.com, with no URIs or protocols (http://), etc.
You may also want to check that SESSION_HTTPS is set to false, unless you're accessing your site over https.
If either is not set correctly, sessions will not be correctly stored by the browser, so each request results in a new session.
The _token key will always be a new value for each request; this is part of the CSRF security feature.