I have a problem with SESSION_DOMAIN in the file session.php, Laravel always adds a "." in front of my value so my cookies also apply to sub-domains. How can I avoid that?
I have the domain example.com, when I look in Chrome's Networks tab I see ".example.com" so my subdomain "dev.example.com" got two xsrf cookie: the one from the main domain and the second from the subdomain.
I would like to avoid that and have a cookie for the active domain only. Looks like in previous versions of Laravel the problem was the opposite, the "." wasn't there.
Thanks a lot
When you want to be the cookie valid only for current subdomain keep SESSION_DOMAIN as null.
When you want to persist logins (and other session stuff) across subdomains, set SESSION_DOMAIN to toplevel part of your domain.
But keep in mind this issue https://stackoverflow.com/a/64261391/819364
Related
I am currently trying to host a website as an experiment on Heroku, I deployed the back end which you can consider yyyy.herokuapp.com and the front end with you can consider xxxx.herokuapp.com,
Now, here's the issue, I need to set cookies between xxxx and yyyy, I know this will be a massive security issue but since this is an experimental website I am not willing to get a custom domain, I tried to set the cookies' domain to: herokuapp.com, .herokuapp.com, *.herokuapp.com, xxxx.herokuapp.com, yyyy.herokuapp.com.
Yet it doesn't work, chrome denies the cookies and gives this message:
This attempt to set a cookie via a Set-Cookie header was blocked because its Domain attribute was invalid with regards to the current host url.
So, how do I approach this issue without the need for a custom domain?
this is my configuration to set cookies (on the back end which uses flask)
response.set_cookie("example_cookie", value="cookie value",
max_age=900, expires=datetime.datetime.utcnow() +
datetime.timedelta(seconds=900), secure=True, domain=".herokuapp.com",
samesite='none')
If herokuapp.com were not a public suffix (a.k.a. an effective top-level domain or eTLD), then in the case of a cookie set by xxxx.herokuapp.com with Domain=herokuapp.com, browsers would send that cookie to yyyy.herokuapp.com
However, there is a snag: in order to isolate its different tenants, Heroku required herokuapp.com be added to the public-suffix list a while back. Most browsers refuse to set a cookie for a public suffix:
For security reasons, many user agents are configured to reject Domain attributes that correspond to “public suffixes”. For example, some user agents will reject Domain attributes of “com” or “co.uk”.
Therefore, attempts to set a cookie with Domain=herokuapp.com will be rejected by browsers, as you've experienced.
Note: adding a leading dot in the Domain attribute of the Set-Cookie HTTP header has no effect, at least in modern browsers.
To get out of this difficulty, you could simply buy a cheap domain name (say infinityvive.com) to serve both your frontend and backend from subdomains of it. Then you'd be able to use Domain=infinityvive.com because your domain would not be a public suffix.
I am looking at swapping out the session_domain in laravel to be part of the base domain like so: '.example.com'.
This is so we can persist sessions across all subdomains of the base domain as by default cookies are only persisted on the current domain
I have tested this locally which works fine, but it seems to cause issues with active sessions as the old cookie is still preserved in the users browser with the old domain. This seems to cause issues when trying to authenticate as there are now multiple session cookies (One with the old, and one with the new cookie domain path). I have to manually clear the cookies for this to work which i obviously don't expect my users to do.
I'm not keen on the idea of middleware to expire/unset these browser cookies as it just seems inefficient to run this on every request.
What would be the best way for me to clear existing browser sessions in Laravel so that when i swap the session_domain, it does not cause issues with existing user sessions?
You need to change the APP_NAME for each subdomain
Because it replaces the session,cookie with the same name on same browser with different tabs. In short if you login to one domain, it will replace the previous domain cookie. So you need to make it different for each subdomain.
If you are having multiple .env on each domain then change it explicitly if you are using one env file for different domains you need to dynamically change it. That way your cookie won't be replaced.
If you look at inside config/session.php
'cookie' => env(
'SESSION_COOKIE',
Str::slug(env('APP_NAME', 'laravel'), '_').'_session'
),
This is where your cookie name is generated if you see that in browser Application tab inside Cookies section.
In your case, it will be laravel_session cookie name
I have a laravel app setup on a server accepting wildcard DNS calls. It is running fine, except that a user has to log in on every single subdomain.
So, something like....
business.example.com , news.example.com , and example.com will require separate logins while I would like to use the example.com cookies and propagate through the subdomains.
In other words, if a user access subdomain.example.com they should be logged in example.com so that it can be used for other subdomains.
So far, I haven't come across any going pointers in the right direction.
Tweak the config('session.domain') value to be .example.com.
Be sure to clear your cookies after doing so - it won't work if there are old per-subdomain session cookies still hanging around.
I am new to Laravel. I have created a domain and subdomain with a specific domain group.
domain.com
admin.domain.com
On my domain.com a user can login. And in the subdomain admin.domain.com an admin can login. The problem Im having is when a user is logged in the root domain the admin subdomain is also logged in. I want the root domain and subdomain to be of different sessions. Please help!
This problem is not on framework, I got this problem when I worked with Yii 2.0 too, the issue because sessions general from application key, the solution is make key different between root and subdomain.
The solution here is you have to general another Laravel Application key on your subdomain follow the document:
php artisan key:generate
Application key [Idgz1PE3zO9iNc0E3oeH3CHDPX9MzZe3] set successfully.
2 keys in root and subdomain have to different.
Hope this help.
Laravel by default uses a single cookie to keep session data and manage its authentication system, thats why your user keeps logged across your subdomains, because your cookie is still there.
In this case I think you have 2 options:
1st: Create a different auth system using middlewares for each subdomain group to manage sessions (lets say you create/read a different cookie for each subdomain, but this could be a little bit tricky if the same user want to use the app across different subdomains at the "same time").
2nd: Use a different session driver (lets say database e.g.)
I have a website www.abc.com and i have a user for whom the url is name.abc.com.
Then what is the procedure to use the same session for both the urls
To create a domain wide cookie you have to set it's domain to ".example.tld" or in your case ".abc.com". In PHP you can do this e.g. with:
ini_set('session.cookie_domain', '.abc.com');
Cookie based sessions should then be available across all subdomains.
Best wishes,
Fabian
I don't think there is a single best approach. You might want to read this SO post:
What’s your favorite cross domain cookie sharing approach?
And Googled results
In order for cookies to be shared between subdomains, the cookie domain must be .abc.com. Setting the cookie domain varies between different programming languages/frameworks.