Laravel subdomain authentication - Wildcard DNS - laravel

I have a Laravel app set up on a server accepting wildcard DNS calls. It is running fine, except that a user has to log in on every single subdomain.
So, something like:
business.example.com, news.example.com, and example.com will require separate logins, while I would like to use the example.com cookies and propagate them through the subdomains.
In other words, if a user accesses subdomain.example.com they should be logged in on example.com so that it can be used for other subdomains.
So far, I haven't come across any pointers in the right direction.

Tweak the config('session.domain') value to be .example.com.
Be sure to clear your cookies after doing so - it won't work if there are old per-subdomain session cookies still hanging around.

Related

Avoid SESSION_DOMAIN applying to subdomains in Laravel

I have a problem with SESSION_DOMAIN in the file session.php: Laravel always adds a "." in front of my value, so my cookies also apply to sub-domains. How can I avoid that?
I have the domain example.com; when I look in Chrome's Network tab I see ".example.com", so my subdomain "dev.example.com" gets two XSRF cookies: the one from the main domain and the second from the subdomain.
I would like to avoid that and have a cookie for the active domain only. It looks like in previous versions of Laravel the problem was the opposite: the "." wasn't there.
Thanks a lot
When you want the cookie to be valid only for the current subdomain, keep SESSION_DOMAIN as null.
When you want to persist logins (and other session stuff) across subdomains, set SESSION_DOMAIN to the top-level part of your domain.
But keep in mind this issue https://stackoverflow.com/a/64261391/819364

masking heroku app from godaddy using cloudflare

I am trying to set up my Heroku app with my custom domain name from GoDaddy. I have gone through the process of getting it working using a CNAME through Cloudflare.
Everything is working. However, when I go to my site at example.com my browser changes the URL to example.herokuapp.com.
Going to http://www.example.com/ and www.example.com does work.
Obviously I don't want this; what am I doing wrong?
Don't use an A record for your root domain. Heroku doesn't provide static IP addresses, so whatever value you put there won't be valid for long.
Since you're using CloudFlare you should be able to set up a CNAME for your apex domain just like you did for your www subdomain. CloudFlare has a feature called CNAME flattening that should make a CNAME on your root domain work as expected.
Regarding your comment that the www subdomain started working, that's typical of DNS changes. They take time to propagate. Give it some time.

Spring MVC: www.example.com does not recognize the session initiated in example.com

I access my website as example.com and log in; now I am logged in.
Now if I access my website as www.example.com it shows the same content, same page, everything the same, except it doesn't recognize the previous login session, and so it shows the content as a guest user, not a logged-in user.
Why does www.example.com not recognize the session initiated in example.com?
Have a read of this page to get an understanding of why to use www: http://www.yes-www.org/why-use-www/. Go about halfway down and it will explain all the cookie fun.
Using www stores cookies differently than not using it: one focuses on sharing the cookie across the whole domain, whereas the other method only allows the cookie within the immediate subdomain.
Hope that helps clarify.

Use Sinatra session variables across multiple domain names?

I'm building a Sinatra app which needs to use a session variable for one very specific thing. The session variable is set when the user is looking at an SSL enabled page.
I'm using Heroku's piggyback SSL, so the SSL url is something like https://myapp.heroku.com
However, the app itself is hosted at my url, myapp.com
Is there a way to make my session variable, which is set while on the SSL / Heroku domain name, available to my app while on my domain name?
Unfortunately no, since the cookie is tied to the domain. What you'll have to do is either allow authenticated users to use the https://foo.heroku.com domain, and reserve your nice domain for the landing page & other unauthenticated pages.
That, or pay $20 for heroku's SSL add-on.
(I ran into this exact problem in http://appkickstand.com and I chose to just deal with the heroku url for logged in users)
You should look for cross-domain cookie manuals; check this.
But I don't see much reason in setting a cookie through a secured channel and transmitting it later via raw HTTP, where everyone could sniff it.
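The three threads so far (SESSION_DOMAIN null versus .example.com, www versus the bare domain, and a Heroku hostname versus a custom domain) are all the same browser rule: a cookie is only sent back to hosts that match its scope. The model below is an added example, not code from any of the posts or from Laravel, Spring or Sinatra; it implements just the domain-matching and Secure-flag parts of RFC 6265 (path, expiry and the public-suffix list are left out) and replays each situation with constructed cookie values. It also shows why the Laravel answer says to clear old cookies: a stale host-only cookie and the new domain cookie with the same name coexist, so the browser sends both.

```python
"""Tiny model of RFC 6265 cookie scoping (added example, not code from the posts).
Shows which hosts a browser sends a cookie back to, depending on whether the
Set-Cookie header carried a Domain attribute and/or the Secure flag."""
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # host or domain the cookie is scoped to, no leading dot
    host_only: bool   # True when Set-Cookie had no Domain attribute
    secure: bool


def domain_match(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals the domain or is a subdomain of it."""
    request_host, cookie_domain = request_host.lower(), cookie_domain.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


class CookieJar:
    def __init__(self):
        self.cookies = []  # list of Cookie, in insertion order

    def set_cookie(self, request_host: str, header: str) -> bool:
        """Store a Set-Cookie header received from request_host.
        Returns False when a browser would reject it (RFC 6265 section 5.3, step 6)."""
        parts = [p.strip() for p in header.split(";")]
        name, _, value = parts[0].partition("=")
        domain_attr, secure = None, False
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            if key.lower() == "domain" and val:
                domain_attr = val.lstrip(".").lower()  # browsers ignore the leading dot
            elif key.lower() == "secure":
                secure = True
        if domain_attr is None:
            cookie = Cookie(name, value, request_host.lower(), True, secure)
        elif domain_match(request_host, domain_attr):
            cookie = Cookie(name, value, domain_attr, False, secure)
        else:
            return False  # a host may only set cookies for itself or a parent domain
        # Same name and same scope replaces the old cookie; a host-only cookie and a
        # domain cookie with the same name coexist, which is the "two cookies" symptom.
        self.cookies = [c for c in self.cookies if (c.name, c.domain, c.host_only)
                        != (cookie.name, cookie.domain, cookie.host_only)]
        self.cookies.append(cookie)
        return True

    def cookies_for(self, url: str) -> list:
        """name=value pairs the browser would put in the Cookie header for url."""
        scheme, _, rest = url.partition("://")
        host = rest.split("/", 1)[0].lower()
        sent = []
        for c in self.cookies:
            if c.secure and scheme != "https":
                continue
            if c.host_only and host != c.domain:
                continue
            if not c.host_only and not domain_match(host, c.domain):
                continue
            sent.append(f"{c.name}={c.value}")
        return sent


def demo() -> dict:
    """The situations from the posts above, with constructed cookie values."""
    out = {}
    # SESSION_DOMAIN=null: Laravel emits a host-only cookie, valid for one subdomain.
    jar = CookieJar()
    jar.set_cookie("business.example.com", "laravel_session=s1")
    out["host_only_same_host"] = jar.cookies_for("https://business.example.com/")
    out["host_only_other_subdomain"] = jar.cookies_for("https://news.example.com/")
    out["host_only_apex"] = jar.cookies_for("https://example.com/")
    # SESSION_DOMAIN=.example.com: one cookie shared by the apex and every subdomain.
    jar = CookieJar()
    jar.set_cookie("example.com", "laravel_session=s2; Domain=.example.com")
    out["domain_cookie_subdomain"] = jar.cookies_for("https://business.example.com/")
    out["domain_cookie_apex"] = jar.cookies_for("https://example.com/")
    # Stale host-only cookie from before the config change plus the new domain cookie:
    # dev.example.com now sends two XSRF-TOKEN cookies, hence "clear your cookies".
    jar = CookieJar()
    jar.set_cookie("dev.example.com", "XSRF-TOKEN=old")
    jar.set_cookie("dev.example.com", "XSRF-TOKEN=new; Domain=.example.com")
    out["stale_plus_domain"] = jar.cookies_for("https://dev.example.com/")
    # Spring: a host-only cookie set by example.com is never sent to www.example.com.
    jar = CookieJar()
    jar.set_cookie("example.com", "JSESSIONID=abc")
    out["apex_to_www"] = jar.cookies_for("https://www.example.com/")
    # Sinatra on Heroku: myapp.heroku.com and myapp.com share no parent domain, the Heroku
    # host cannot set a cookie for myapp.com, and a Secure cookie stays off plain HTTP.
    jar = CookieJar()
    jar.set_cookie("myapp.heroku.com", "rack.session=xyz; Secure")
    out["heroku_to_custom_domain"] = jar.cookies_for("https://myapp.com/")
    out["cross_domain_rejected"] = jar.set_cookie("myapp.heroku.com", "rack.session=xyz; Domain=myapp.com")
    out["secure_over_http"] = jar.cookies_for("http://myapp.heroku.com/")
    out["secure_over_https"] = jar.cookies_for("https://myapp.heroku.com/")
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:28s} {result}")
```

Running it prints one line per case; the empty lists are the requests that arrive without a session cookie, which is exactly what each asker observed as "not logged in".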

ASP.NET Cross Site Forms Authentication works in Dev but not production

I have two MVC3 sites, both hosted on the same server that I've configured to use the same authentication cookies.
The first site is an intranet site using Windows authentication. This site has one simple Action that checks to see if the user was authenticated; if so, it creates a FormsAuthentication cookie that it adds to the response. This cookie is created for a generic user that I determine from the user's AD groups. The response then redirects the user to a second site that uses Forms Authentication.
When I run this on my local machine, everything works as described above. When I deploy this to our local web server, it doesn't. I've tested to see if the user's group is correctly determined and that it creates a valid user for the cookie, and I have verified that this is correct on the web server.
Here is how I'm doing all of the above:
First, I made both sites use the same Machine Key for encryption and decryption.
When I create the cookie in Site1, I ensure that it has the same name and Domain as the cookies created on Site2.
var cookie = FormsAuthentication.GetAuthCookie(userName, false);
cookie.Domain = FormsAuthentication.CookieDomain; //This is the Domain of my 2nd site as they are different
HttpContext.Response.Cookies.Add(cookie); //Add my cookie to the response
HttpContext.Response.RedirectPermanent(urlForSite2);
Again, when I run this on my local machine it works without a problem. But when deployed, it's either not passing the cookie in the request, or the response is ignoring it, but I'm not sure how to verify either of these cases.
Feel free to ask any question regarding more details as to how I'm doing this if it will help in getting an answer I need.
Cross domain cookies are not allowed. If you have two separate domains, one cannot access the other's cookies. Two separate virtual directories/applications will work when using the same machine key. http://blogs.technet.com/b/sandy9182/archive/2007/05/07/sharing-forms-cookie-between-asp-net-web-application.aspx
If you want to share login cookies between sub-domains you need to edit the Domain property of the login cookie to the 2nd level domain "abc.com" so that "www.abc.com" and "ww2.abc.com" will have access to the cookie. http://forums.asp.net/t/1533660.aspx
string usrName = User.Identity.Name;
// Build the forms-auth cookie for the current user (non-persistent).
HttpCookie authCookie = System.Web.Security.FormsAuthentication.GetAuthCookie(usrName, false);
// Scope it to the 2nd-level domain so every *.abc.com host receives it.
authCookie.Domain = "abc.com";
Response.AppendCookie(authCookie);
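Setting the cookie's Domain only gets the cookie delivered to the second site; the answer's other condition, the same machine key, is what lets the second site accept it, because the ticket is signed by the issuing application and validated by the receiving one. The following is an added example that makes that dependency visible; it is a generic HMAC-SHA256 ticket written for illustration, not ASP.NET's FormsAuthentication ticket format, and the cookie name auth_ticket, the user name, the clock value and both keys are constructed.

```python
"""Added example: a login ticket issued by one app and validated by another.
Generic HMAC-SHA256 ticket for illustration, not ASP.NET's FormsAuthentication
format; cookie name, hosts, keys and clock value are constructed."""
import base64
import hashlib
import hmac
import json


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(username: str, key: bytes, now: int, ttl: int = 1800) -> str:
    """Site 1: cookie value = base64url(claims) '.' base64url(HMAC(key, claims))."""
    claims = json.dumps({"user": username, "exp": now + ttl}, separators=(",", ":")).encode()
    tag = hmac.new(key, claims, hashlib.sha256).digest()
    return _b64(claims) + "." + _b64(tag)


def verify_ticket(cookie_value: str, key: bytes, now: int):
    """Site 2: return the username, or None if the tag does not verify under
    *this* app's key, the ticket is malformed, or it has expired."""
    try:
        claims_b64, tag_b64 = cookie_value.split(".", 1)
        claims, tag = _unb64(claims_b64), _unb64(tag_b64)
        expected = hmac.new(key, claims, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None
        parsed = json.loads(claims)
        return parsed["user"] if parsed["exp"] > now else None
    except (ValueError, KeyError, TypeError):
        return None


def set_cookie_header(ticket: str, domain: str) -> str:
    """The Set-Cookie line site 1 would emit so that www.abc.com and ww2.abc.com
    both receive the ticket, together with the flags a login cookie should carry."""
    return f"auth_ticket={ticket}; Domain={domain}; Path=/; Secure; HttpOnly; SameSite=Lax"


def demo() -> dict:
    now = 1_700_000_000  # constructed clock value
    shared_key = b"constructed-machine-key-shared-by-both-apps"
    other_key = b"constructed-machine-key-of-a-misconfigured-app"
    ticket = issue_ticket("generic-intranet-user", shared_key, now)
    # Integrity check: claims swapped, tag kept from the genuine ticket.
    forged = _b64(b'{"user":"someone-else","exp":9999999999}') + "." + ticket.split(".")[1]
    return {
        "same_key": verify_ticket(ticket, shared_key, now),        # accepted
        "different_key": verify_ticket(ticket, other_key, now),    # rejected: keys differ
        "forged_claims": verify_ticket(forged, shared_key, now),   # rejected: tag mismatch
        "expired": verify_ticket(ticket, shared_key, now + 3600),  # rejected: past exp
        "header": set_cookie_header(ticket, "abc.com"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15s} {result}")
```

The "different_key" case is the deployed-server symptom in the question: the cookie does reach the second site, but a receiver with another key treats it as unauthenticated, which from the outside looks the same as the cookie never having been sent.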
Actually, it is possible, but isn't as simple as the domain/sub-domain cookie sharing.
http://www.codeproject.com/KB/aspnet/CrossDomainSSOModel.aspx
While the example given in this article didn't apply directly to what I was doing, I could use some of the ideas expressed there to get what I needed working. It ended up being my configuration settings in site2 web.config.
My URLs are as follows:
Site1 = http://site.stage
Site2 = http://site.stage.MyCompanyName.com
Site 1 requires a host entry addressing it to a specific IP address of the hosting machine. It's also an entry in my IE Security settings - Local Intranet Sites.
I should note that these applications are both virtual directories running under the same default website.
I thought I had solved my problem by setting the Domain in the config file to an empty string, but this didn't work. I'm not sure what can be done now. This still works when I run it on my local machine, but not when I run it on my server. The only difference is the URLs.
My dev machine is using the URLs:
Site 1: http://localhost/CompanyName.TVAP.IntranetSite
Site 2: http://localhost/TVAPDev/
I hope this adds some clarification. This answer should really be posted as an edit to my question, but when I originally posted it, I thought I had it working.
UPDATE: I think my answer is in my URLs above. My dev machine URLs both use the same domain name, which in this case is localhost. I think if I alter my deployed websites to use the same domain, I will be OK. I'll post an update when I get it worked out.