Laravel: share session data over multiple domains

session authentication laravel cross-domain

21,580

Solution 1

Capture the session id Session::getId() in Domain A
send the captured session id via HTTP POST to Domain B
Access the sent session id in domain B $sessionid_from_domainA = $_POST['session_from_A']
Set session in domain B Session::setId($sessionid_from_domainA)
Start Session in domain B Session::start()

Solution 2

If you want to share the session between multiple subdomains in that case you have to set the domain name config/session.php has set the domain name.

Example: if you have new.example.com and test.example.com so you have to set the domain name as example.com

'domain'     => env('SESSION_DOMAIN_URL','.example.com')

Solutions there worked for me, specifically setting the domain and then clearing my browser cookies & cache.

Solution 3

On domain A create an image like so <img src="https://DOMAINB.com/setcookie?id={{ Session::getId() }}" style="display:none;" />
On Domain B create a Route like so:

Route::get('setcookie', function(){
  Session::setId($_GET['id']);
  Session::start();
  return 'Cookie created';
});`

Done, Now you should be able to get your user by $user = Auth::User;

Solution 4

I know this is not exactly what was asked for, but, for development and testing purposes, I did this:

In config/session.php, try changing this line

'path' => '/',

Into this

'path' => '/;SameSite=None; secure',

allowed me to authenticate from different domains.

Now, you should be able to write a simple middleware to prevent unwanted hosts. Something like this.

namespace App\Http\Middleware;
use Illuminate\Http\Request;
use Closure;

class TrustedHosts{
    public function handle($request, Closure $next){
        //$host = $request->getHost();
        $host = $request->headers->get('origin');
        $enviroment = env('APP_ENV');

        if ( $enviroment == 'development' ) {
            $trustedHosts = array('localhost', 'dev.mydomain.com');
        }
        else {
            $trustedHosts = array('anotherdomain.com', 'mydomain.com');
        }
        
        $isHostTrusted = in_array($host, $trustedHosts);
        
        if ( !$isHostTrusted ) return response("I'm a teapot", 418); //Or any other code and message that you prefer.
        return $next($request);
    }
}

And group it in the middleware group that includes the session stuff.

Solution 5

I am working on something like that too a single sign-on system, still working to find a solution, but here is a start http://laravel.io/forum/03-14-2014-multiple-domains-how-to-share-login

On laravel you can change the /app/config/session.php driver to cookie

Edit:

This is what I have done.

You can share cookie accross domains using pixel images. For example when you login on domain1.com you want to create a cookie on domain2.com, right after login on domain1.com you need to have something like this

<img src="http://www.domain2.com/create-cookie?param=hash">

on domain2.com the route above:

will check first if a user is logged in
1. if its not logged in will read the hash (for example email address), check if there is a user with that email, and login it there, also set a cookie

View more solutions

21,580

Author by

Luuk Van Dongen

Updated on July 09, 2022

Comments

Luuk Van Dongen almost 2 years

I'm building a multi-domain/multi-store ecommerce application in Laravel and would like to keep the user logged in when he or she changes from store to store.

But for as far as I know Laravel's Auth service saves the logged in user in the session and the sessions can't be accessed by other domains.

Is there a way (maybe a package) to achieve this, without leaving my application prone to possible security problems?

Thanks in advance!
Omer Farooq almost 8 years

I wish it was possible but its not. If its the same laravel installation but with different domains, Once you login to your app from Domain A, you cant send a POST request to itself and start a session.
mateos over 7 years

WARNING: Do not send the email over in plain text, This means I could edit the html tag and basically log into any account on the other domain. Encrypt the text using your App Key.
mateos over 7 years

I found an easier way to do this, check my answer
mateos over 6 years

For anyone using this, I'm not certain to whether this method is secure, it was how google used to do it, however now they use OAuth
bksi over 5 years

For simple things that can be stored in a session, this is life saver
Harry Potts about 5 years

I used this method, the only small change I made was to pass the encrypted session id, instead of the plain id. Like this: Session::setId(Crypt::decrypt($_GET['id'])); Also, I ran into an issue on IE9 and below. They require the P3P header to be set in order to have the cookie be set correctly for the other domain. So I added this line below the Session::start(): header('P3P: CP="This is not a policy"'); You can read more about P3P headers in this post.
DAVID AJAYI about 4 years

Better still just create a .env variable like (SESSION_DOMAIN=.example.com). Works for me with on same laravel project.
DAVID AJAYI about 4 years

Tested and NOT working. @Chirag answer works though
Luke Galea over 3 years

Can cookie be issued to specific subdomains only? Such as new.example.com and test.example.com only? and not for other subdomains? To access the session from another Laravel project, do I have to implement the User model again? Should I change my driver to Cookie instead of file?
mujaffars over 2 years

@HarryPotts Does session need to be stored in database for this to work?
SaidbakR over 2 years

I have a little problem with this approach. I use multiple dynamic dns domains. i.e domain1.freemyip.com, domain2.freemyip.com etc