Laravel: share session data over multiple domains
Solution 1
- Capture the session id in Domain A
Session::getId();
- Send the captured session id via HTTP POST to Domain B
- Access the sent session id in Domain B
$sessionid_from_domainA = $_POST['session_from_A'];
- Set session in Domain B
Session::setId($sessionid_from_domainA);
- Start session in Domain B
Session::start();
Solution 2
If you want to share the session between multiple subdomains, you have to set the domain name in config/session.php.
Example: if you have new.example.com and test.example.com, you have to set the domain name as example.com
'domain' => env('SESSION_DOMAIN_URL','.example.com')
Solutions there worked for me, specifically setting the domain and then clearing my browser cookies & cache.
Solution 3
On domain A create an image like so
<img src="https://DOMAINB.com/setcookie?id={{ Session::getId() }}" style="display:none;" />
On Domain B create a Route like so:
Route::get('setcookie', function () {
    Session::setId($_GET['id']);
    Session::start();
    return 'Cookie created';
});
- Done. Now you should be able to get your user by
$user = Auth::user();
Solution 4
I know this is not exactly what was asked for, but, for development and testing purposes, I did this:
In config/session.php, try changing this line
'path' => '/',
Into this
'path' => '/;SameSite=None; secure',
This allowed me to authenticate from different domains.
Now, you should be able to write a simple middleware to prevent unwanted hosts. Something like this.
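namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class TrustedHosts
{
    public function handle(Request $request, Closure $next)
    {
        // The Origin header is a full origin (scheme://host[:port]), so extract
        // the host before comparing it with the allow-list.
        // $host = $request->getHost();
        $origin = (string) $request->headers->get('origin');
        $host = parse_url($origin, PHP_URL_HOST);

        // config() keeps working when the configuration is cached; env() can return null then.
        $environment = config('app.env');
        if ($environment == 'development') {
            $trustedHosts = array('localhost', 'dev.mydomain.com');
        } else {
            $trustedHosts = array('anotherdomain.com', 'mydomain.com');
        }

        // Strict comparison, so a missing or malformed Origin never matches.
        $isHostTrusted = in_array($host, $trustedHosts, true);
        if (!$isHostTrusted) {
            return response("I'm a teapot", 418); // Or any other code and message that you prefer.
        }

        return $next($request);
    }
}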
And group it in the middleware group that includes the session stuff.
Solution 5
I am working on something like that too, a single sign-on system. Still working to find a solution, but here is a start: http://laravel.io/forum/03-14-2014-multiple-domains-how-to-share-login
In Laravel you can change the /app/config/session.php driver to cookie
Edit:
This is what I have done.
You can share a cookie across domains using pixel images. For example, when you log in on domain1.com you want to create a cookie on domain2.com; right after login on domain1.com you need to have something like this
<img src="http://www.domain2.com/create-cookie?param=hash">
on domain2.com the route above:
- will check first if a user is logged in
- if not logged in, it will read the hash (for example email address), check if there is a user with that email, log them in there, and also set a cookie
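A hardened form of the pixel handoff in Solutions 3 and 5, following the comments' point that a raw session id or plain e-mail in the URL can be edited: Domain A issues a short-lived, HMAC-signed, single-use token and Domain B verifies it before logging the user in. This is an added example, not code from the original answers; the function names, the 60-second lifetime, the in-memory nonce store and the demo key are assumptions.

```php
<?php
// Added example: signed, expiring, single-use login handoff between two domains.
// All names and values below are illustrative assumptions, not Laravel APIs.
function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Domain A: issue a token for the already authenticated user.
function issueHandoffToken(int $userId, string $key, int $ttl = 60): string
{
    $payload = b64url(json_encode([
        'uid'   => $userId,
        'exp'   => time() + $ttl,
        'nonce' => bin2hex(random_bytes(16)),
    ]));
    return $payload . '.' . b64url(hash_hmac('sha256', $payload, $key, true));
}

// Domain B: return the user id, or null if the token is forged, expired or replayed.
function verifyHandoffToken(string $token, string $key, array &$usedNonces): ?int
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, $key, true));
    if (!hash_equals($expected, $mac)) {
        return null; // tampered payload or wrong key
    }
    $data = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($data) || !isset($data['uid'], $data['exp'], $data['nonce'])) {
        return null;
    }
    if ($data['exp'] < time() || isset($usedNonces[$data['nonce']])) {
        return null; // expired or already redeemed
    }
    $usedNonces[$data['nonce']] = true; // a shared cache with a TTL in production
    return (int) $data['uid'];
}

// Constructed demo values.
$key = 'constructed-demo-key-not-a-real-secret';
$used = [];
$token = issueHandoffToken(42, $key);
var_dump(verifyHandoffToken($token, $key, $used));       // first use
var_dump(verifyHandoffToken($token, $key, $used));       // replay
var_dump(verifyHandoffToken($token . 'x', $key, $used)); // tampered
```

On Domain B, log the returned user in and regenerate the session id there instead of adopting an id taken from the URL.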
Luuk Van Dongen
Updated on July 09, 2022
Comments
-
Luuk Van Dongen almost 2 years
I'm building a multi-domain/multi-store ecommerce application in Laravel and would like to keep the user logged in when he or she changes from store to store.
But as far as I know, Laravel's Auth service saves the logged-in user in the session, and the sessions can't be accessed by other domains.
Is there a way (maybe a package) to achieve this, without leaving my application prone to possible security problems?
Thanks in advance!
-
Omer Farooq almost 8 years
I wish it was possible but it's not. If it's the same Laravel installation but with different domains, once you log in to your app from Domain A, you can't send a POST request to itself and start a session.
-
mateos over 7 years
WARNING: Do not send the email over in plain text. This means I could edit the HTML tag and basically log into any account on the other domain. Encrypt the text using your App Key.
-
mateos over 7 years
I found an easier way to do this, check my answer
-
mateos over 6 years
For anyone using this, I'm not certain as to whether this method is secure; it was how Google used to do it, however now they use OAuth
-
bksi over 5 years
For simple things that can be stored in a session, this is a life saver
-
Harry Potts about 5 years
I used this method; the only small change I made was to pass the encrypted session id, instead of the plain id. Like this:
Session::setId(Crypt::decrypt($_GET['id']));
Also, I ran into an issue on IE9 and below. They require the P3P header to be set in order to have the cookie be set correctly for the other domain. So I added this line below the Session::start():
header('P3P: CP="This is not a policy"');
You can read more about P3P headers in this post.
-
DAVID AJAYI about 4 years
Better still, just create a .env variable like (SESSION_DOMAIN=.example.com). Works for me on the same Laravel project.
-
DAVID AJAYI about 4 years
Tested and NOT working. @Chirag answer works though
-
Luke Galea over 3 years
Can a cookie be issued to specific subdomains only? Such as new.example.com and test.example.com only, and not for other subdomains? To access the session from another Laravel project, do I have to implement the User model again? Should I change my driver to Cookie instead of file?
-
mujaffars over 2 years
@HarryPotts Does the session need to be stored in the database for this to work?
-
SaidbakR over 2 years
I have a little problem with this approach. I use multiple dynamic DNS domains, i.e. domain1.freemyip.com, domain2.freemyip.com etc.