Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

Adgower's avatar
Adgower
OP
3 years ago
Level 14

Don't share session between subdomains

I have the following example:

https://api.example.com

https://example.com

https://admin.example.com

To share the session across the domains I set in .env:

SESSION_DOMAIN=.example.com

This works fine, and the authentication stays across the subdomains, but I don't want this. I want the session to be specific to each subdomains so the user will re authenticate per subdomain. If I remove the .env setting SESSION_DOMAIN:

Request failed with status code 419: CSRF Token mismatch.

My setup is laravel breeze --api, and have modified to include BACKEND_URL:

APP_URL=http://api.example.com
FRONTEND_URL=http://example.com
BACKEND_URL=http://admin.example.com
# SESSION_DOMAIN=.example.com
SANCTUM_STATEFUL_DOMAINS=example.com,admin.example.com

Any tips? Eventually my end goal is when user registers they create their own subdomain, and can only authenticate their subdomain, but share api between all tenants.

I watched this video:

https://www.youtube.com/watch?v=RGvzbGwjRFE&t=62s

He states, "If you leave the SESSION_DOMAIN empty/null then will not persist across domains...". If I understood properly.

0 likes
1 reply
Snapey's avatar

You need api routes per subdomain or use some other API authentication approach

Please or to participate in this conversation.