Vinze's avatar

Session only for specific (sub)domains

I'm having multiple applications on the same domain, but some have additional subdomains. Would the following be possible?

session.php of the first application:

'domain' => [
    'website.com',
    'app1.website.com',
    'app2.website.com'
];

session.php of the second application:

'domain' => [
    'app3.website.com'
];

I know it's possible to use '.website.com' but this overwrites the other subdomain cookies.

0 likes
8 replies
jbryan.canas's avatar

It's better to assign 1 subdomain for each application you have instead of combining multiple subdomains on one app.

Vinze's avatar

I understand, but in this case we needed to separate the application. For example, we have office.website.com, which the company employees work with. For the end users we have some additional subdomains like proposals.website.com, service.website.com, tools.websites.com etc.

All these subdomains use the same database and code as the main application and it isn't practical to create separate logins for all these subdomains. The main problem is that we have another application (invoices.website.com) which is a separate application with its own login. This interferes with the sessions from office.website.com.

Vinze's avatar

Sorry for kicking this old thread, but I'm still struggling with this issue. Anyone else having this problem? My clients are really getting annoyed that they need to log in several times a day because the session of the first application overwrites the session of the second application.

The first application has a wildcard session domain of .website.com and the second application has a session domain of app3.website.com. Unfortunately the 'root' session overwrites the subdomain session cookie.

rodrigo.pedra's avatar

One thing you can try is using a different SESSION_COOKIE value for each app.

In app A add this to its .env file:

SESSION_COOKIE=my_app_a

And in app B's .env file:

SESSION_COOKIE=my_app_b

This way the session cookie will be named differently per app and won't conflict with each other.

If you prefer, for whatever reason, not to add this variable to your .env file, you can manually set each app's cookie name in their ./config/session.php file. Search for the 'cookie' key and replace it with a custom cookie name.

Vinze's avatar

I'm already using different cookie names per app. After digging some more in the debugbar of Chrome I noticed that the remember_web_xxx cookies are named the same for both applications. I'm guessing this could cause problems because the second application reads the wrong cookie and can't determine if the user is logged in.

Would it be possible to change the name of the remember me cookie? Something like remember_app1_xxx and remember_app2_xxx ?

https://i.imgur.com/HF7aklP.png

1 like
rodrigo.pedra's avatar

It is hardcoded in the SessionGuard class:

https://github.com/laravel/framework/blob/7.x/src/Illuminate/Auth/SessionGuard.php#L728-L736

The $this->name used to generate the string is the guard name, that is the web in your cookie names.

But does it work without the remember feature?

If so, a quick fix would be renaming the web guard for each app in each app's ./config/auth.php

You would change the 'web' key on the 'guards' element to something else, for example: 'appA' and change the 'guard' key inside the 'defaults' element to the same key, for example:

'defaults' => [
    'guard' => 'appA', // change here
    'passwords' => 'users',
],


'guards' => [
    'appA' => [ // change here
        'driver' => 'session',
        'provider' => 'users',
    ],

    'api' => [
        'driver' => 'token',
        'provider' => 'users',
        'hash' => false,
    ],
],

The downside of doing this is if you are using multiple guards in your app you will have to change every instance of web to appA, for example when using the auth middleware:

// $this->middleware('auth:web');
$this->middleware('auth:appA');

Another thing you can try is extending the SessionGuard to override its getRecallerName method to use a configurable name. See the docs for using a custom guard:

https://laravel.com/docs/6.x/authentication#adding-custom-guards

And finally one other option is to send a PR to the core to allow customizing this cookie name from a config file.
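
The custom-guard option described above, as an added example that is not part of the original thread or Laravel's own code: a `SessionGuard` subclass whose `getRecallerName` returns a per-application name, registered through `Auth::extend`. The class name `NamedRecallerGuard`, the `named-session` driver and the `recaller` config key are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. NamedRecallerGuard, the 'named-session'
// driver and the 'recaller' config key are assumed names.
namespace App\Auth;

use Illuminate\Auth\SessionGuard;

class NamedRecallerGuard extends SessionGuard
{
    protected $recallerName; // per-app remember-me cookie name, or null
    public function setRecallerName(?string $name): self
    {
        $this->recallerName = $name;
        return $this;
    }

    public function getRecallerName()
    {
        // Fall back to the framework's remember_<guard>_<hash> name if unset.
        return $this->recallerName ?: parent::getRecallerName();
    }
}

// Separate file: app/Providers/AuthServiceProvider.php
namespace App\Providers;

use App\Auth\NamedRecallerGuard;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Auth;

class AuthServiceProvider extends ServiceProvider
{
    public function boot()
    {
        $this->registerPolicies();
        // config/auth.php (assumed): 'web' => ['driver' => 'named-session',
        //     'provider' => 'users', 'recaller' => 'remember_app1'],
        Auth::extend('named-session', function ($app, $name, array $config) {
            $guard = new NamedRecallerGuard($name,
                Auth::createUserProvider($config['provider'] ?? null),
                $app['session.store']);
            $guard->setRecallerName($config['recaller'] ?? null);
            $guard->setCookieJar($app['cookie']);       // needed to queue the cookie
            $guard->setDispatcher($app['events']);
            $guard->setRequest($app->refresh('request', $guard, 'setRequest'));
            return $guard;
        });
    }
}
```

Remember-me cookies issued under the old name are no longer read after the change, so affected users sign in once more.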

Vinze's avatar

Thanks! I traced it down to the SessionGuard class and found the code responsible for setting the cookie name. This helped searching for a solution and I found this to create a custom session guard. I just wrote a custom guard and then I saw your suggestion of just changing the web key. This is a lot simpler and I think this might be the way to go.
