
troccoli

Setting SESSION_DOMAIN breaks logging in

I'm trying to share session cookies between subdomains so that once a user is logged in on one of them they are also logged in on all the others.

Initially it seemed to be pretty straightforward:

  • make sure to use database for session storage
  • use the same session cookie name
  • use the same APP_KEY
  • set the SESSION_DOMAIN

It didn't work because Chrome didn't store any cookies, complaining that

This attempt to set a cookie via Set-Cookie header was blocked because its domain attribute was invalid with regards to the current host URL

I tried to find a solution but I couldn't. Some suggested my domain was on the public suffix list (or something like that) which caused Chrome to reject the cookie, but I'm using Herd and my apps are therefore all .test.

To make things easier for people reading this, you can replicate the issue with the following steps:

  • create a brand new Laravel app with laravel new example and choose to add Breeze
  • add a new user
  • go to http://example.test/login and enter the following credentials
  • click on Login and you will be logged in and redirected to the Dashboard.

Now, to test the issue I'm having:

  • logout from the site (if you were still logged in)
  • edit .env and change SESSION_DOMAIN=null to SESSION_DOMAIN=".test"
  • go to http://example.test/login and enter the following credentials
  • click on Login

You will not be redirected to the dashboard. Instead you will still be on the login page.

If you inspect the actual request, both Chrome (129.0.6668.100) and Firefox (131.0.2) have rejected the cookies because of the invalid domain.

I know this may not be a Laravel issue, but I am looking for a solution I can implement in Laravel, which is why I have posted this here.

0 likes
3 replies
LaryAI
Level 58

The issue you're encountering is related to how browsers handle cookies with domain attributes. When you set SESSION_DOMAIN to .test, it implies that the cookie should be valid for all subdomains of .test. However, .test is a top-level domain (TLD) used for testing purposes, and browsers may not allow setting cookies for TLDs directly due to security reasons.

To resolve this issue, you can try the following steps:

  1. Use a Specific Subdomain: Instead of using .test, specify a more precise domain that includes a subdomain. For example, if your application is running on example.test, set SESSION_DOMAIN to .example.test. This will allow cookies to be shared across subdomains like app.example.test or api.example.test.

  2. Update Your .env File: Modify your .env file to reflect the specific subdomain:

    SESSION_DOMAIN=.example.test
    
  3. Clear Configuration Cache: After making changes to your .env file, clear the configuration cache to ensure Laravel picks up the new settings:

    php artisan config:cache
    
  4. Check Your Cookie Settings: Ensure that your config/session.php file has the correct settings for cookies. Specifically, check the domain and secure options:

    'domain' => env('SESSION_DOMAIN', null),
    'secure' => env('SESSION_SECURE_COOKIE', false),
    
  5. Use a Local Development Environment: If you're using a local development environment like Laravel Valet or Homestead, ensure that your local DNS is set up correctly to handle subdomains.

By specifying a more precise domain, you should be able to share session cookies across subdomains without encountering the invalid domain error. If you continue to experience issues, double-check your local DNS setup and ensure that your browser's cookie settings are not overly restrictive.

troccoli
OP
Best Answer
Level 6

Answering my own question, in case someone else will come here to find a solution.

The AI answer pointed me in the right direction. I wrongly assumed that the .test domain automatically assigned by Herd would be fine. It is not. However, changing the domain using the herd tld command is no longer officially supported and may lead to unexpected behavior.

You can instead create a link for your apps and thus specify a new domain, for example herd link app.example.test. This way you can change SESSION_DOMAIN to ".example.test" and that will work.
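As an added example (not code from this thread, from Laravel or from Herd), the following JavaScript models the browser-side check from RFC 6265 section 5.3 that produces both outcomes described above: a Set-Cookie Domain of ".test" is ignored because a bare TLD is a public suffix, while ".example.test" is accepted for example.test and its subdomains. The public-suffix list and the Set-Cookie headers are constructed stand-ins; the real list is far larger, but its "*" fallback rule makes every otherwise unlisted TLD a public suffix, which is what the bare-TLD shortcut below reproduces.

```javascript
// Constructed stand-in for the Public Suffix List (the real one is much larger).
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk", "localhost"]);

// PSL semantics: a listed suffix, or any bare TLD (no dot), is a public suffix.
function isPublicSuffix(domain) {
  return PUBLIC_SUFFIXES.has(domain) || !domain.includes(".");
}

// RFC 6265 section 5.1.3: host domain-matches cookieDomain when they are equal
// or host ends with "." + cookieDomain (so "notexample.test" does not match).
function domainMatches(host, cookieDomain) {
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// Decide whether a browser stores the cookie from setCookieHeader received
// from requestHost. Only the Domain attribute is evaluated here.
function evaluateSetCookie(setCookieHeader, requestHost) {
  const host = requestHost.toLowerCase();
  const attrs = setCookieHeader.split(";").slice(1).map((a) => a.trim());
  const domAttr = attrs.find((a) => a.toLowerCase().startsWith("domain="));
  if (!domAttr || domAttr.length === "domain=".length) {
    // No (or empty) Domain attribute: host-only cookie for the request host.
    return { accepted: true, hostOnly: true, domain: host, reason: "host-only" };
  }
  // Section 5.2.3: a leading dot is dropped and the value is lowercased.
  const cookieDomain = domAttr.slice("domain=".length).replace(/^\./, "").toLowerCase();
  // Section 5.3 step 5: a public-suffix Domain is only tolerated when it is
  // exactly the request host (then treated as host-only); otherwise the
  // cookie is ignored entirely, which is the "invalid domain" rejection.
  if (isPublicSuffix(cookieDomain)) {
    if (cookieDomain !== host) {
      return { accepted: false, hostOnly: false, domain: cookieDomain, reason: "domain is a public suffix" };
    }
    return { accepted: true, hostOnly: true, domain: host, reason: "public suffix equals host; host-only" };
  }
  // Section 5.3 step 6: the request host must domain-match the Domain value.
  if (!domainMatches(host, cookieDomain)) {
    return { accepted: false, hostOnly: false, domain: cookieDomain, reason: "host does not domain-match" };
  }
  return { accepted: true, hostOnly: false, domain: cookieDomain, reason: "domain cookie" };
}

// Constructed headers mirroring the two SESSION_DOMAIN settings from the thread.
const WITH_TLD_DOMAIN = "laravel_session=abc; Path=/; Domain=.test; HttpOnly; SameSite=lax";
const WITH_SITE_DOMAIN = "laravel_session=abc; Path=/; Domain=.example.test; HttpOnly; SameSite=lax";
```

Running evaluateSetCookie on WITH_TLD_DOMAIN from example.test yields accepted: false, while WITH_SITE_DOMAIN is accepted from example.test and app.example.test but not from other.test.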

Snapey

Sounds like Lary deserves best answer! Not that he cares.
