Hi:
In my backoffice pages, there are some streamed responses:
return response()->stream(function () {
I've checked that these requests send the session cookie again (the one defined in config.session.config), and the xsrf-token again ... but with a glitch: the domain is changed!!
Instead of using the domain defined in config.session.domain, it uses the one of the request itself.
My problem is that the config.session.domain I have is .mydomain.com (since I use it for that domain and all subdomains), but my backoffice is in backoffice.mydomain.com.
When some StreamResponse is used, it creates, as I said, the cookies for backoffice.mydomain.com.
Therefore I have four cookies:
- session one for .mydomain.com
- xsrf-token for .mydomain.com
- session one for .backoffice.mydomain.com
- xsrf-token for .backoffice.mydomain.com
And that generates a problem for login actions ... sometimes, users complain that they cannot log in properly (the login page goes back to the login page without logging in successfully), and it works again when I ask them to delete the session cookie for .backoffice.mydomain.com.
So, it's as if having two session cookies, for domain.com and sub.domain.com, causes problems.
So:
- How can I fix this?
- Why is StreamResponse sending cookies with the request domain and not with the session cookie domain?
- How can I prevent this in a middleware?
I tried this but it's not working:
if ($response instanceof \Symfony\Component\HttpFoundation\StreamedResponse) {
    \Config::set('session.driver', 'array');
    \Config::set('cookie.driver', 'array');
}
Thank you !
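One way to approach the middleware question above, as an added example that is not part of the original post and not Laravel's own code: rewrite the Domain attribute of every cookie attached to a StreamedResponse so it matches config('session.domain'). The class name NormalizeStreamedCookieDomain is hypothetical, and the example assumes the cookies are already in the response's header bag when this middleware sees the response.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpFoundation\StreamedResponse;

// Hypothetical middleware (added example): force one cookie domain on streamed responses.
class NormalizeStreamedCookieDomain
{
    public function handle(Request $request, Closure $next)
    {
        $response = $next($request);

        // Only streamed responses are affected in the scenario described above.
        if (! $response instanceof StreamedResponse) {
            return $response;
        }

        $domain = config('session.domain'); // e.g. ".mydomain.com"
        if (empty($domain)) {
            return $response; // nothing to enforce
        }

        foreach ($response->headers->getCookies() as $cookie) {
            if ($cookie->getDomain() === $domain) {
                continue; // already scoped to the configured domain
            }

            // Drop the cookie scoped to the request host (or with no domain)...
            $response->headers->removeCookie(
                $cookie->getName(), $cookie->getPath(), $cookie->getDomain()
            );

            // ...and re-add it unchanged except for the Domain attribute.
            $response->headers->setCookie(new Cookie(
                $cookie->getName(), $cookie->getValue(), $cookie->getExpiresTime(),
                $cookie->getPath(), $domain, $cookie->isSecure(),
                $cookie->isHttpOnly(), $cookie->isRaw(), $cookie->getSameSite()
            ));
        }

        return $response;
    }
}
```

List it ahead of StartSession in the web middleware group so that it handles the response after the session and XSRF cookies have been attached. Cookies already stored in browsers for the host-specific domain remain until they expire or are cleared.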