
deekepMaks's avatar

User authorization disappears

I changed the cookie domain to .site.com (a necessity I can't refuse). Now, for some reason, authorization may be lost when the session time expires. Why is this happening? I use Redis to store sessions. Before changing the cookie domain everything was fine.

Snapey's avatar

"authorization may be lost when the session time expires"

Yes. Why did you expect anything else?

deekepMaks's avatar

@Snapey I have remember=true set and there is a remember_web_* cookie, with which authorization should remain even after the expiration of the main site_session cookie, but for some reason this does not always happen. The problem started only after changing the cookie domain from site.com to .site.com (I need cookies on any subdomain, so there was a need to change the storage domain).

Snapey's avatar

When you say "cookie domain", do you mean SESSION_DOMAIN in .env?

Snapey's avatar

@deekepMaks Is it safe to assume that all subdomains have the same app.key?

Are these subdomains running off the same instance?

deekepMaks's avatar

@Snapey Subdomains are not related to the problem. I have domain A, it has a subdomain B.

The main site is on domain A. On subdomain B there is a socket.io application; when connected, socket.io takes all the cookies belonging to the site. I use these cookies to authorize a user in the socket.io application (I use an API request to manually decrypt cookies, search for a session and get the user ID).

The loss of authorization occurs specifically on the main site on domain A. The loss occurs at completely different moments, so I cannot track the problem. I can manually delete the main site.com cookie, but after reloading the page, the remember_web cookie logs me back into my account. However, for some reason this does not always happen. I can open the site tomorrow and I will not have authorization (the remember_web cookie is set until 2024).

This does not happen to every user. This started specifically after changing SESSION_DOMAIN.

Snapey's avatar

@deekepMaks It's relevant if the cookie is being encrypted by a specific subdomain. Only that subdomain will be able to decode the remember cookie.

deekepMaks's avatar

@Snapey But I wrote: only domain A encrypts cookies. Subdomain B receives the encrypted cookie and sends it via the API to domain A, from where it then receives a response with the decrypted information.

deekepMaks's avatar

@Snapey If the domain is site.com, then when connecting socket.io from the ws.site.com domain, site.com website cookies will not be taken, since they do not belong to subdomains.

In order for cookies to be accessible from the ws.site.com subdomain, you must install them either on ws.site.com (not suitable) or on .site.com (so cookies will be accessible from any subdomain).
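
Added example (not part of the thread, and not Laravel's or any poster's code): a sketch of the RFC 6265 domain-matching rules behind the last post, comparing which hosts receive a cookie that site.com sets with no Domain attribute against one set with Domain=.site.com. The hosts blog.site.com and notsite.com are hypothetical and were added for illustration.

```javascript
// RFC 6265 cookie scoping: host-only cookie vs. cookie with a Domain attribute.
// site.com, ws.site.com and site_session come from the thread; the other hosts are hypothetical.

// Section 5.1.3: does the request host domain-match the cookie domain?
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  // IP addresses only ever match exactly, never as a suffix.
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':');
  return !isIp && host.endsWith('.' + cookieDomain);
}

// Section 5.3: scope a cookie received from responseHost.
// domainAttr is the Domain attribute of Set-Cookie, or null when it is absent.
function storeCookie(name, responseHost, domainAttr) {
  if (!domainAttr) {
    // No Domain attribute: host-only cookie, exact host match required.
    return { name, domain: responseHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, '').toLowerCase(); // leading dot is ignored (5.2.3)
  // A host may only set a cookie for a domain it matches itself.
  if (!domainMatch(responseHost, domain)) return null;
  return { name, domain, hostOnly: false };
}

// Section 5.4: is this stored cookie attached to a request for requestHost?
function isSentTo(cookie, requestHost) {
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatch(requestHost, cookie.domain);
}

// Hosts from the list that would receive the cookie.
function recipients(cookie, hosts) {
  return hosts.filter((h) => isSentTo(cookie, h));
}

const hosts = ['site.com', 'ws.site.com', 'blog.site.com', 'notsite.com'];
const hostOnly = storeCookie('site_session', 'site.com', null);
const wide = storeCookie('site_session', 'site.com', '.site.com');
console.log('no Domain attribute ->', recipients(hostOnly, hosts));
console.log('Domain=.site.com    ->', recipients(wide, hosts));
```

With the Domain attribute set, every subdomain receives the session and remember cookies, so each host under site.com becomes part of the trust boundary for those credentials.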
