up.. :(
Different Login between Domain and Subdomain
Hello, is it possible to set up two different Laravel projects on the same domain and same server but with different authentication?
One is on maindomain.com and one is on 'sub.maindomain.com'.
I've been trying to set up config/session, config/auth and config/database with different drivers/configurations, but I still get TokenMismatchException so many times and still no luck:
'lifetime' => 120,
'expire_on_close' => false,
'driver' => env('SESSION_DRIVER', 'file'), // i also tried setting it to database, redis, file, cookie,
'domain' => env('SESSION_DOMAIN', null), // i tried setting it to null, '.maindomain.com', 'sub.maindomain.com',
'cookie' => 'maindomain_session', // for my subdomain, i set it to 'sub.maindomain.com'
I've tried different settings for my two projects, but I keep on getting TokenMismatchException for my subdomain.
I don't know if I set it up correctly though.
PS: I did the prerequisites for redis and database.
I believe the trick will be to set a different domain in your session settings for each domain used. That variable should be set to whatever domain is currently in use (so it should be a dynamic variable, rather than only having one value).
Using .maindomain.com alone will attempt to share cookies for all subdomains, but it sounds like you want a separate cookie per subdomain.
Hi,
I am also going to try a similar setup: one app for the front-end on the main domain and Admin on a sub-domain. Curious about your situation.
I was under the impression that changing the cookie name should do the trick (whole point of separating the app into two). Haven't tried it myself though.
Main domain app 'session.php'
'cookie' => 'frontend_session',
Sub domain app 'session.php'
'cookie' => 'admin_session',
Let us know how you solved this problem.
For one, sessions with null as the domain are considered wildcard sessions, meaning that they work across the entire domain and all subdomains. So this will need to be changed to admin.examplesite.com and examplesite.com (no dot in the front); this should separate the sessions. Changing the cookie name should be enough to separate the login's remember functions. So in the end your session files will look something like this:
'lifetime' => 120,
'expire_on_close' => false,
'driver' => env('SESSION_DRIVER', 'file'),
'domain' => env('SESSION_DOMAIN', 'maindomain.com'),
'cookie' => 'maindomain_session',
and
'lifetime' => 120,
'expire_on_close' => false,
'driver' => env('SESSION_DRIVER', 'file'),
'domain' => env('SESSION_DOMAIN', 'sub.maindomain.com'),
'cookie' => 'subdomain_session',
This setup has worked for me in the past. However, browsers change all the time and no two browsers are alike. As such, some browsers can behave weirdly with these kinds of things.
@tankerkiller125 : Regarding the NULL domain in sessions.php, my tests lead me to conclude something different from what you said, i.e.
"sessions with null as the domain are considered wildcard sessions"
For me, setting it to NULL allows me to have different sessions/cookies for different domains. I hope my understanding is correct.
For reference, I'm using 5.3
My system hosts file contains the following:
127.0.0.1 test.com
127.0.0.1 sub.test.com
My config/session.php contains the following
'domain' => env('SESSION_DOMAIN', null),
'SESSION_DOMAIN' is not set in .env
This effectively means that domain = NULL in sessions.php
I set up subdomain routing groups in routes/web.php
Route::group(['domain' => 'test.com'], function () {
    Route::get('/', function () {
        return view('welcome');
    });
    Auth::routes();
    Route::get('/home', 'HomeController@index');
});
Route::group(['domain' => 'sub.test.com'], function () {
    Route::get('/', function () {
        return view('welcome');
    });
    Auth::routes();
    Route::get('/home', 'HomeController@index');
});
What happens is I can log in separately on test.com and sub.test.com, i.e. the sessions/cookies are separate.
I can log in/log out individually and not impact each session based on domain.
This is good for my situation and want it to work like this. I want to have different front-ends for different types of users based on domain with their own logins/guards.
However, I read your comment and want to make sure I am not missing some security implication or something weird is happening in my case.
To test you can simply do the following:
- do a laravel new test
- add the entries in hosts file for the two domains/subdomains.
- add the subdomain groups in routes/web.php
- visit each domain in your browser after php artisan serve
- login/logout in each domain
You will see what I am referring to.
Based on what I read, if one wants shared cookies/sessions, one must set the domain value to .mydomain.com with the leading dot so it serves as a wildcard.
Thanks guys for the replies, @tankerkiller125 and @fideloper. I already tried your solutions and nothing happened; it seems like a bug in Laravel 5.0.35, which led me to upgrade the subdomain's Laravel version to a newer one (5.1). @Laraveldeep, if you haven't solved your problem yet, try upgrading your project's Laravel version, it might work for you as well.
@denpun It appears that they may have changed the way this works. I always remembered it as being a wildcard default; however, it appears that they now use the URL that you're accessing the page from as the domain. If it works the way you want it to, then to my knowledge there is no security concern.
Oh boy. I need to make the wildcard work. And I can't. If I set the .domain.com (in my case .localhost) I get an EncryptCookies exception if I try to log in using some subdomain.
How to make the wildcard session work on 5.3?
Thank you!
@tankerkiller125 Thanks. Have been using it in testing for the last month. No major concerns seen.
@neeonline Hmm. Not too sure about that. Never used multiple subdomains for a single app the way you want to. I will test later this evening and see if I can figure it out.
Hi,
Any update on this? I am also facing a similar issue from last week onwards. In my case, I have 3 different apps running on the same domain (wildcard entry enabled), which are hosted on 3 different instances and pointed to by an ELB in AWS:
- sample.com (laravel v5.4)
- sample.com/app1 (laravel v5.4)
- sample.com/app2 (laravel v5.5)
When I am accessing sample.com and sample.com/app1 there is no issue, but when I am accessing app1 and app2 with the same browser in different tabs I get the issue below:
(1/1) ErrorException unserialize(): Error at offset 0 of 40 bytes
in Encrypter.php (line 138)
at HandleExceptions->handleError(8, 'unserialize(): Error at offset 0 of 40 bytes', '/var/www/html/app1/vendor/laravel/framework/src/Illuminate/Encryption/Encrypter.php', 138, array('payload' => array('iv' => 'sve1uXIwnDLe+1dIlh4vgQ==', 'value' => 'Yf/IKR3NGpJYYHNBPySho9FDn8O8t3ntJ+C6GpCLnct1nJinCRuEW9Q4yVX66SIM', 'mac' => 'e8a1c3ab907a520e4d91cd134deafcc19dec907c05e20be308b2df73598ff043'), 'unserialize' => true, 'iv' => '����r0�2�WH�/�', 'decrypted' => 'fqnxIdbVW9dEdmbdvZXQSfjYjXKcCHqFhBWs8cKp'))
at unserialize('fqnxIdbVW9dEdmbdvZXQSfjYjXKcCHqFhBWs8cKp') in Encrypter.php (line 138)
at Encrypter->decrypt(array('iv' => 'sve1uXIwnDLe+1dIlh4vgQ==', 'value' => 'Yf/IKR3NGpJYYHNBPySho9FDn8O8t3ntJ+C6GpCLnct1nJinCRuEW9Q4yVX66SIM', 'mac' => 'e8a1c3ab907a520e4d91cd134deafcc19dec907c05e20be308b2df73598ff043')) in EncryptCookies.php (line 95)
at EncryptCookies->decryptCookie('eyJpdiI6InN2ZTF1WEl3bkRMZSsxZElsaDR2Z1E9PSIsInZhbHVlIjoiWWZcL0lLUjNOR3BKWVlITkJQeVNobzlGRG44Tzh0M250SitDNkdwQ0xuY3QxbkppbkNSdUVXOVE0eVZYNjZTSU0iLCJtYWMiOiJlOGExYzNhYjkwN2E1MjBlNGQ5MWNkMTM0ZGVhZmNjMTlkZWM5MDdjMDVlMjBiZTMwOGIyZGY3MzU5OGZmMDQzIn0=') in EncryptCookies.php (line 76)
at EncryptCookies->decrypt(object(Request)) in EncryptCookies.php (line 59)
Could you help with this, if anyone has faced a similar issue?
Hi Guys,
I got a solution for the above issue. You can simply change the session path from root to the respective sub-app name,
in config/session.php at line 141:
'path' => '/'
change to
'path' => '/app1/'
You can apply the same changes for app2 also (in the 2nd instance).
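Added example, not part of any post in this thread: a small model of the RFC 6265 domain-match and path-match rules, run against the 'domain' and 'path' values discussed above, to show which app's session cookie a browser attaches to which request. The jars are constructed, the `app` and `setBy` fields are hypothetical names for this sketch, and `laravel_session` is assumed as the unchanged cookie name for app1/app2.

```javascript
// Added illustration, not from the thread: which cookies a browser attaches to
// a request under the RFC 6265 domain-match and path-match rules.

// No Domain attribute => "host-only" cookie, exact host match only.
// With a Domain attribute the leading dot is ignored and subdomains match too.
function domainMatches(cookie, host) {
  if (cookie.domain === null) return host === cookie.setBy;
  const d = cookie.domain.replace(/^\./, '').toLowerCase();
  return host === d || host.endsWith('.' + d);
}

// RFC 6265 section 5.1.4: match on whole path segments, not raw prefixes.
function pathMatches(cookiePath, reqPath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/';
}

// "app:cookie" labels for every cookie in `jar` sent to host + path.
function cookiesSent(jar, host, path) {
  return jar
    .filter(c => domainMatches(c, host) && pathMatches(c.path, path))
    .map(c => `${c.app}:${c.name}`)
    .sort();
}

// Constructed jars. `app` and `setBy` (the host whose response set the cookie)
// are hypothetical field names used only by this sketch.
const hostOnly = [ // 'domain' => null in both apps
  { app: 'main', name: 'frontend_session', domain: null, setBy: 'maindomain.com', path: '/' },
  { app: 'sub', name: 'admin_session', domain: null, setBy: 'sub.maindomain.com', path: '/' },
];
const explicit = [ // 'domain' => 'maindomain.com' and 'sub.maindomain.com'
  { app: 'main', name: 'maindomain_session', domain: 'maindomain.com', setBy: 'maindomain.com', path: '/' },
  { app: 'sub', name: 'subdomain_session', domain: 'sub.maindomain.com', setBy: 'sub.maindomain.com', path: '/' },
];
const byPath = [ // same host, 'path' => '/app1/' and '/app2/'
  { app: 'app1', name: 'laravel_session', domain: null, setBy: 'sample.com', path: '/app1/' },
  { app: 'app2', name: 'laravel_session', domain: null, setBy: 'sample.com', path: '/app2/' },
];

console.log(cookiesSent(hostOnly, 'sub.maindomain.com', '/'));
console.log(cookiesSent(explicit, 'sub.maindomain.com', '/'));
console.log(cookiesSent(byPath, 'sample.com', '/app1/home'));
```

Under these rules an explicit 'maindomain.com' domain still delivers the main app's session cookie to sub.maindomain.com, so only the null (host-only) setting keeps it away from the subdomain app.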