Two sites on the same server keeps logging users out

Are you sure these are two separate sites altogether, two completely different installations. Otherwise what you describe will happen.

See this also http://tutorialedge.net/running-multiple-laravel-5-sites-on-server

@QuckBen What session driver are you using? File, database, other?

The sites are setup in separate folders inside Laragon's www folder: site1, site2. They are then accessed by going to http://servername/site1 or /site2.

When I set them up I created a new project inside Laragon (fresh composer install for each site) and then copied the files that I needed across. I then changed the session cookie, cache prefix and application key so that everything was unique. I saw that article and am already using the suggestions in it.

@martinbean I'm using the file session driver. The files are getting created without any issues, but one weird issue I noticed was sometimes it would update the session file for both sites at the same time when I was only using the one site.

If they are set up that way the sessions should not be interfering with each other. Try to set up something in a session some variable and then try to retrieve it in the other site, you shouldn't be able to. That is if you using file session. As these are two separate folders.

What is the laragon site, I haven't used laragon.

Found it, did you set up separate virtual host for these sites?

No I haven't set up virtual hosts for either of them. The server itself was already setup like that previously and the client didn't want to change the URLs, so you access the sites by going to servername/site1/public or servername/site2/public.

I just added a site variable to the session for site1 and it showed up when outputting Session::all() for site1 but not site2 as expected.

@QuckBen I think the problem is that you have your sites in subfolders of same domain. Laravel keeps 'remember' token in cookie set for domain, so your sites override that token each time users logs in. For example:

1. user logs in at http://servername/site1. Laravel sets remember cookie for servername
2. user logs in at http://servername/site2. Since domain is the same (servername) Laravel overrides remember cookie
3. session on first site expires and Laravel tries to look up a user with remember cookie, but since it was overriden at step 2... user is not logged in back automatically.

It is clearly bug in Laravel authentication method, since remember token name is generated based on guard class but don't use application key.

In vendor/laravel/framework/src/Illuminate/Auth/Guard.php there is a function

    public function getRecallerName()
    {
        return 'remember_'.md5(get_class($this));
    }

If you'll change it to

    public function getRecallerName()
    {
        return 'remember_'.md5(get_class($this).config('app.key'));
    }

it should keep your users logged in.

I will fire issue for laravel at github

I would think renaming the cookie laravel saves to keep track of the session could fix the problem. You can do that in config/session.php, line 112:

'cookie' => 'laravel_site_1',

@Korken No, it will not fix THIS problem alone, but it should be changed as well, yes.

Frankly, it needs to be hashed with application key as well by framework itself.

But generally, Laravel is not recommended to be installed into subfolder.

@kerby whilst tagging the app_id on seems like a good idea, I'm just curious why changing cookie name wont fix the issue?

tbh I never took much notice of session.php but I also notice you can set the path, which might also be appropriate in this case:

    /*
    |--------------------------------------------------------------------------
    | Session Cookie Path
    |--------------------------------------------------------------------------
    |
    | The session cookie path determines the path for which the cookie will
    | be regarded as available. Typically, this will be the root path of
    | your application but you are free to change this when necessary.
    |
    */

    'path' => '/',

edit: note to self - check which path that actually is

tbh I never took much notice of session.php but I also notice you can set the path, which might also be appropriate in this case:

@londoh thb, I never took much notice of session.php myself :) and yes, setting path to /site1 for http://servername/site1 and /site2 for http://servername/site2 would solve the problem.

As for your question why cookie name would not solve the initial problem: that's a name of a cookie which stores session id, but problem in cookie which stores token for remembering.

I just had a quick look (not under same case as @QuckBen ) but I dont think path would help... its app root root, not server so prob just mess things up more!

@londoh Well, it SHOULD help, actually. If first app is http://servername/site1 and path is set to /site1 and second is http://servername/site2 and path is set to /site2

If if won't help... well, still there is an my initial proposal and change of cookie variable

Thanks for your suggestions guys, I'll make those changes and see what happens. The session cookies are already unique and they're stored in folders under their respective sites.

@kerby I don't think this is the issue but I'll make the change you suggested anyway. One of the first ideas I had was that it wasn't actually random but you were simply getting logged out when one of the sessions expired, so I bumped up the session expiry time so there wouldn't be a conflict but it happens anyway. A couple of times I've only logged in to the one site and it has logged me out.

One thing I've also noticed is that when I get logged out of one site, I don't get logged out of the other which makes me think it's not actually a problem with the configuration of the sites but something in Laravel itself.

A couple of times I've only logged in to the one site and it has logged me out.

That's strange indeed. You should check if your 'remember' token is created at all. In chrome devtools http://dl1.joxi.net/drive/0007/0487/492007/151116/db7b58bd7f.jpg

Generally, try to set expiration time to, say, one minute and check behavior. If you would not say about that logging out with only one site... I would say that you should stay logged in at first site as long as you're not logged in at second site. And then, after you log in at second site and a minute passed, you should be logged out at first site, but still stay logged in at second.

Would the remember token be an issue if you're not ticking remember me?

I thought I'd fixed the issue, I hadn't changed the app name and it hadn't logged me out after I'd changed it but I just had the client say its still happening. Are there any bugs or anything in Laravel that could be doing this? I can't work out what it could be. We didn't have any issues on the test system, but I had that set up on two separate vms. The only thing I could think that it could be is an issue with the sessions, but it doesn't look like that either. This has me stumped.

@kerby Sorry I took so long getting back to you, I've been away.

So, I've ticked "remember me" and the remember me token is created. One thing I noticed, if you log in on both sites there is only one XSRF-TOKEN session file created and in the session expiry field for each session it just says "Session". The remember me and XSRF tokens each have a date for the expiry. A good example of the problem came up this morning, I hadn't used the system for a few days and I logged on and clicked a menu link, it then logged me out and redirected to the login page. In a previous thread someone mentioned that there was a bug in Laravel that did this but I couldn't find any information about it.

I've had the same problem on my server. @korken suggestion to check config/session.php helped me in this.

in Laravel 6.x you just have to change default env property

APP_NAME=LARAVEL

to your site name solved the problem.