Laravel session - don't want to share domain and sub domain session

Question

I've 1 domain and created 1 sub domain from main domian says www.example.com and dev.example.com. www.example.com is production domain and dev.example.com is development environment.

I've then clone 2 projects from a same repo but put them in different folder. In www.example.com folder .env file, i've set the domain session to example.com. It means in browser when i access from www.example.com or example.com it will be able to share the domain. In dev.example.com, the session_domain i've set is dev.example.com.

Now the problem i've faced is, when i visit www.example.com it will generates a laravel_session domain name of .example.com. with the dot infront it seems like it can be share to sub domain. When i visit to dev.example.com and login with facebook, it seems like it will looks for the .example.com domain session instead of the session created in dev.example.com.

if i delete the laravel_session in www.example.com im able to login with facebook in my dev.example.com or i clear all the cookies/sessions and i'm also able to login with facebook in my dev.example.com.

What i need to do to not make it share the session in sub domian ? And if i put not to share, can the domain be shared when user key in example.com and www.example.com in their browser?

And when it hit invalidstateException when login with facebook, it can be solved by clear all cookie/session. But i think it's not right to ask user to clear cookie browser by themselves. Is there any solution for this?

Answer 1

You just need to use a differently named session cookie in dev.example.com.

if ( $_SERVER['HTTP_HOST'] === 'dev.example.com' )
{
    //The default session name is PHPSESSID,
    //so if we use a different one, they don't collide.
    session_name('DEVSESSIONID');
}
session_start();