Laravel, 2 projects in 2 domains same session

Question

I'm creating 2 projects in 2 diferent domains domain1.tld and domain2.tld.

The domain1.tld is the main event producer page and the domain2.tld is one of its events. I want to share the same sessions (they actually share the same database and the same apache server). I tried to change the session driver to "database" and create a session table, but nothing happens, if i'm log in domain1.tld nothing happens in domain2.tld.

I really have searched in the net but i have found nothing

Answer 1

Step 1: Set Session Driver for Shared Session Data

First, set your session driver to a database or cache that is shared across both domains. Your session driver cannot be file

Step 2: Implement Cross-Domain Session IDs

Session ids are passed around by cookies in Laravel. Since your websites are on different domains the session cookie does not transfer over. One way to solve this is to append them to the query string of all your requests like so: domain2.tld/?session_token=abcds2342

Within your code there must be some login that detects a session and then query the database/cache (your session driver) for a result. If a result is found, you set the session ID manually and start the session:

session_id('abcds2342');
session_start();

Be careful to check both the IP address and the session ID to prevent people from guessing someone elses SessionID and thus logging in as another person

Step 2A: To do this you can implement a custom middleware that overrides StartSession. This middleware should override getSession and before it checks for session_id in cookie, check if we have a token present in the Request. Sample code below:

<?php

namespace App\Http\Middleware;

use Illuminate\Session\Middleware\StartSession;
use Illuminate\Http\Request;

use App\SessionShare;

use Closure;

class StartSessionWithSharer extends StartSession
{

    /**
     * Get the session implementation from the manager.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return \Illuminate\Session\SessionInterface
     */
    public function getSession(Request $request)
    {
        $session = $this->manager->driver();

        /**
         * Check if we can find a valid session token from saved records
         */

            if($request->get('session_token') && !empty($request->get('session_token'))) {
                $sessionShare = SessionShare::valid()->whereToken($request->get('session_token'))->first();

                if($sessionShare)
                    $session_id = $sessionShare->session_id;
            }

        /**
         * Fallback to session in browser
         */

            if(!isset($session_id) || !$session_id)
                $session_id = $request->cookies->get($session->getName());

        $session->setId($session_id);

        return $session;
    }
}

Step 2B: Then create a custom service provider to override SessionServiceProvider like so:

<?php namespace App\Providers;


class CustomSessionServiceProvider extends \Illuminate\Session\SessionServiceProvider
{
    /**
     * Register the service provider.
     *
     * @return void
     */
    public function register()
    {
        $this->registerSessionManager();

        $this->registerSessionDriver();

        $this->app->singleton('App\Http\Middleware\StartSessionWithSharer');
    }
}

And then remove the old SessionServiceProvider from config/app.php and instead use above.

Step 2C: Then create your App\SessionShare model for the table to store session IDs. Also, the above code doesn't take care of checking IP address so you would have to add that in to make it secure and prevent brute force attacks

Step 2D: Oh and finally don't forget to append the get parameter for session_token for all your requests

Note that the above implementation is for a database session driver. Of course, you can do this for a cache driver too. The only thing that would change is the model implementation (step 2C) to validate the session

Answer 2

you can't do this in your way...

when you set session, a cookie set in browser for track stored session in server side.

if you want to share session between two domain you should share cookie between to site bot you can not do it (you can do it just in sub domains of ONE domain)

but there is a little hack : The easiest work-around is to pass login/credential information from website A to website B and have website B set a seperate cookie. For example, after logging into website A you could have them quickly redirected to website B with an encrypted querystring. Website B could then read the information, set its own cookie, and redirect the user back to site A.

It's messy but possible.