user7756579

Reputation: 93

Passport authentication in Sails is not working across subdomains when using vhost

I have a Sails application and the authentication using passport works just fine when it is a single-domain app (steps as in the Passport docs). I am now trying to convert the app to using subdomains (foo.example.com, bar.example.com), all of which point to the same Sails server. The session works only for the same subdomain; for example, if the user logs in from foo.example.com, then the user is able to access pages under the same subdomain, but not under bar.example.com. req.isAuthenticated() is returning false when redirecting to a subdomain different from the one that was authenticated.

How can I ensure the authentication is across the sub-domains? Any help is much appreciated.

I am using [email protected]/[email protected].

Upvotes: 1

Views: 729

Answers (1)

Glen

Reputation: 1178

Out of the box, Sails uses express-session for session middleware, allowing apps to support all the same functionality available within the express-session package.

To facilitate sharing the same session across multiple subdomains (foo.example.com, bar.example.com), two options need to be configured in the config/session.js file of your Sails app.

module.exports.session = {
  cookie: {
    // Domain attribute of the Set-Cookie header; the leading dot covers all subdomains
    domain: '.example.com',
    // false omits the SameSite attribute entirely
    sameSite: false
  }
};
  1. cookie.domain: This specifies the value for the Domain Set-Cookie attribute. By default, no domain is set, and most clients will consider the cookie to apply to only the current domain.
  2. cookie.sameSite: Specifies the boolean or string to be the value for the SameSite Set-Cookie attribute.
    • true will set the SameSite attribute to Strict for strict same site enforcement.
    • false will not set the SameSite attribute.

It is worth noting that cookie.sameSite is an attribute that has not yet been fully standardized, and may change in the future. This also means many clients may ignore this attribute until they understand it.

It is most likely for this reason it is not included in the Sails documentation here. A more complete list of available options for express-session can be found here.

Another way to manage sessions across multiple subdomains can be found in this stackoverflow question.

Upvotes: 2
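To see why the answer's cookie.domain setting matters, here is an added example (not code from the question, the answer, Sails or express-session) that models RFC 6265 cookie domain matching: a session cookie issued on foo.example.com without a Domain attribute is host-only and never reaches bar.example.com, while one carrying Domain=.example.com is sent to every host under example.com. The Set-Cookie header values are constructed; only the cookie name sails.sid (Sails' default) is taken from real defaults.

```javascript
// Parse one Set-Cookie header into name/value plus the attributes this example cares about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), domain: null, sameSite: null };
  for (const attr of attrs) {
    const [key, val = ''] = attr.split('=');
    const k = key.toLowerCase();
    // RFC 6265 section 5.2.3: a leading dot on the Domain attribute is ignored.
    if (k === 'domain' && val) cookie.domain = val.toLowerCase().replace(/^\./, '');
    if (k === 'samesite') cookie.sameSite = val;
  }
  return cookie;
}

// RFC 6265 section 5.1.3: host domain-matches domain when equal or when host ends with "." + domain.
function domainMatches(host, domain) {
  const h = host.toLowerCase();
  return h === domain || h.endsWith('.' + domain);
}

// Would a browser attach this cookie to a request for requestHost?
// No Domain attribute => host-only cookie, returned only to the exact host that set it.
// With Domain => returned to every host that domain-matches it.
function cookieSentTo(cookie, originHost, requestHost) {
  if (cookie.domain === null) return requestHost.toLowerCase() === originHost.toLowerCase();
  return domainMatches(requestHost, cookie.domain);
}

// For each host, report whether the session cookie (and so the login) is visible there.
function sessionVisibility(setCookieHeader, originHost, hosts) {
  const cookie = parseSetCookie(setCookieHeader);
  return Object.fromEntries(hosts.map((h) => [h, cookieSentTo(cookie, originHost, h)]));
}

// Constructed headers: the default Sails session cookie, without and with the Domain attribute.
const HOST_ONLY = 'sails.sid=s%3Aabc.sig; Path=/; HttpOnly';
const SHARED = 'sails.sid=s%3Aabc.sig; Path=/; HttpOnly; Domain=.example.com';
const HOSTS = ['foo.example.com', 'bar.example.com', 'example.com', 'evil-example.com'];

console.log(sessionVisibility(HOST_ONLY, 'foo.example.com', HOSTS));
console.log(sessionVisibility(SHARED, 'foo.example.com', HOSTS));
```

Note that once Domain is set, example.com itself and every subdomain under it receive the session cookie, so each of those hosts must be trusted with the user's session; evil-example.com does not domain-match and never sees it.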
