I have the following 4 sub-domains for my project:
www.mysite.com - public site, published pages etc.
my.mysite.com - normal users log in to this domain to create pages and other stuff
company.mysite.com - Company hasMany Employees that log in to this sub-domain to manage their pages and other stuff
admin.mysite.com - Admins of the site log in here to manage everything
--
Typically, I want to keep all 4 sub-domains separate. So a user logged in to my. should not be able to view company. unless they log in there as well. I have managed to do this by creating the following middlewares:
auth:my
auth:company
auth:admin
Using the above I have different login views/routes etc. for the different types of users working correctly.
--
I needed a way to share sessions across the subdomains because when a user creates a Page on the my., they can publish it and it shows on the public www. (www.mysite.com/my-page)
What I needed is that when the User who owns the Page and is logged in to my. visits their own page on the www. sub-domain, an Edit button shows.
I managed to do this by sharing sessions across my subdomains by making the following change:
config/session.php
domain => env('SESSION_DOMAIN', '.mysite.com')
--
However, this messes up the logins for company. and admin., because when a User logs in to my., the session is shared across the sub-domains.
How do I share the sessions across the sub-domains but group them so something like:
domain => [
['www.mysite.com', 'my.mysite.com'],
['www.mysite.com', 'company.mysite.com'],
['www.mysite.com', 'admin.mysite.com'],
]
The sessions are shared because it's essentially the same application and you're presumably using driver = file or database.
To fix this, you can have multiple session tables per sub-domain.
Change your config/session.php file and make sure you're using database driver.
Create multiple copies of the sessions table, calling them company_sessions, admin_sessions etc.
Update your code (i.e. config/session.php file) so that the sessions table is based on the subdomain. E.g. create an if-else statement looking for the $_SERVER['HTTP_HOST'] and check it's a particular subdomain.
if ( $_SERVER['HTTP_HOST'] == 'admin.mysite.com' ) {
$config['table'] = 'admin_sessions';
}
The layout of your config/session.php may need to be changed to accommodate overriding the table and returning the correct value.
See if it works!
There are other ways you can achieve this, but this may be the simplest.
It may not work as you're trying to share sessions and don't want all sessions to be shared at the same time. You may have to compromise on the functionality and just stick with shared sessions.
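One way to put the answer's host-to-table idea into a config/session.php, written here as an added example (not the answerer's code or Laravel's stock file). The host names and table names are assumed from the question; the allowlist lookup is the part that matters, because HTTP_HOST is supplied by the client and must never be used directly to build a table name. www. is mapped to the same table and cookie as my. so the Edit-button case from the question works; the three-way grouping the question asks for cannot be expressed this way, which is the compromise the answer mentions.

```php
<?php
// Added example: config/session.php that selects the session table from the
// request host. Hosts and table names are assumptions taken from the question.

$sessionTables = [
    'www.mysite.com'     => 'sessions',          // public site shares the my. session
    'my.mysite.com'      => 'sessions',          // normal users
    'company.mysite.com' => 'company_sessions',  // company employees
    'admin.mysite.com'   => 'admin_sessions',    // site admins
];

// Normalise the client-supplied host (lower-case, drop any :port) and only
// accept values from the allowlist; anything else falls back to the default.
$host  = strtolower(explode(':', $_SERVER['HTTP_HOST'] ?? '')[0]);
$table = $sessionTables[$host] ?? 'sessions';

// One cookie name per table. The cookie domain below is shared across all
// subdomains, so distinct names keep an admin. cookie from being read as a
// my. session and vice versa.
$cookieName = $table . '_cookie';

return [
    'driver'    => env('SESSION_DRIVER', 'database'),
    'lifetime'  => env('SESSION_LIFETIME', 120),
    'table'     => $table,
    'cookie'    => env('SESSION_COOKIE', $cookieName),
    'domain'    => env('SESSION_DOMAIN', '.mysite.com'),
    'secure'    => env('SESSION_SECURE_COOKIE', true),
    'http_only' => true,
    'same_site' => 'lax',
    // the remaining keys stay as in the stock Laravel session config
];
```

Each table named here must exist with the same schema as Laravel's default sessions table, as the answer says; with `secure` and `http_only` set, a shared-domain cookie is at least not exposed over plain HTTP or to page scripts.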
I use subdomain routing in my app; there are dynamic routes set and every subdomain has its own login page. In the users table there are restrictions for users and subdomains, and the validation works without problems: every user can log in to his subdomain but not to others, which is as needed.
I'm a little confused: is a different session per subdomain set by default? I want to make it possible for a user with more accounts to stay logged in to multiple subdomains at the same moment, of course with separate data...
Example:
time.example.com -> time#example.com
finance.example.com -> finance#example.com
Session configuration in my app is the default; I changed nothing.
These are 2 different subdomains and 2 different accounts; I want to be sure that these are also 2 different sessions...
Try updating your config/session.php
Change from:
'domain' => null,
to (The first period is important!):
'domain' => '.example.com',
The default value will instruct the user's browser that their session cookie should only be accessible on the domain on which it was created (time.example.com, etc.)
By putting a . in front of the domain name, you are instructing the browser that the cookie should be accessible on any subdomain.
Note that all of your users will be forced to log in again.
I have made a web application where only pre-registered users can log in, use the user dashboard and log out.
For example, this application runs on PHP/MySQL (cPanel):
"www.example.com/system/index.php"
But I want:
if there are two pre-registered users, e.g. 1. user1 (subdomain: sys1.user1.com) 2. user2 (subdomain: sys2.user2.com), each pre-registered user with their pre-registered subdomain, and this subdomain points to "www.example.com/system/index.php".
For both users there are different options in their dashboard, some different pages and also some similar options, similar design and the same login/logout page. user1 cannot access anything of user2 and vice versa. Under user1 and user2 there are also sub-user accounts with fewer options than the upper user.
Okay, here is what I think you need. First, sessions that are accessible from all three domains.
Here is something for that
session_set_cookie_params(0, '/', '.your-domain.com');
session_start();
Now your session data would be shared across all your subdomains. Next, and I am simplifying this step because I noticed you wrote cPanel, you need a common session path for all subdomains. That is already done because by default sessions use files to store session data. If you scale to multiple servers, make sure your session data is stored in some database server and accessible to all of the subdomains.
Now you need to differentiate which subdomain the user came from. For that it is simple: add a flag variable in the login system to write the subdomain into the PHP session. Example
<?php
// user.login stands in for the application's own credential check (see below)
if (user.login($username, $password)) {
    $_SESSION["authenticated"] = true;
    // record which host the login happened on
    $_SESSION["authSource"] = $_SERVER['HTTP_HOST'];
}
?>
The method user.login is only for representation and is not an actual method. You can change it according to your code.
So in conclusion, the first part of the code segment will share session cookies across all subdomains of your domain, and the second part will set a flag in $_SESSION recording which subdomain the authentication occurred on.
I have a website with a PHPBB 3 forum. The website's authentication mechanism is based on PHPBB. I have migrated the site to a new dedicated server where I created an ubuntu VM on HyperV. When I try logging in to the new site, multiple cookies of the same name are set. These are the auto login (k), user (u) and session ID (sid) cookies. Only 1 set of these cookies tells us that the user was authenticated. I have attached two screenshots of the response headers (one from the old host & one from the new one).
Is there a PHP setting I can toggle to prevent this? The PHP files and database are identical between the two hosts. I tried fiddling with the PHP cookie name setting in the config table, clearing caches & session tables. But nothing seems to help.
Strangely though, if I manually add the sid as query string to the web page, I am shown as being logged in.
[Screenshots of the response headers: New Site, Old Site]
It looks like the cookie path is set right... Are you, or a select few, the only ones with this problem? If so, I would first try to clear all those cookies from the browser and start over. I've solved many a cookie problem with phpBB like that. A second option is to go into the admin panel and change the cookie name. That will invalidate all login cookies and kick everyone off the board... but they should be able to log in afterward.
I am trying to create subdomains for users as each has their own "website". (user.domain.com) This is all "virtual" as all the files, controllers, folders, etc are the same. Everything is dynamically created. I think I've got all the DNS, mod_rewrite, htaccess, etc stuff down, but I've got another problem.
The problem is when a guest (non-user) visits a user's website (user.domain.com). An example to illustrate this:
Guest types url with subdomain (btw, I'm using php) and controller dynamically loads up the user website based on the subdomain.
Guest clicks on a link on the page and gets a new page from server. Problem is that the new page doesn't have the subdomain anymore as all the links are the same. Only the content is different and dynamically loaded.
So the question is, How do I keep track of which subdomain the guest is on? Since the client is a guest and not a logged in user, I can't look at the logged in user's information.
I am just interested in ideas of what the best implementation would be. Should I keep some variable in the session and keep checking that on each page? Should I pass a POST/GET variable with each link and then have the controller read that?
$_SERVER['SERVER_NAME']
This will give you the domain, just keep it in the session.
I need to implement a solution for one of my projects, where I have multiple domains + multiple sub-domains and they all need to share the same session. All domains and sub-domains would be pointed to the single application which is connected to the single database.
Meaning, if a user logs in from any of the domains, they will be able to visit secure pages of the other domains of the application. The user may change domain via following a link or via opening a new tab in the browser.
I have gone through some articles and found the solutions mentioned below:
Session in Database - What if other user from same network with same user agent hits?
iFrame message passing - I heard somewhere that the iFrame renders on document load, and then checking the session after showing some page content will annoy the user.
CURL request with CURLOPT_COOKIEFILE & CURLOPT_COOKIEJAR - I have played with this and it is working fine, but I don't know if it is secure and not a performance killer.
Single Sign On (SSO) - I need some R&D to implement this and it would be the last option.
Please suggest what to do?
Just to verify I am not wrong, you need to share user session across all your applications.
As rightly said above, you may use 4 of the options above. However, I would like to focus on the first option, which is putting the session in the DB, and would like to suggest another option: keeping sessions in a shared directory or server.
Sessions in DB - The answer to your question (What if another user from the same network with the same user agent hits?) is that you will have different session id values to uniquely identify each row in the table. So, no need to worry about it. But the disadvantage is that each time a DB connection would be required and a query would be fired when the session is initialized, i.e. for every single page.
Sessions in shared directory/server - Configure all your applications in such a manner that all applications store sessions at a shared location. The shared location can either be a directory or a secured server. This can easily be achieved by using session_set_save_handler.
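An added example of the shared-directory option via session_set_save_handler (not the answerer's code). The directory path and session name are assumptions. The id check is the part to keep: the session id arrives in the client's cookie, so it must be validated before it becomes part of a filesystem path. Note that a shared store solves the server side only; the browser will still not send a cookie set by one registrable domain to an unrelated domain, which is what the other options in the question address.

```php
<?php
// Added example: a save handler that keeps session files in one directory
// shared by every server and domain of the application. Path is assumed.
declare(strict_types=1);

final class SharedDirSessionHandler implements SessionHandlerInterface
{
    public function __construct(private string $dir) {}

    private function path(string $id): string
    {
        // PHP's own ids use [A-Za-z0-9,-]; reject anything else so an id such
        // as "../etc/passwd" can never escape the session directory.
        if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
            throw new RuntimeException('invalid session id');
        }
        return $this->dir . '/sess_' . $id;
    }

    public function open(string $path, string $name): bool
    {
        return is_dir($this->dir) && is_writable($this->dir);
    }

    public function close(): bool
    {
        return true;
    }

    public function read(string $id): string|false
    {
        $file = $this->path($id);
        return is_file($file) ? (string) file_get_contents($file) : '';
    }

    public function write(string $id, string $data): bool
    {
        // Write to a temp file and rename so another server never reads a
        // half-written record.
        $file = $this->path($id);
        $tmp  = $file . '.' . bin2hex(random_bytes(4));
        return file_put_contents($tmp, $data, LOCK_EX) !== false
            && chmod($tmp, 0600)
            && rename($tmp, $file);
    }

    public function destroy(string $id): bool
    {
        $file = $this->path($id);
        return !is_file($file) || unlink($file);
    }

    public function gc(int $max_lifetime): int|false
    {
        $removed = 0;
        foreach (glob($this->dir . '/sess_*') ?: [] as $file) {
            if (filemtime($file) + $max_lifetime < time() && unlink($file)) {
                $removed++;
            }
        }
        return $removed;
    }
}

// Every application instance registers the same handler and session name, so a
// given cookie resolves to the same record on whichever host presents it.
$handler = new SharedDirSessionHandler('/mnt/shared/php-sessions'); // assumed mount
session_set_save_handler($handler, true);
session_name('APPSESSID');                                           // assumed name
session_set_cookie_params([
    'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
]);
session_start();
```

The directory should be writable only by the web server account; with the 0600 file mode above, other accounts on a shared host cannot read the serialized session data.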