I have a Laravel web server that manages multiple domains, such as:
site1.domain.com, site2.domain.com, site3.domain.com
I added the site name to the user authentication process with great success, and thus have one user table that is partitioned by site. There are no regular users shared between the sites; they are considered unique. It works well.
Each site has a backend, for example:
site1.domain.com/office
For this I have a separate set of users, the Admin model. To make this work I have a rather complicated set of auth routes, another controller and so on. I achieve this with the following filter:

    App::before(function($request) {
        // Requests to the backend use the Admin model instead of the regular User model.
        if ($request->is('office*')) {
            Config::set('auth.driver', 'eloquent.admin');
            Config::set('auth.model', 'Admin');
        }
    });
These administrators are common to all domains. That is, the username is unique in the administrator model.
It works well, but I need to take it further.
I would like login and logout to be consistent between the sites. That is, if an administrator logs in to the office of one site, they are logged in to all of them, and if they log out of one, they are logged out of all of them.
I tried updating the filter this way:
    App::before(function($request) {
        if ($request->is('office*')) {
            Config::set('auth.driver', 'eloquent.admin');
            Config::set('auth.model', 'Admin');
            // Intended to scope the session cookie to the backend on every subdomain.
            Config::set('session.path', '/office');
            Config::set('session.domain', '.domain.com');
        }
    });

However, when I inspect the cookies in my browser, the domain and path have not been affected and remain site.domain.com and / respectively.
Can you tell me how to change session cookie attributes based on my request?
There is also a dependency on the site: there are many different relationships between administrators and sites, which determine whether an administrator can access the /office of a particular site.
I am worried that once an administrator is logged in, they will get access to any site.
My intention is to write an additional "can admin this site" filter that will check that relationship.
Do you think this is a suitable measure in the context of the proposed cross-domain auth for admins?
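The "can admin this site" check described in the question, written out as an added example; it is not code from the original post. It assumes Laravel 4 route filters (the same generation as the App::before filter above), the eloquent.admin auth driver already selected by that filter, and two hypothetical models: a Site with a host column (for example 'site1.domain.com') and Admin->sites(), a belongsToMany relation through an admin_site pivot table. The example does not change how the session cookie is scoped; it shows the authorization step that a cookie shared across .domain.com needs, because such a cookie only proves who the administrator is, not where they may act.

```php
<?php
// Added example, not from the original question. Assumed (hypothetical) names:
//   Site  { id, host }                  host = 'site1.domain.com', 'site2.domain.com', ...
//   Admin { id, username }  sites()     belongsToMany('Site', 'admin_site')
//   OfficeController                    the backend controller for a site

// Authorization filter: may the currently authenticated Admin act on the site
// that owns the host this request arrived on?
Route::filter('admin.site', function ($route, $request) {
    // No Admin session at all: send to the backend login page.
    if (Auth::guest()) {
        return Redirect::guest('office/login');
    }

    $admin = Auth::user();

    // Host header as seen by the routing layer (Symfony lower-cases it).
    $host = $request->getHost();

    // Query through the relation so that only a pivot row linking *this* admin
    // to the site with *this* host can satisfy the check.
    $allowed = $admin->sites()->where('host', $host)->count() > 0;

    if (! $allowed) {
        // Fail closed with 403. Do not redirect to another subdomain: a valid
        // cross-domain session should not be usable to probe which sites exist.
        App::abort(403, 'Not an administrator of this site');
    }
});

// Backend login/logout stay outside the protected group.
Route::get('office/login', 'OfficeAuthController@showLogin');
Route::post('office/login', array('before' => 'csrf', 'uses' => 'OfficeAuthController@login'));

// Logout is a POST with the csrf filter, so that a link on another subdomain
// cannot sign the admin out of every site. Auth::logout() clears the admin
// login from the session, which every subdomain shares once the cookie domain
// is .domain.com, so one logout is a logout everywhere.
Route::post('office/logout', array('before' => 'csrf', function () {
    Auth::logout();
    return Redirect::to('office/login');
}));

// Every other backend route on every subdomain passes through both filters:
// 'auth' (is there an Admin session) and 'admin.site' (may this Admin act here).
Route::group(array('prefix' => 'office', 'before' => 'auth|admin.site'), function () {
    Route::get('/', 'OfficeController@index');
    Route::resource('pages', 'OfficePagesController');
});
```

Two design points. The check is keyed on the request's host, not on anything the administrator sends in the URL or a form, so an administrator of site1 cannot reach site2's office by editing a parameter. And the filter is what provides isolation between sites, not the cookie path: per RFC 6265 a cookie's path attribute is not a security boundary (content on the same host under a different path can still obtain the cookie), so restricting the session cookie to /office would not by itself stop a logged-in administrator from using the shared session against another site.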