
I have a Sails application and the authentication using passport works just fine when it is a single-domain app (steps as in the Passport Doc). I am now trying to convert the app to using subdomains (foo.example.com, bar.example.com), all of which point to the same Sails server. The session works only for the same subdomain: for example, if the user logs in from foo.example.com, then the user is able to access pages under the same subdomain, but not under bar.example.com. req.isAuthenticated() is returning false when redirecting to a subdomain different from the one that was authenticated.

How can I ensure the authentication is across the sub-domains? Any help is much appreciated.

I am using Sails@1.1.0/passport@0.4.0.

  • Have you tried editing config/session.js? In there you can set the domain by doing something like this: `cookie : { domain: '.example.com' }`. It should work for all `.example.com` subdomains. – Glen Feb 21 '19 at 14:31
  • It wasn't enabled, but the issue still exists even after enabling. Now my session.js looks like this: `module.exports.session = { secret: '2fd9e2415dr3e947eb3f649g6b7hd968', cookie : {domain: ".example.com"} };` – user7756579 Feb 21 '19 at 17:39
  • Well, there are a few more things you can try. Along with cookie.domain you can try: `cookie : {domain: ".example.com", sameSite : false}`. In a similar setup I created a custom middleware in config.http returning something like this: `function(req, res, next) { res.header('Access-Control-Allow-Credentials', true); res.header('Access-Control-Allow-Origin', req.headers.origin); res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE'); res.header('Access-Control-Allow-Headers', 'X-Requested-With, X-HTTP-Method-Override, Content-Type, Accept'); next(); }` – Glen Feb 22 '19 at 17:22
  • Sails uses express session so rather than limiting your Googling to sails, try searching for an express solution. But I reckon the above is enough to get you over the line :) – Glen Feb 22 '19 at 17:23
  • @Glen, setting sameSite to false worked. Thanks a lot for the help. If you could answer the question, I will accept as correct answer. – user7756579 Feb 24 '19 at 17:33
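Added editorial example, not code from the comments, from Sails or from any CORS library: the origin-reflecting middleware suggested in the comments above, placed beside an allow-list version, with plain stub `req`/`res` objects so both can be exercised offline. It assumes that only `https://foo.example.com` and `https://bar.example.com` are legitimate browser origins; the `ALLOWED_ORIGINS` set and the `runMiddleware` helper are illustrative names, not part of the page.

```javascript
// Added example (not from the question, the comments or Sails): an origin-reflecting
// CORS middleware next to an allow-list version, exercised with stub req/res objects.
// Assumption: only the two example.com subdomains below are legitimate origins.
'use strict';

const ALLOWED_ORIGINS = new Set(['https://foo.example.com', 'https://bar.example.com']);

// As suggested in the comments: echo whatever Origin the browser sent and allow
// credentials. "*" is forbidden together with credentials, but an echoed origin is
// not, so any site on the internet can then make credentialed requests and read
// the responses with the victim's session cookie attached.
function reflectingCors(req, res, next) {
  res.header('Access-Control-Allow-Credentials', 'true');
  res.header('Access-Control-Allow-Origin', req.headers.origin);
  res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
  res.header('Access-Control-Allow-Headers', 'X-Requested-With, X-HTTP-Method-Override, Content-Type, Accept');
  next();
}

// Hardened: only allow-listed origins get the CORS headers, the response is marked
// as varying by Origin so a shared cache never serves one origin's answer to
// another, and preflight (OPTIONS) requests are answered here without reaching
// the application routes.
function allowListCors(req, res, next) {
  const origin = req.headers.origin;
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    res.header('Access-Control-Allow-Origin', origin);
    res.header('Access-Control-Allow-Credentials', 'true');
    res.header('Vary', 'Origin');
    res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
    res.header('Access-Control-Allow-Headers', 'X-Requested-With, X-HTTP-Method-Override, Content-Type, Accept');
  }
  if (req.method === 'OPTIONS') return res.status(204).end();
  next();
}

// Tiny stand-ins for the Express req/res objects (illustrative helper, not
// Express itself) so either middleware can be run without a server.
function runMiddleware(mw, method, origin) {
  const req = { method, headers: origin ? { origin } : {} };
  const headers = {};
  let status = 200;
  let ended = false;
  let nextCalled = false;
  const res = {
    header(name, value) { headers[name] = value; return res; },
    status(code) { status = code; return res; },
    end() { ended = true; return res; },
  };
  mw(req, res, () => { nextCalled = true; });
  return { headers, status, ended, nextCalled };
}
```

CORS and cookies are separate controls: the `Access-Control-*` headers decide only whether a cross-origin script may read the response, not whether the browser attaches the session cookie. foo.example.com and bar.example.com are different origins, so browser XHR between them does need CORS, but the redirect in the question is a top-level navigation and needs none of these headers.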

1 Answer


Out of the box, Sails uses express-session for session middleware, allowing apps to support all the same functionality available within the express-session package.

To facilitate sharing the same session across multiple subdomains (foo.example.com, bar.example.com), two options need to be configured in the config/session.js file of your Sails app.

```javascript
// config/session.js
module.exports.session = {
  cookie: {
    domain: '.example.com',
    sameSite: false
  }
};
```
  1. cookie.domain : This specifies the value for the Domain Set-Cookie attribute. By default, no domain is set, and most clients will consider the cookie to apply to only the current domain.
  2. cookie.sameSite : Specifies the boolean or string to be the value for the SameSite Set-Cookie attribute.
    • true will set the SameSite attribute to Strict for strict same site enforcement.
    • false will not set the SameSite attribute.

It is worth noting that cookie.sameSite is an attribute that has not yet been fully standardized, and may change in the future. This also means many clients may ignore this attribute until they understand it.

It is most likely for this reason it is not included in the Sails documentation here. A more complete list of available options for express-session can be found here.

Another way to manage sessions across multiple subdomains can be found in this stackoverflow question.

Glen
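Added editorial example, not code from the question, the answer, Sails or express-session: a small model of the two Set-Cookie attributes the answer configures, so the cross-subdomain failure in the question and the side effect of `sameSite: false` can be reproduced offline. It assumes hostnames are plain ASCII and treats the last two labels of a host as its "site" (correct for example.com; real browsers consult the public-suffix list). The cookie name `sails.sid`, the hostnames, the `demo()` function and the `setCookieHeader` serializer are illustrative and not taken from the page.

```javascript
// Added example (not from the question, the answer, Sails or express-session).
// Models how the Domain and SameSite attributes decide whether a browser attaches
// the session cookie to a request, and shows the answer's permissive cookie
// settings next to a hardened variant that still spans the subdomains.
// Assumption: the "site" of a host is its last two labels (true for example.com;
// browsers use the public-suffix list, which this example does not).
'use strict';

// RFC 6265 section 5.1.3 domain matching. A leading dot in the Domain attribute is
// ignored, so Domain=.example.com and Domain=example.com both match example.com
// and every host below it. IPv4 literals never domain-match.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, '');
  if (host === domain) return true;
  if (/^\d+(\.\d+){3}$/.test(host)) return false;
  return host.endsWith('.' + domain);
}

// Scope check. A cookie set without a Domain attribute is host-only (RFC 6265
// section 5.3 step 6) and is returned only to the exact host that set it, which
// is why the session in the question never reaches bar.example.com.
function inScope(cookie, targetHost) {
  if (!cookie.domain) {
    return targetHost.toLowerCase() === cookie.originHost.toLowerCase();
  }
  return domainMatches(targetHost, cookie.domain);
}

// SameSite compares registrable domains, not hosts, so foo.example.com and
// bar.example.com are the same site. Simplified to the last two labels.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Would the browser attach this cookie to a request from initiatorHost to
// targetHost? request = { initiatorHost, targetHost, topLevel, method }.
//   no attribute / false / 'none' -> always (within cookie scope)
//   'lax'                         -> same-site requests plus top-level GET navigations
//   true / 'strict'               -> same-site requests only
function wouldSend(cookie, request) {
  if (!inScope(cookie, request.targetHost)) return false;
  const mode = cookie.sameSite === true ? 'strict' : cookie.sameSite;
  if (!mode || mode === 'none') return true;
  if (siteOf(request.initiatorHost) === siteOf(request.targetHost)) return true;
  if (mode === 'lax') return request.topLevel === true && request.method === 'GET';
  return false;
}

// Minimal Set-Cookie serializer for the option shapes used below (attribute order
// is this example's own, not necessarily express-session's).
function setCookieHeader(name, value, opts) {
  const parts = [`${name}=${value}`];
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  parts.push(`Path=${opts.path || '/'}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite === true) parts.push('SameSite=Strict');
  else if (typeof opts.sameSite === 'string') {
    parts.push(`SameSite=${opts.sameSite[0].toUpperCase()}${opts.sameSite.slice(1)}`);
  }
  return parts.join('; ');
}

// The answer's cookie settings and a hardened variant, both in the shape of the
// `cookie` object in config/session.js.
const permissiveCookie = { domain: '.example.com', sameSite: false };
const hardenedCookie = {
  domain: '.example.com', // shared with every *.example.com host, by design
  sameSite: 'lax',        // subdomains are same-site, so sharing still works
  httpOnly: true,         // keep the session id away from page scripts
  secure: true,           // only ever sent over HTTPS
};

// Constructed scenario: login on foo.example.com, redirect to bar.example.com,
// and a cross-site form post from an attacker-controlled origin.
function demo() {
  const hostOnly = { originHost: 'foo.example.com' };
  const shared = { originHost: 'foo.example.com', ...permissiveCookie };
  const hardened = { originHost: 'foo.example.com', ...hardenedCookie };
  const redirect = { initiatorHost: 'foo.example.com', targetHost: 'bar.example.com', topLevel: true, method: 'GET' };
  const csrfPost = { initiatorHost: 'attacker.net', targetHost: 'bar.example.com', topLevel: true, method: 'POST' };
  return {
    hostOnlyReachesBar: wouldSend(hostOnly, redirect),  // false: the symptom in the question
    sharedReachesBar: wouldSend(shared, redirect),      // true
    sharedCsrf: wouldSend(shared, csrfPost),            // true: the cost of sameSite: false
    hardenedReachesBar: wouldSend(hardened, redirect),  // true
    hardenedCsrf: wouldSend(hardened, csrfPost),        // false
    header: setCookieHeader('sails.sid', 's%3Aabc', hardenedCookie),
  };
}
```

Two caveats a practitioner will want alongside the answer. First, `sameSite: false` omits the attribute entirely, so a form on any origin can post to bar.example.com with the session cookie attached; `'lax'` keeps that CSRF protection and, because foo.example.com and bar.example.com share the registrable domain example.com, still lets the redirect in the question carry the cookie. Second, `domain: '.example.com'` means every host under example.com can read and also set that cookie, so each subdomain (and anyone who can serve content on one) is now inside the trust boundary of the shared session.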