
I'm currently working on a Laravel project that is hosted on a domain. A part of this application, some functionality, has to be on a different domain. I found a way: in my web.php, I mapped all routes with:

Route::group(['domain' => config('app.main_domain')], function () {

and the routes that need to be on the other domain in the same manner, but with a different domain. Ok. In the main domain, I create an image with the src attribute:

<img src="{{ config('second_domain') }}/auth?id={{ \Illuminate\Support\Facades\Crypt::encrypt(\Illuminate\Support\Facades\Session::getId()) }}" style="display:none;"/>

pointing to this method route :

if ($request->has('id')) {
    $session_id = Crypt::decrypt($request->get('id'));
    Session::setId($session_id);
    Session::start();
}

It's working. I share the same session over different domains, but I would like to ask you guys if you know a better method for this scenario. I know this is an old method that Google used.

I have to say that the users need to remain authenticated in the different domain. I have looked at Laravel Passport and Laravel Sanctum, but those are for API authentication.

Any help will be appreciated.

  • Please look into this, all the scenarios discussed in this post https://stackoverflow.com/questions/14611545/preserving-session-variables-across-different-domains – Sahil Jul 23 '20 at 20:19
  • Thanks for your reply, but that's a very old thread, I read it, but didn't find anything that should help me.. – Constantin Velea Jul 23 '20 at 20:29
  • When the user logs into the site, redirect the user to the other website's page with the session id/some token, and the other website can read the session id/token, verify the token/id and, if valid, set the cookie and redirect back to wherever you initially want the user to go after login. Look at the accepted answer here https://stackoverflow.com/questions/6761415/how-to-set-a-cookie-for-another-domain – Sahil Jul 24 '20 at 18:22
  • It's kinda bad to redirect the user to another page after they log in, and then back to the original website.. I don't know if OAuth2 will help me or Guzzle requests – Constantin Velea Jul 25 '20 at 11:13
  • But that's what Google does, it redirects for a very short while and so fast that you don't even notice. You can try storing the token in local storage and the other website can pick that up – Sahil Jul 25 '20 at 11:47
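The token handoff suggested in the comments above, as an added example in plain PHP that is not part of the original thread: the main domain issues a short-lived, single-use, HMAC-signed token instead of the encrypted session id, and the second domain verifies it before starting its own session. `SHARED_KEY`, `TOKEN_TTL`, the function names and the in-memory nonce store are assumptions made for illustration.

```php
<?php
// Added example, not from the original thread. SHARED_KEY, TOKEN_TTL, the function
// names and the in-memory $usedNonces store are hypothetical.
const SHARED_KEY = 'constructed-demo-key'; // constructed; both domains load the real one from config
const TOKEN_TTL = 30;                      // seconds a token stays redeemable

function b64url(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// Main domain: issue a token for the already authenticated user.
function issueHandoffToken(int $userId, int $now): string
{
    $payload = b64url(json_encode([
        'uid' => $userId, 'exp' => $now + TOKEN_TTL, 'nonce' => bin2hex(random_bytes(16)),
    ]));
    return $payload . '.' . b64url(hash_hmac('sha256', $payload, SHARED_KEY, true));
}

// Second domain: return the user id, or null when the token must be rejected.
function redeemHandoffToken(string $token, int $now, array &$usedNonces): ?int
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null; // malformed
    }
    [$payload, $mac] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, SHARED_KEY, true));
    if (!hash_equals($expected, $mac)) {
        return null; // forged or altered
    }
    $data = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($data) || !isset($data['uid'], $data['exp'], $data['nonce'])) {
        return null;
    }
    if ($now > $data['exp'] || isset($usedNonces[$data['nonce']])) {
        return null; // expired or already redeemed
    }
    $usedNonces[$data['nonce']] = $data['exp']; // single use; a shared cache in a real deployment
    return (int) $data['uid'];
}
// Constructed run: a fresh token, the same token replayed, and one presented after TOKEN_TTL.
$used = [];
$now = time();
$token = issueHandoffToken(42, $now);
var_dump(redeemHandoffToken($token, $now + 5, $used));
var_dump(redeemHandoffToken($token, $now + 6, $used));
var_dump(redeemHandoffToken(issueHandoffToken(42, $now), $now + 31, $used));
```

On the second domain, a non-null result is the point where the application would log that user in under a freshly generated session id (in Laravel, `Auth::loginUsingId()` followed by `$request->session()->regenerate()`), so no session id ever travels in a URL.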

1 Answer

For logging in different domains you should describe different "guards".


Configs

For example config/auth.php

'defaults' => [
    'guard' => 'web', // or 'admin'
    'passwords' => 'users',
],
'guards' => [
    'admin' => [
        'driver' => 'session',
        'provider' => 'users',
    ],

    'web' => [
        'driver' => 'session',
        'provider' => 'tourists',
    ],

    'api' => [
        'driver' => 'token',
        'provider' => 'users',
        'hash' => false,
    ],
],

I use two guards in my project:

  • The first one is 'admin'. It's for the admin panel, and I use the User.php model as its provider.

  • The second one is 'web'. It's for the frontend or public site and uses the Tourist.php model, but you can use the User model as well.


Controllers

You can use a specific guard. In LoginController for the admin panel:

protected function guard()
{
    return Auth::guard('admin');
}

And for the general domain of the website:

protected function guard()
{
    return Auth::guard('web');
}

Routes

And finally you ask me: how can I protect my routes? Pfff, simply:

Route::group(['middleware' => 'auth:web'], function () {
    Route::get('/', 'Cabinet\HomeController@index')->name('home');
});

Or for admin private routes:

Route::group(['middleware' => 'auth:admin'], function () {
    Route::get('/', 'Admin\HomeController@index')->name('home');
});

Read more about authentication https://laravel.com/docs/7.x/authentication#adding-custom-guards

Mafftor
  • What is the purpose of different guards..? I thought my question was clear: I have a Laravel app that runs on dev.test. A part of this app has to point to dev.test2, a different domain; when you go to dev.test2, you don't have a session – Constantin Velea Jul 23 '20 at 20:32