In my new project, I need to create an authentication system. The requirements are:
- authentication should be done for different domains and sub-domains
- for now, the only client type is front-end applications (SPAs)
- site A can have two domains: company.my-domain.com and a custom domain for itself like company.com

The first thing that came to my mind was to use stateless authentication with JWT tokens, but I couldn't think of a way to securely store the JWT in the front-end: storage is vulnerable to XSS, and for cookies CSRF should be considered. Laravel Sanctum's stateless authentication does not use cookies and sessions, which is why I don't think stateless authentication is a good choice for this app.

The second, stateful way was to use cookies, which Sanctum supports by default, but the problem is that I cannot use cookies for different domains, so I have to point the different domains to my server and create virtual hosts, so that:
- company.my-domain.com sends its requests to api.my-domain.com (because cookies can be shared between subdomains)
- company.com sends its requests to api.company.com (because api.my-domain.com cannot set cookies for another domain)

The problem is that Laravel uses an environment variable called SESSION_DOMAIN, and you can only set it once. I can't and don't want to launch a new instance with different env variables for each custom domain, so my question is: how do I set the session domain environment variable dynamically? And does the fact that I'm using Octane affect other requests in this case? Because I used Config::set(), and it does affect the X-CSRF-TOKEN but not any of the Sanctum cookie domains.

Any help and recommendation would be appreciated!
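As an added example (not code from the question author, Laravel or Sanctum), the following is one way to pick the session cookie domain and the Sanctum stateful domains per request instead of from a single SESSION_DOMAIN value. The middleware name `ResolveTenantSessionDomain`, the hard-coded tenant table and the two `api.*` hosts are assumptions made for illustration; a real deployment would load the table from wherever tenants are stored. Two design points matter here: the cookie domain is looked up in an allowlist keyed by the request host rather than derived from the raw Host header, since an attacker-controlled Host would otherwise choose the scope of the session cookie; and the config values are overwritten on every request, so it makes no difference whether Octane keeps the previous request's config in the long-lived worker or not.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

/**
 * Hypothetical middleware (example code, not Laravel's or Sanctum's own):
 * selects the cookie/session domain for the current request from an explicit
 * allowlist of tenant API hosts instead of a single SESSION_DOMAIN env value.
 *
 * It must run BEFORE StartSession and VerifyCsrfToken queue their cookies, so
 * register it in the global $middleware array of app/Http/Kernel.php (global
 * middleware runs ahead of the web/api middleware groups):
 *   \App\Http\Middleware\ResolveTenantSessionDomain::class,
 */
class ResolveTenantSessionDomain
{
    /**
     * Constructed allowlist: API host => [cookie domain, stateful SPA origins].
     * Assumed for the example; in practice this comes from the tenant table.
     * Sanctum matches entries in 'stateful' with wildcard support, so
     * '*.my-domain.com' covers every sub-domain SPA.
     */
    private const TENANTS = [
        'api.my-domain.com' => [
            'domain'   => '.my-domain.com',
            'stateful' => ['company.my-domain.com', '*.my-domain.com'],
        ],
        'api.company.com' => [
            'domain'   => '.company.com',
            'stateful' => ['company.com', 'www.company.com'],
        ],
    ];

    public function handle(Request $request, Closure $next): Response
    {
        // Normalise the host before the lookup; never use it as the cookie
        // domain directly, because the Host header is client-controlled.
        $host = strtolower($request->getHost());

        $tenant = self::TENANTS[$host] ?? null;

        if ($tenant === null) {
            // Unknown host: refuse instead of falling back to a shared default,
            // so a session cookie can never be scoped to the wrong domain.
            abort(404, 'Unknown tenant host');
        }

        // Set these on EVERY request, never only when they look "unset".
        // Under Octane the worker (and whatever config state survives in it)
        // outlives a single request, so a value left over from a previous
        // tenant must always be overwritten here.
        config([
            'session.domain'   => $tenant['domain'],
            'sanctum.stateful' => $tenant['stateful'],
        ]);

        // Cookies queued through the CookieJar (for example the remember-me
        // cookie) use the jar's defaults, which are captured from config at
        // boot rather than per request, so reset those defaults as well.
        app('cookie')->setDefaultPathAndDomain(
            config('session.path', '/'),
            $tenant['domain'],
            (bool) config('session.secure', true),
            config('session.same_site', 'lax')
        );

        return $next($request);
    }
}
```

After adding the class to the global middleware stack, a request arriving at api.company.com gets `laravel_session` and `XSRF-TOKEN` cookies scoped to `.company.com`, and a request at api.my-domain.com gets them scoped to `.my-domain.com`, from one running instance and one `.env`. Whether a given Laravel or Sanctum version reads `session.domain` at cookie-creation time or caches it earlier is something to confirm against the installed version: if a cookie still comes out with the boot-time domain after this middleware runs, the component that sets it is reading a cached value, and the reset has to be moved to (or repeated in) the place that caches it.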