Hi there,
Does Passport support the sharing of login sessions across applications running on different subdomains?
It appears that setting the cookie domain (in the express session options) is not sufficient to make this work. What I'm finding is that the login session of one application is reset when I navigate to the other, bringing me back to the login form of each.
Advice will be greatly appreciated,
-C
PS. Just commented on issue https://github.com/jaredhanson/passport-local/issues/20, but posting here because this question pertains to passport in general.
Hello again,
I got this working by changing my express configuration to use the cookieSession() middleware instead of the session() middleware.
e.g.:
app.use(express.cookieParser());
app.use(express.cookieSession({
key: 'myappname.sid',
secret: 'my secret',
cookie: { domain: '.mydomain.com', maxAge: ONE_DAY }
}));
[Note: All applications to share the login session must be configured with the same cookieSession() options]
Hope that helps anyone encountering the same difficulty!
Cheers,
-C
_Correction 14-May-2013: Remove extraneous cookieSession option 'store'_
Would be good to establish a bit more about this (I'm having a problems that may be related). Which session store were you using before?
I switched from express.session to express.cookieSession, using RedisStore in both cases.
If you are using cookieSession, then you are no longer using RedisStore. cookieSession stores all of the data directly in the cookie, not anywhere on the server. I imagine the 'store' property you are declaring is being ignored (since cookieSession is it's own store). To verify you can use something like reddis-commader (installable via NPM) to inspect any data in redis. I am having problems with RedisStore too.
Sorry, I wasn't thinking when I wrote my last comment. I am not using RedisStore with cookieSession. It would be ignored anyway, as you correctly pointed out. I will correct the closing comment. Thank you! :)
Here's how I managed to do it using AngularJS and ExpressJS:
You can use: domain: ".app.localhost" and it will work. The 'domain' parameter needs 1 or more dots in the domain name for setting cookies. Then you can have sessions working across localhost subdomains such as: api.app.localhost:3000.
@cailie is there a way to allow for more than 1 domain, instead of subdomains?
@cailie how did you check authentication with your cookie session method? Did you store anything on the req.session object? I know that passport stores login information in req.user so I am not sure how to manage the session for all subdomains. Thanks for your help!
So just confirming, by default, this doesn't allow session cookies to be accessed by subdomains? Because I have a thing where you login, and users can create sites using JS on subdomains, and I was researching if stealing the session cookie was a security concern (https://github.com/go-gitea/gitea/issues/302).
Most helpful comment
Hello again,
I got this working by changing my express configuration to use the cookieSession() middleware instead of the session() middleware.
e.g.:
[Note: All applications to share the login session must be configured with the same cookieSession() options]
Hope that helps anyone encountering the same difficulty!
Cheers,
-C
_Correction 14-May-2013: Remove extraneous cookieSession option 'store'_