 

share authentication between domain and subdomain in symfony 2.1

In an application I implemented a JavaScript chat with long polling. Since just one Ajax request per domain is allowed, I wanted to move the poll request to a subdomain.

So I have two domains:

dev.site.com
poll.dev.site.com

In my config.yml I entered the following:

framework:
    session:
        domain: .dev.site.com
        cookie_domain: .dev.site.com

But Symfony does not keep me logged in if I try to poll on the subdomain via Ajax.

Any idea on how to keep the session on the subdomains? I'm using the FOSUserBundle.

Johannes Klauß asked Dec 12 '12 15:12




1 Answer

First, the two applications need to share the fos_user table so they can reload the user. As you have "one app and the two domains pointing to the same app", this should already be correct.

Next is to set the session cookie to be shared between the domain and the subdomain. The config in your question is correct. However, for FOSUserBundle to be able to reload the user when you change from dev.site.com to poll.dev.site.com you need to share the session storage between the two domains.

The easiest way I can suggest is to store the session in a database. This is achieved by using the PdoSessionStorage available in Symfony. The official documentation covers how to set up the session storage to do that.

If all of the above is done correctly, you should now be able to log in to a secure area on dev.site.com and then change the URL to another secure area on poll.dev.site.com without any need to provide login credentials again. Notice that the user credentials are only loaded in a secure area.

Once opening poll.dev.site.com directly in the browser works without any need to enter the credentials again, you need to do some additional work to get the Ajax request to work.

According to these two questions, "Setting a cookie on a subdomain from an ajax request" and "multi-sub-domain cookies and ajax problems", the problem is likely the same-origin policy: http://en.wikipedia.org/wiki/Same_origin_policy

The first suggests setting the following header fields on dev.site.com:

Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://poll.dev.site.com

And then passing withCredentials on the ajax request.

$.ajax({
    url: 'http://poll.dev.site.com/some/ajax/endpoint.json',
    xhrFields: { 
        withCredentials: true 
    }
});

I've tested it using a dummy file that would just set the cookie and try an Ajax request. I got it to work if I had withCredentials on the Ajax request, but I could not see any difference when I tried with/without the Access-Control-Allow-* headers.

The other answer suggested using document.domain, but I didn't test that.

I used Opera's Dragonfly to inspect the network traffic and check whether the Cookie header was sent to the server when I tested. You can use Firebug, Chrome or probably IE too.

lz. answered Oct 03 '22 19:10