symfony set the cookie_domain dynamically

Question

I have a single app that ca serve multiple domains. I'm having a problem with the framework.session.cookie_domain

• I'd like the session to be kept between subdomain, so far so good with cookie_domain set right

• Where i have a problem is that i'd like the cookie_domain parameter set dynamically as i don't know in advance which domain the request is coming from.

  • I tried in the AppKernel.php to do something like :

  $domain = substr($_SERVER['HTTP_HOST'], strpos($_SERVER['HTTP_HOST'], '.')); ini_set('session.cookie_domain', $domain);

  • But it seems to break my sessions

• I could have multiple config.yml one for each domain but i'd like to avoid that.

Do you know a way?

Thanks

Answer 1

I have a similar situation. It's a multi-tenant site with school districts and schools. Each district and school has its own URL as follows:

• school-1.district-1.example.com
• school-2.district-1.example.com
• school-1.district-2.example.com

I want users to be able to access all schools in one district with a single login. I therefore need the cookie to be at the district level.

This is my session storage service.

namespace AppBundle\Services;

use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\HttpFoundation\Session\Storage\MetadataBag;
use Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage;

class MySessionStorage extends NativeSessionStorage
{
    public function __construct(array $options = array(), $handler = null, MetadataBag $metaBag = null, RequestStack $requestStack)
    {
        $host = $requestStack->getMasterRequest()->getHost();
        $options['cookie_domain'] = substr($host, strpos($host, '.') + 1);

        parent::__construct($options, $handler, $metaBag);
    }
}

In services.yml

mySessionStorage:
    class: AppBundle\Services\MySessionStorage
    arguments: [%session.storage.options%, @session.handler, @session.storage.metadata_bag, @request_stack]

In config.yml under framework:

session:
    handler_id: session.handler.native_file
    storage_id: mySessionStorage

Note that handler_id is null (~) by default in a standard Symfony installation. It needs to be set to something for the service to receive a non-null @session.handler.

That does it for the session cookie but the other one I needed to change is the remember_me cookie. You can set the domain to a constant in config.yml but I need it to depend on host. Maybe I'm missing something but I couldn't see a way to do it dynamically within the security system. RememberMeFactory is directly instantiated, not via configuration. My solution is to listen for kernel.response and replace the cookie before it is sent.

namespace AppBundle\Listeners;

use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\HttpKernel\Event\FilterResponseEvent;

class CookieFix
{
    private $requestStack;

    public function __construct(RequestStack $requestStack)
    {
        $this->requestStack = $requestStack;
    }

    public function onKernelResponse(FilterResponseEvent $event)
    {
        $response = $event->getResponse();
        $cookies = $response->headers->getCookies();
        $rMe = null;

        foreach($cookies as $cookie) {
            /** @var \Symfony\Component\HttpFoundation\Cookie $cookie */
            if ($cookie->getName() == 'REMEMBERME') {
                $rMe = $cookie;
                break;
            }
        }

        if ($rMe !== null) {
            $host = $this->requestStack->getMasterRequest()->getHost();
            $newDomain = substr($host, strpos($host, '.') + 1);

            $response->headers->removeCookie($rMe->getName());
            $response->headers->setCookie(new Cookie($rMe->getName(), $rMe->getValue(), $rMe->getExpiresTime(), $rMe->getPath(), $newDomain));
        }
    }
}

I should probably try to get the cookie name from the config.

In services.yml

cookieFix:
    class: AppBundle\Listeners\CookieFix
    arguments: [@request_stack]
    tags:
        - { name: kernel.event_listener, event: kernel.response, method: onKernelResponse, priority: -100 }

The -100 priority ensures that it runs after the listener that creates the cookie.

Answer 2

Ok, i've figured this out.

It was not that difficult.

I created a custom sessionStorage, extending the default one and i did a simple override where the options were being dealt with: there i calculated my cookie_domain and passed it to the parent::function :

use Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage;

/**
 * DynamicDomainSessionStorage.
 *
 * @author Julien Devouassoud
 */
class DynamicDomainSessionStorage extends NativeSessionStorage
{
     /**
     * setOptions.
     *
     * {@inheritDoc}
     */
    public function setOptions(array $options)
    {   
        if(isset($_SERVER['HTTP_HOST'])){
            $domain = substr($_SERVER['HTTP_HOST'], strpos($_SERVER['HTTP_HOST'], '.'));

            $options["cookie_domain"] = $domain;
        } 



        return parent::setOptions($options);
    }
}

Don't forget:

• to declare your class as a service

• set this service as storage

• set the save_path otherwise cookie_domain seems not to work (breaks the session)

• i set a 'name' as well but i don't think it's essential

• code config.yml :

#...
framework:
    #...
    session:
         storage_id: v3d.session.storage.dynamic_domain
         save_path: %kernel.root_dir%/cache/var/sessions
         name: SFSESSID

services
    v3d.session.storage.dynamic_domain:
        class: V3d\Bundle\ApplicationBundle\Services\DynamicDomainSessionStorage