I have multiple front-end & back-end apps running on different subdomains of the same domain. On the main front-end app I want to build a thing to switch between subdomains but also keep the session.
I've tried to:
use express-session
do some tricks with the JWT authentication
localStorage is not going to work as it is persistent on only 1 URL
but still can't figure out:
Is it possible to have a session shared across multiple subdomains?
What is the best solution to have a shared session across multiple subdomains?
The technologies I use:
Front-end: React JS
Back-end: Node & Express JS
To share sessions across sub-domains, you need to configure two things.
You need the proper cookie settings for the session cookie so that the browser will send the same session cookie to both sub-domains. This involves setting the domain attribute on the cookie to the root domain. You can set this in the cookie options for the express-session configuration.
You need to make sure that the server for each sub-domain has access to the same session store. If it's actually the same server for each sub-domain, then that's easy. But, if it's a different server, then you will need a shared session store, using some type of shared database (redis, mongodb, etc...). There are session store implementations for many different databases.
Luckily we're working on same project these days with with Nextjs as frontend and nodejs express as backend API.
We use cookies to manage the session on sub domains.
But to maintain the session on sub domains we use middleware in nextjs which on every page check for the session using token and user id.
On login send token, userid as parameters in url based on which user data get from api and saved that subdomain.
On logout removing cookies and sending paramter to tell the main domain to remove the saved cookies which completely clean the session.
This is how we maintain the auth session on multiple domains.
Hope this will helps.
If you find other way better then this i would like to know.
Related
I have created a MERN application using Create-React-App.
When run on localhost, and deployed using Heroku, it says the site (or localhost) uses 2 cookies.
It looks like this:
Because of this, I have to add a accept cookie pop up in my website and create a cookie policy..
I did not write a single code about cookies in my app, but there are two.
From my search CRA does not automatically include code for setting cookies.
How can I remove these two cookies?
Based on your screenshot you've included in your question, you've mistaken local/session storage for cookies.
Both storage types have nothing to do with cookies. Values stored in these storages are not transmitted back to the server and can therefore not be used to identify your users in any way.
You do not need a cookie policy for these two storages.
Just to make sure that you didn't accidentally have any cookies set, you could also have a look into your dev-tools. The kinds of storage should be listed separately there.
In the company I'm currently working at there are multiple WebApps, e.g: App1, App2, App3 ... The current issue is that we want to allow an user to log into App1, and if he goes to App2 we do not require this user to login again, because he already logged in App1.
How can I achieve this? I'm using Firebase but the onAuthChange() doesn't track changes on different domains, and I'm aware I cannot share cookies from App1.com to App2.com.
My plan was to once a user signs in in App1, I create a cookie on the browser that I could check on App2 and if there is a current user, get the ID and fetch the data needed to render the user information.
I'm working with: ReactJs, NodeJs, Graphql, Prisma, Nexus, Firebase (Auth). In case it matters
Cookies are not shared across different domains. But if the sites app1, app2, app3 have a common sub domain, then they can share the cookies. For example app1.example.com, app2.example.com, app3.example.com. All these sites have *.example.com as their sub-domain. So a cookie set for *.example.com can be accessed by all these web-apps.
These web-apps need to have a common authentication mechanism shared among them.
Another option is when you authenticate with app1, then response can include cookies for all three domains.
i am using express framework, in my requirement have to maintain a login server and content server, a user can login from one server and then searching the content's from other server.
any best idea to implement this concept? and please share, how to share the user's data while connecting or redirecting to another server?
If you are creation sessions on logging, then you can session across multiple node process/servers using extenal session store service.
Search on Express session stores.
You can store session on mongodb/redis or any other.
Redis Session Store example : http://blog.arisetyo.com/?p=492
My web application production deployment is on 2 servers behind a load-balancer.
I'm using passport (local strategy) with session for authentication.
When the application runs on one server everything works fine, but in production one server doesn't recognize the cookie/session established by the other server (Each request gets randomally sent to a different server, I can't control it).
As a result - i'm redirected to the login page when attempting to access pages that require authentication (even after i login).
How can i get the two servers to create a session cookie that they both recognize (obviously i used the same secret for the express session middleware).
Thanks,
Alon
Option 1
Configure the load-balancer to always route the same ip to the same machine. Might be problematic for users who change network.
Option two
Use a third machine running the database and set up express.session (and any other database connections for that matter) to use that machine as store. This question/answer mentions how to do it with mongoose/mongodb.
I think this is the more common solution but is of course more expensive if you don't need a third machine.
I have a website that came with a SSL site for HTTPS but its on a different server. Example being
my website:
http://example.com
my SSL site:
https://myhostingcompany.com/~myuseraccount/
So I can do transactions over HTTPS and we have user accounts and everything but it is located on a different domain. The cookie domain is set for that one.
Is there a way I can check on my actual site to see if a cookie is set for the other one? And possibly grab its data and auth a user?
I think this violates a major principle of security and can't be done for good reasons, but am i wrong? is this possible?
You can setup a service on either site to handle RPC via HTTP POST requests. You can make it require some sort of session that can only be created by your sites. However, whatever can be accessed over that shared session on the HTTPS site will have no guarantee of confidentiality or integrity.