
My app has multiple domains and has a feature that lets the user switch to another locale site.

When a user switches locale he is redirected between the domains (for each domain the app will set a cookie with the same locale settings).

At the end of the redirect loop he is redirected back to the "source" domain (and in case he set his locale to a specific country which has a dedicated domain, he'll be redirected to the dedicated domain).

The locale cookies are set successfully during the redirection process (a simple cookie, not Secure/HttpOnly/Strict).

The redirection process is based on an HTML meta tag (not a PHP header, because in that case the redirection would happen before the browser saves the cookies).

The problem is:

The authentication cookie gets deleted from the source domain. The authentication cookie is HttpOnly, Secure and Strict (and is valid for a long time, so it should not expire).

I guess the issue is connected to the cookie security settings, but I can't figure out why. Any help?

Bitmap
  • As you are talking about cross-domain authentication, do you have an SSO site set up to handle all authentication requests? – Juakali92 Jul 22 '18 at 11:26
  • Currently it's not an SSO application; only the locale settings are shared. Is that a problem? – Bitmap Jul 22 '18 at 14:02
  • Instead of a single cookie for each domain, it's much easier to log the current state via a single interface. Redirect all logins to an SSO portal and, across all your domains, check using cURL the current state of the user session upon page load. – Juakali92 Jul 22 '18 at 18:29
  • I totally agree with you, and it's my intention for the future. But for now, why do my cookies get deleted on multiple redirects (other redirects don't cause this issue)? – Bitmap Jul 24 '18 at 15:48

0 Answers