
I have multiple front-end & back-end apps running on different subdomains of the same domain. On the main front-end app I want to build a thing to switch between subdomains but also keep the session.

I've tried to:

  • use express-session
  • do some tricks with the JWT authentication
  • localStorage is not going to work as it is persistent on only 1 URL

but still can't figure out:

  1. Is it possible to have a session shared across multiple subdomains?

  2. What is the best solution to have a shared session across multiple subdomains?

The technologies I use:

  • Front-end: React JS
  • Back-end: Node & Express JS

DIIMIIM
    Why use different subdomains at all if you want a common session? Can you give more context? – Heiko Theißen Nov 14 '21 at 15:19
  • The whole front-end needs to be split in multiple subdomains, can't give more details on this. – DIIMIIM Nov 14 '21 at 15:56
  • I am not sure it's the same question but maybe this can assist: https://stackoverflow.com/questions/11850977/sessions-across-subdomains-in-express – Sefi R Nov 14 '21 at 16:23
  • Is there one common server for the multiple subdomains or are they different servers too? – jfriend00 Nov 14 '21 at 19:13
  • They are on different servers. Anyway, one server or multiple servers, this is up to choice. Would be nice to have separate servers though. – DIIMIIM Nov 14 '21 at 20:53

2 Answers


To share sessions across sub-domains, you need to configure two things.

  1. You need the proper cookie settings for the session cookie so that the browser will send the same session cookie to both sub-domains. This involves setting the domain attribute on the cookie to the root domain. You can set this in the cookie options for the express-session configuration.

  2. You need to make sure that the server for each sub-domain has access to the same session store. If it's actually the same server for each sub-domain, then that's easy. But, if it's a different server, then you will need a shared session store, using some type of shared database (redis, mongodb, etc...). There are session store implementations for many different databases.

jfriend00
  • I see, I was thinking about using Redis. But I'm more confused on the front-end part. How should I authorize a user who comes from a domain? – DIIMIIM Nov 14 '21 at 20:55
  • @DIIMIIM - I have no idea what that comment means. You authorize a user the same way you always authorize a user, no matter where they're coming from. The client sends some sort of credential to the back-end and the back-end verifies that credential and, if approved, marks them as authenticated in the server-side session. Future requests can check the session data to see if they are authenticated. The front-end part can be a form submission or an Ajax call. – jfriend00 Nov 14 '21 at 23:34
  • Yes, but the thing is a user can sign in/sign up via domain1 only (for example) and then, once logged in, he can switch between multiple subdomains without losing the auth session. So the goal is to not force him to authenticate again for each attempt to switch the subdomain. Your explanations on the back-end part make sense to me; the half of the problem I'm still struggling with is the approach on the front-end. – DIIMIIM Nov 15 '21 at 12:51
  • @DIIMIIM - Did you read about the domain attribute on the cookie that I referenced in my answer? If you set that correctly in the express-session settings to the parent domain, then your session cookie from subdomainA will work for subDomainB and subDomainC and other subdomains. If the cookie works for the other subdomains, then the user will not be required to login again (assuming your server is implemented to let an already logged in user come in without reauthenticating). – jfriend00 Nov 15 '21 at 21:58
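The two settings from the answer above, worked through as an added example (this is not code from the answer, the asker, or the express-session project): an options object for express-session whose cookie `domain` is the parent domain, a stand-in shared store in the `get`/`set`/`destroy` callback shape express-session expects, and an RFC 6265 domain-match check so you can see which hosts the browser will actually send the cookie to. The host names, secret and session id are constructed for illustration; `example.com` is a placeholder for the real parent domain.

```javascript
// Added example, not code from the answer or from express-session.
// It demonstrates (1) scoping the session cookie to the parent domain and
// (2) giving every subdomain's server the same session store.

// Minimal shared store in the callback shape of express-session's Store
// interface (get/set/destroy). In production this would be connect-redis
// or another shared-database store; a Map stands in so the file runs offline.
function createSharedStore() {
  const sessions = new Map();
  return {
    get(sid, cb) { cb(null, sessions.get(sid) || null); },
    set(sid, sess, cb) { sessions.set(sid, sess); cb(null); },
    destroy(sid, cb) { sessions.delete(sid); cb(null); },
  };
}

// Options object to hand to express-session's session(...).
// rootDomain is the parent domain (e.g. 'example.com', a placeholder here);
// store is the store instance shared by all subdomain servers.
function sessionOptions(rootDomain, store, secret) {
  return {
    name: 'sid',
    secret,
    store,                 // same backing store behind every subdomain
    resave: false,
    saveUninitialized: false,
    cookie: {
      domain: rootDomain,  // browser sends the cookie to every *.rootDomain
      httpOnly: true,      // session id not readable by front-end JS
      secure: true,        // only over HTTPS
      sameSite: 'lax',
      maxAge: 60 * 60 * 1000,
    },
  };
}

// RFC 6265 domain-match: the request host equals the cookie domain or ends
// with '.' + that domain (a leading dot on the Domain attribute is ignored).
// Use it to confirm which hosts will receive the shared session cookie.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, '');
  return host === domain || host.endsWith('.' + domain);
}

// Simulates two separate subdomain servers behind one store: a login on
// app.<root> writes the session, and api.<root> reads it back using the same
// session id the shared cookie carries. Also lists which of a constructed set
// of hosts would receive the cookie.
function demoSharedSession() {
  const store = createSharedStore();
  const opts = sessionOptions('example.com', store, 'constructed-secret');
  const sid = 'constructed-session-id';      // value express-session would sign
  let seenOnApi = null;
  store.set(sid, { userId: 42 }, () => {      // written by app.example.com
    store.get(sid, (err, sess) => { seenOnApi = sess; }); // read by api.example.com
  });
  const hosts = ['app.example.com', 'api.example.com', 'example.com',
                 'example.com.evil.test', 'notexample.com'];
  const receiving = hosts.filter(h => domainMatches(h, opts.cookie.domain));
  return { seenOnApi, receiving };
}

console.log(JSON.stringify(demoSharedSession()));
```

The last two constructed hosts are there to show the boundary: a host that merely contains or ends in the string `example.com` does not domain-match, so a cookie scoped to the parent domain reaches only the real subdomains. If each subdomain runs its own server, the `store` must point at the same Redis/MongoDB instance from every one of them, otherwise the cookie arrives but the session id it carries is unknown to the server that receives it.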

Luckily we're working on the same kind of project these days, with Next.js as the frontend and Node.js Express as the backend API.

We use cookies to manage the session on sub domains.

But to maintain the session on subdomains we use middleware in Next.js which, on every page, checks for the session using the token and user id.

On login we send the token and user id as parameters in the URL; based on those, the user data is fetched from the API and saved on that subdomain.

On logout we remove the cookies and send a parameter to tell the main domain to remove its saved cookies, which completely cleans the session.

This is how we maintain the auth session on multiple domains.

Hope this helps. If you find a better way than this, I would like to know.