Sharing a session between 2 laravel applications

鱼传尺愫 2021-01-13 04:03

I am using a database session driver in an attempt to share a session between two laravel applications. Should the session cookie name and encryption key be the same for bot

1 answer
  • 2021-01-13 04:21

    Everything related to sessions should be identical. Basically the session.php file should be the same between both, they should have a common database, and the key and cipher type should be identical.

    If they have the same domain name (ex: server1.mydomain.com, server2.mydomain.com) but different hostnames/subdomain names, then the cookies should still work fine as long as you set the domain correctly (ex .mydomain.com). If they are on the same server, you can still use a common key-value system. If they are on separate servers, you either need a common storage location (like S3) or a replication enabled key-value system like Redis or Memcached. You could also use MySQL if you need to replicate other data types, but it's very heavy for just key-value pairs.

    If they have completely different domains, then cookies will not work. In that instance, you would need to reference cross-site session ids through GET query strings, and perform session migrations in the back-end using either common or replicated systems, or via some secure API. This is a very difficult system to set up and only works if you are moving between the domains using links embedded in the sites. Bookmarks or manual address input will lose session data.


    UPDATE: 2/4/2016

    There is a better way to handle this now using JSON Web Tokens (JWT). The basic idea is that rather than share a database of session IDs that has to be kept in sync, you instead share a database of users. The database of users will require significantly fewer writes, since most of the data will be static, which in turn makes it easier to replicate or split between multiple applications. The JWT holds all the pertinent session data in an encrypted format which prevents tampering. This allows the front-end client to hold on to the JWT and pass it to the back-end client on requests. The back-end client is then only responsible for checking that the data within the JWT matches its database of user data. If it matches, then it can be assumed that the user was authenticated. There is a little more to it than I've explained here, but I would recommend checking out the website for a full explanation (https://jwt.io/).

    The best part is, it's super easy to get started using in Laravel. Add in the JWT-Auth dependency and you are up and running with JWT.

    The one caveat I would add is that you will likely run into Cross-Origin Resource Sharing (CORS) issues with newer browsers if you do cross-domain requests. There are easy fixes if you run into that (Laravel-CORS).

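Added illustration of the "same key and cipher" requirement from the answer above; this is not Laravel's own code, but a self-contained encrypter that mirrors the iv/value/mac payload layout Laravel's Encrypter used for cookies at the time (AES-256-CBC plus HMAC-SHA256), with constructed keys and a constructed session id. It shows that a second application can only read the first application's session cookie when it holds the same APP_KEY; with a different key the MAC check fails before any decryption is attempted.

```php
<?php
// Minimal cookie encrypter mirroring Laravel's payload shape:
// base64( json{ iv: base64(iv), value: base64(aes-256-cbc ciphertext), mac: hmac-sha256(iv||value) } )
// Byte-compatibility with any specific Laravel release is not claimed (assumption).

function encryptPayload(string $key, string $plaintext): string {
    $iv    = random_bytes(16);                                             // AES block size
    $value = openssl_encrypt(serialize($plaintext), 'AES-256-CBC', $key, 0, $iv); // base64 output
    $ivB64 = base64_encode($iv);
    $mac   = hash_hmac('sha256', $ivB64 . $value, $key);                  // MAC binds iv and ciphertext
    return base64_encode(json_encode(['iv' => $ivB64, 'value' => $value, 'mac' => $mac]));
}

function decryptPayload(string $key, string $payload): ?string {
    $data = json_decode(base64_decode($payload, true) ?: '', true);
    if (!is_array($data) || !isset($data['iv'], $data['value'], $data['mac'])) {
        return null;                                                       // malformed cookie
    }
    $expected = hash_hmac('sha256', $data['iv'] . $data['value'], $key);
    if (!hash_equals($expected, $data['mac'])) {
        return null;                                                       // different APP_KEY or tampered
    }
    $plain = openssl_decrypt($data['value'], 'AES-256-CBC', $key, 0, base64_decode($data['iv']));
    return $plain === false ? null : unserialize($plain, ['allowed_classes' => false]);
}

// Constructed keys: 32 random bytes each, the size `php artisan key:generate` produces
// for AES-256-CBC (Laravel stores it in .env as "base64:...").
$sharedKey = random_bytes(32);   // APP_KEY shared by app A and app B
$otherKey  = random_bytes(32);   // a mis-configured app C with its own key
$sessionId = bin2hex(random_bytes(20));   // constructed stand-in for a session id

$cookie = encryptPayload($sharedKey, $sessionId);             // app A issues the session cookie
var_dump(decryptPayload($sharedKey, $cookie) === $sessionId); // app B, same key: bool(true)
var_dump(decryptPayload($otherKey, $cookie));                 // app C, other key: NULL
```

With the database driver the value recovered here is only the session id; both applications still need the same `sessions` table and the same session settings for the lookup that follows to succeed.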