8

In an application I implemented a JavaScript chat with long polling. Since there is just one Ajax request per domain allowed, I wanted to move the poll request to a subdomain.

So I have two domains:

dev.site.com
poll.dev.site.com

In my config.yml I entered the following:

framework:
    session:
        domain: .dev.site.com
        cookie_domain: .dev.site.com

But Symfony does not keep me logged in if I try to poll on the sub-domain via Ajax.

Any idea on how to keep the session on the sub-domains? I'm using the FOSUserBundle.

Cœur
Johannes Klauß

1 Answer

2

First, the two applications need to share the fos_user table so they can reload the user when. As you have "one app and the two domains pointing to the same app", this should already be correct.

Next is to set the session cookie to be shared between the domain and the subdomain. The config in your question is correct. However, for FOSUserBundle to be able to reload the user when you change from dev.site.com to poll.dev.site.com, you need to share the session storage between the two domains.

The easiest way I can suggest is to store the session in a database. This is achieved by using the PdoSessionStorage available in Symfony. The official documentation covers how to set up the session storage to do that.

If all of the above is done correctly, you should now be able to log in to a secure area on dev.site.com, and then change the URL to another secure area on poll.dev.site.com without any need to provide login credentials again. Notice that the user credentials are only loaded in a secure area.

Once it works to open poll.dev.site.com directly in the browser without any need to enter the credentials again, you need to do some additional work to get the Ajax request to work.

According to these two questions: Setting a cookie on a subdomain from an ajax request, multi-sub-domain cookies and ajax problems the problem is likely the http://en.wikipedia.org/wiki/Same_origin_policy.

The first suggests setting the following header fields on dev.site.com:

Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://poll.dev.site.com

And then passing withCredentials on the ajax request.

$.ajax({
    url: 'http://poll.dev.site.com/some/ajax/endpoint.json',
    xhrFields: {
        withCredentials: true
    }
});

I've tested it using a dummy file that would just set the cookie and try an Ajax request. I got it to work if I had withCredentials on the Ajax request, but I could not see any difference when I tried with/without the Access-Control-Allow-* headers.

The other answer suggested using document.domain but I didn't test that.

I used Opera's Dragonfly to inspect the network traffic and see whether the Cookie header was sent to the server when I tested. You can use Firebug, Chrome or probably IE too.

Community
lz.
  • No, even when I open it directly in the browser, I'm not logged in. That's the basic problem. – Johannes Klauß Mar 25 '13 at 16:53
  • Do you share the session storage and user database between the two applications. See http://stackoverflow.com/a/13258965/2094837 – lz. Mar 25 '13 at 18:24
  • I don't have two applications. I have one app and the two domains pointing to the same app. – Johannes Klauß Mar 26 '13 at 09:54
  • As it's the same application the FOSUserBundle should be able to reload the user on poll.dev.site.com if it can load the session. Per default Symfony stores the session in app/cache/{env}/sessions. So if the two domains are hosted on the same server with the same DocumentRoot, then poll.dev.site.com should be able to load the session file created by dev.site.com as they share the folder. – lz. Mar 26 '13 at 12:56
  • Yes I know. But this isn't the case and there's the problem. – Johannes Klauß Mar 26 '13 at 14:26
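Two things have to line up for the poll request to carry the dev.site.com login: the scope of the session cookie's domain (the cookie_domain setting in the question) and the CORS grant for a credentialed request (the Access-Control-Allow-* headers and withCredentials in the answer). The JavaScript below is an added example and is not part of the question, the answer or Symfony; it assumes the host names from this thread and an allow-list of the two origins. It models how the browser matches a cookie's Domain attribute against the request host, and how the host that receives the cross-origin request can emit the CORS headers safely: per allow-listed origin, never "*" together with credentials.

```javascript
// Added example, not code from the original question or answer. It models the two
// decisions behind sharing a dev.site.com login with poll.dev.site.com:
//  1. cookieDomainMatches(): RFC 6265 domain matching, which is what the browser
//     applies to the session cookie's Domain (.dev.site.com) before it attaches
//     a Cookie header to a request.
//  2. corsHeadersFor(): the Access-Control-Allow-* headers the answer mentions,
//     emitted by the host that receives the cross-origin poll request, but only
//     for an allow-listed Origin and never as "*" together with credentials.
// The host names and the allow-list are assumptions made for this example.

// RFC 6265 section 5.1.3: a leading dot in the Domain attribute is ignored and the
// request host must equal the domain or end with "." + domain. A look-alike host
// such as evil-dev.site.com therefore does not receive the cookie.
function cookieDomainMatches(cookieDomain, requestHost) {
  const domain = cookieDomain.replace(/^\./, '').toLowerCase();
  const host = requestHost.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// Response headers for a credentialed cross-origin request. An exact allow-list is
// used instead of echoing any Origin that merely ends with the site's suffix.
function corsHeadersFor(originHeader, allowedOrigins) {
  if (!originHeader) return {};                          // same-origin or non-browser client
  if (!allowedOrigins.includes(originHeader)) return {}; // unknown origin: no CORS grant
  return {
    'Access-Control-Allow-Origin': originHeader,         // the specific origin, not "*"
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',                                    // keep shared caches from mixing origins
  };
}

// Browsers refuse a credentialed response whose Allow-Origin is "*"; this check
// flags that misconfiguration before it is deployed.
function credentialedCorsIsUsable(headers) {
  const origin = headers['Access-Control-Allow-Origin'];
  return headers['Access-Control-Allow-Credentials'] === 'true'
    && typeof origin === 'string' && origin !== '*';
}

// Client side: the fetch() equivalent of the jQuery xhrFields.withCredentials call
// in the answer; without credentials: 'include' the browser omits the cookie.
function pollRequestInit() {
  return { method: 'GET', credentials: 'include' };
}

// Constructed sample run: which hosts get the cookie, and what the poll endpoint
// answers when the chat page on dev.site.com calls it (Origin = the page's origin).
function demo() {
  const allow = ['http://dev.site.com', 'http://poll.dev.site.com'];
  const hosts = ['dev.site.com', 'poll.dev.site.com', 'evil-dev.site.com', 'site.com'];
  const cookieReport = hosts.map(h => `${h}: ${cookieDomainMatches('.dev.site.com', h)}`);
  const headers = corsHeadersFor('http://dev.site.com', allow);
  return { cookieReport, headers, usable: credentialedCorsIsUsable(headers) };
}

console.log(demo());
```

Run it with node. Note which side sends the headers: the Origin a server sees is the origin of the page making the request, so the host that answers the cross-origin poll is the one that has to respond with the Access-Control-Allow-* headers, and the cookie only travels if both the domain match and the credentials grant succeed.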