I wrote a SPA using a JavaScript framework (Vue.js) at app.example.com; it's an additional tool for the main site, example.com, which uses PHP.
Both app.example.com and example.com share the same server and database (it uses SSL too), so a user who registers once will be able to authenticate across all subdomains and the main domain.
First problem, which is interconnected with the second: app.example.com sends the user's email/password to our server for authentication; if authenticated, the server sets a session variable, $_SESSION['appUserId'] = 10, and the response returns the user information, which I use to set a localStorage key with its token: localStorage.setItem("appUserId", 10);
The problem is that I'm not sure how to keep the user authenticated via app.example.com and example.com, since right now I'd have to check whether the user is authenticated on every page request, and app.example.com uses localStorage.
I know I can share the cookie between the subdomain and the domain, but I'm not sure if that's the best way possible. For example, I could replace localStorage with a cookie, but cookies can be modified via the browser.
I'm still learning about general security.
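The following is an added example, not code from the question or from the poster's site, of one way to give example.com and app.example.com a single shared PHP session. It assumes both hostnames are served over HTTPS by the same PHP back end; the PDO DSN, the `users` table and its `password_hash` column are hypothetical. The point it illustrates is that the cookie the browser holds is only an opaque session ID: the user ID stays in `$_SESSION` on the server, so editing the cookie in the browser cannot change which user the request belongs to, and a forged ID simply matches no session.

```php
<?php
// Added example, not code from the question: one way to let example.com and
// app.example.com share a single PHP session. Assumes both are served over HTTPS
// from the same PHP back end; the DSN, table and column names are hypothetical.
declare(strict_types=1);

// Scope the session cookie to the parent domain so every subdomain sends it,
// and lock it down: HttpOnly keeps page scripts (including injected ones) from
// reading it, Secure keeps it off plain HTTP, SameSite=Lax keeps most
// cross-site requests from carrying it. app.example.com and example.com are
// the same site, so Lax still lets the SPA call the main domain with it.
session_set_cookie_params([
    'lifetime' => 0,              // expires when the browser closes
    'path'     => '/',
    'domain'   => '.example.com', // shared by example.com and app.example.com
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// The cookie carries only a random, opaque session ID. The user ID lives in
// $_SESSION on the server, so a user who edits the cookie cannot become
// someone else; a made-up ID matches no server-side session.
function loginUser(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE email = ?'); // hypothetical schema
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true); // fresh ID at login blocks session fixation
    $_SESSION['appUserId'] = (int) $row['id'];
    return true;
}

function currentUserId(): ?int
{
    return isset($_SESSION['appUserId']) ? (int) $_SESSION['appUserId'] : null;
}

function logoutUser(): void
{
    $_SESSION = [];
    session_destroy();
}

// Tiny JSON API the SPA calls with fetch(url, { credentials: 'include' }).
// The browser attaches the shared cookie itself, so nothing that identifies
// the user needs to be kept in localStorage.
header('Content-Type: application/json');
$db     = new PDO('mysql:host=localhost;dbname=example', 'dbuser', 'dbpassword'); // placeholder DSN
$path   = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';

if ($path === '/login' && $method === 'POST') {
    $body = json_decode((string) file_get_contents('php://input'), true);
    if (!is_array($body)) {
        $body = [];
    }
    $ok = loginUser($db, (string) ($body['email'] ?? ''), (string) ($body['password'] ?? ''));
    http_response_code($ok ? 200 : 401);
    echo json_encode(['authenticated' => $ok, 'appUserId' => $ok ? currentUserId() : null]);
} elseif ($path === '/logout' && $method === 'POST') {
    logoutUser();
    echo json_encode(['authenticated' => false]);
} else { // GET /me (or anything else): report who the session belongs to
    $userId = currentUserId();
    http_response_code($userId === null ? 401 : 200);
    echo json_encode(['authenticated' => $userId !== null, 'appUserId' => $userId]);
}
```

Because the SPA at https://app.example.com and an API at https://example.com are different origins, a cross-origin fetch from the SPA only sends the cookie if the request uses `credentials: 'include'` and the server answers with `Access-Control-Allow-Origin: https://app.example.com` and `Access-Control-Allow-Credentials: true`; if the API is served from app.example.com itself, no CORS headers are needed. With this layout the `appUserId` value kept in localStorage in the question becomes unnecessary: the server already knows who the session belongs to, and anything left in localStorage should be treated as display data only, never as proof of identity.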