I am looking at swapping out the session_domain in Laravel to be part of the base domain like so: '.example.com'.
This is so we can persist sessions across all subdomains of the base domain, as by default cookies are only persisted on the current domain.
I have tested this locally, which works fine, but it seems to cause issues with active sessions as the old cookie is still preserved in the user's browser with the old domain. This seems to cause issues when trying to authenticate as there are now multiple session cookies (one with the old, and one with the new cookie domain path). I have to manually clear the cookies for this to work, which I obviously don't expect my users to do.
I'm not keen on the idea of middleware to expire/unset these browser cookies as it just seems inefficient to run this on every request.
What would be the best way for me to clear existing browser sessions in Laravel so that when I swap the session_domain, it does not cause issues with existing user sessions?
You need to change the APP_NAME for each subdomain.
Because it replaces the session cookie with the same name in the same browser across different tabs. In short, if you log in to one domain, it will replace the previous domain's cookie. So you need to make it different for each subdomain.
If you have multiple .env files, one on each domain, then change it explicitly; if you are using one env file for different domains, you need to change it dynamically. That way your cookie won't be replaced.
If you look inside config/session.php:
    // Session cookie name: SESSION_COOKIE if set, otherwise derived from APP_NAME.
    'cookie' => env(
        'SESSION_COOKIE',
        Str::slug(env('APP_NAME', 'laravel'), '_').'_session'
    ),
This is where your cookie name is generated; you can see it in the browser's Application tab, inside the Cookies section.
In your case, the cookie name will be laravel_session.
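
As an added example (not part of the question or answer above, and not Laravel code): a small JavaScript model of how a browser keys stored cookies by name, domain and path, which is why the old host-only laravel_session cookie stays next to the new '.example.com' one, and what a different cookie name or a matching host-only expiry changes. The host names, cookie values and the name example_session are constructed for the illustration.

```javascript
// Model of a browser cookie store: cookies are keyed by (name, domain, path),
// as in RFC 6265 section 5.3. Hosts and values are constructed sample data.
function keyOf(name, domain, path) {
  return `${name};${domain};${path}`;
}

// Apply a Set-Cookie received from requestHost. No Domain attribute means a
// host-only cookie; maxAge <= 0 deletes the cookie with the same key.
function setCookie(jar, requestHost, { name, value = '', domain = null, path = '/', maxAge = 1 }) {
  const hostOnly = domain === null;
  const dom = hostOnly ? requestHost : domain.replace(/^\./, '').toLowerCase();
  const key = keyOf(name, dom, path);
  if (maxAge <= 0) return jar.delete(key);
  jar.set(key, { name, value, domain: dom, hostOnly });
  return true;
}

// name=value pairs the browser would send to host, oldest first.
function cookieHeader(jar, host) {
  return [...jar.values()]
    .filter((c) => host === c.domain || (!c.hostOnly && host.endsWith('.' + c.domain)))
    .map((c) => `${c.name}=${c.value}`);
}

// Old deployment set a host-only cookie; the new one sets Domain=.example.com.
// newName is the new SESSION_COOKIE value; expireOld also sends a host-only expiry.
function scenario(newName, expireOld = false) {
  const jar = new Map();
  setCookie(jar, 'app.example.com', { name: 'laravel_session', value: 'OLD' });
  setCookie(jar, 'app.example.com', { name: newName, value: 'NEW', domain: '.example.com' });
  if (expireOld) setCookie(jar, 'app.example.com', { name: 'laravel_session', maxAge: 0 });
  return cookieHeader(jar, 'app.example.com');
}

console.log(scenario('laravel_session'));        // two cookies share one name
console.log(scenario('example_session'));        // distinct names, app reads the new one
console.log(scenario('laravel_session', true));  // stale host-only cookie removed
```

An expiry sent with Domain=.example.com would not touch the old cookie in this model, because its key carries the host app.example.com rather than example.com.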