Different kirby localhost development instances conflicting and destroying sessions

In my development environment on localhost i’ve running multiple kirby instances in docker containers on different port numbers, like


and so on.

These panels conflict each other. I assume thats because the cookie kirby_session is used by each instance.

It’s even enough if I just leave a browser tab open somewhere from another instance and I’m thrown out of the panel again in my current browser tab.

When I log back in, it only takes a minute or so and I’m logged out again.

I don’t even have to be logged into another project, it’s enough that just one tab is open somewhere. Since I work with many browser windows and tabs, it is very annoying that I have to close all Kirby tabs so that I can only stay logged in to a single tab.

Wouldn’t it be possible to find a solution here? I’d like to stay logged in into different kirby projects at the same time.

It is a limitation of cookies, not Kirby, that they can not distinguish between different ports on the same host. Citation from RFC 6265 about HTTP state management:

Cookies do not provide isolation by port. If a cookie is readable by a service running on one port, the cookie is also readable by a service running on another port of the same server. If a cookie is writable by a service on one port, the cookie is also writable by a service running on another port of the same server. For this reason, servers SHOULD NOT both run mutually distrusting services on different ports of the same host and use cookies to store security-sensitive information.

Solution: Use different hostnames for each instance.

You could rename the session cookie in the config.php for each project:

'session' => [
  'cookieName' => 'anythingyoulike',
1 Like

Thank you both for the suggestions.

Of course, it is clear that cookies are not port-specific. I’ve been thinking about whether Kirby could create a more or less unique ID from the hostname and port, and use this to automatically suffix the CookieName.

Both proposed solutions are good and correct. From a technical point of view, the better way is probably to use different hostnames.

Anyway, renaming the cookie via config.php is the right suggestion for me and doesn’t require any additional hosts entries or dnsmasq or similar services.

Thank you for your inspiration.