Session cookie on multi-lang setups with subdomains (not persistent)

Is it possible to manually set the domain path of the Kirby session cookie? We would like to have something like: “.example.com” instead of “example.com” to support consistent session cookies across all subdomains. I couldn’t find anything specific to that here or in the docs.

We have a multi-lang setup with subdomains for each language version. Everything works fine until a user changes the language. This creates a new (empty) session for the same user which is only accessible by the specific subdomain.

The consequence of this is that all user settings are no longer available until the user sets them again or changes the language again to the previous one (where the settings were set).

Do you use the Kirby session on the frontend?

The problem is probably not the missing dot, because a leading dot is ignored anyway, but rather the domain not being set. If the domain is set, subdomains are included.

Hi texnixe,

yes, the session cookie is used on the frontend. In my language config files I also defined the subdomains for each language. In my case there is a “https://de.example.com” and “https://example.com”.

As I figured out from the “Session” source file of Kirby, where the session cookie is stored, there is no “domain” parameter. If I understand that correctly, PHP therefore stores the current hostname in the cookie without a prefixed dot. For this reason, the session can only be called up under the domain where it was created from the browser.

That also seems to be the reason why you have to log in again in the backend panel if you open the panel via the language specific subdomain.

For now it seems that I have to modify the “Session” class and add the domain parameter manually with a prefixed dot to get equal sessions on each subdomain (I know, it’s definitely not the best solution).

It would be pretty cool if Kirby had an additional option in the config file like “subdomains” to allow that behavior. For example:

$CONFIG['session'] = [
	'gcInterval' => false,
	'subdomains' => true
];
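
The scoping rule the two posts above describe, as an added example that is not part of the thread or of Kirby's code: a JavaScript sketch of the RFC 6265 storage and matching steps, without the public-suffix check and without Path/Secure handling. `uploads.example.com` is a constructed host, included to show that a Domain-scoped session cookie is sent to every subdomain, not only the language ones.

```javascript
// Added illustration of RFC 6265 cookie scoping; not Kirby or PHP code.
// Assumptions: no public-suffix check, no Path/Secure/SameSite handling.

// example.com and de.example.com come from the thread; the third is constructed.
const HOSTS = ['example.com', 'de.example.com', 'uploads.example.com'];

const isIp = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(':');

// RFC 6265 section 5.1.3: host equals the domain or is a subdomain of it.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  return !isIp(host) && host.endsWith('.' + domain);
}

// Sections 5.2.3 and 5.3: derive the stored scope from a Set-Cookie header.
// domainAttr is null when the server sent no Domain attribute.
function storeCookie(requestHost, domainAttr) {
  if (!domainAttr) {
    // No Domain attribute: host-only cookie, bound to the exact request host.
    return { domain: requestHost.toLowerCase(), hostOnly: true };
  }
  // A leading dot is stripped, so ".example.com" equals "example.com".
  const domain = domainAttr.replace(/^\./, '').toLowerCase();
  // A server may only set cookies for its own host or a parent domain.
  if (!domainMatch(requestHost, domain)) return null;
  return { domain, hostOnly: false };
}

// Section 5.4: decide whether a stored cookie is attached to a request.
function isSentTo(cookie, host) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? host.toLowerCase() === cookie.domain
    : domainMatch(host, cookie.domain);
}

// Hosts from the list that would receive a cookie set by requestHost.
function recipients(requestHost, domainAttr, hosts = HOSTS) {
  const cookie = storeCookie(requestHost, domainAttr);
  return hosts.filter((h) => isSentTo(cookie, h));
}

console.log('no Domain      ->', recipients('example.com', null));
console.log('Domain set     ->', recipients('example.com', 'example.com'));
console.log('leading dot    ->', recipients('example.com', '.example.com'));
```
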

You could use your own session on the frontend to handle that independently of the Kirby session.

As regards the Panel, it would probably make sense to enforce a single source of truth.

Custom sessions would solve the issue for some cases, that is true, but we also have the option to log in as a “normal” user on the frontend, managed by Kirby’s users function (and sessions). This also prevents the normal frontend user from staying logged in when switching between the languages on the site.

Maybe @lukasbestle could take a look at this in some future releases (as he seems to be the maintainer of the session class)?

Yes, that’s right.

I have opened an idea issue to keep track of this. Feel free to upvote the issue.

I can’t promise that we will implement this very soon, as an option for this would require changes in several session classes. So we’ll first wait to see if there’s demand from other users as well.

Thanks! Totally understand that.

I have the same feature request so I opened an issue at nolt.io. For anyone encountering this, please go upvote 🙂