When developing a Laravel application that spans both a root domain (e.g., `example.com`) and subdomains (e.g., `admin.example.com`, `user.example.com`), it’s often necessary to share session data, such as authentication tokens, across these domains.
This guide walks you through how to configure Laravel to share sessions between your main domain and its subdomains.
🧠 Why Session Sharing Matters
Imagine your app uses `example.com` for marketing and user login, and `dashboard.example.com` for authenticated user dashboards. You don’t want users to log in again when navigating between these. By sharing sessions, you ensure a seamless experience.
✅ Prerequisites
- Laravel 8 or higher
- A proper subdomain setup (either via local dev tools like Valet or Laravel Homestead, or a production server)
- Same top-level domain (e.g., `example.com` and `admin.example.com`)
- HTTPS (recommended for security)
🛠 Step-by-Step Configuration
1. Update `SESSION_DOMAIN` in `.env`
Open your `.env` file and configure the `SESSION_DOMAIN`:
```dotenv
SESSION_DOMAIN=.example.com
```
Notice the dot (`.`) prefix. It is required so that the session cookie is shared between the root domain and all of its subdomains.
2. Check `config/session.php`
In `config/session.php`, ensure the `domain` setting reads from the `.env` file:
```php
'domain' => env('SESSION_DOMAIN', null),
```
This keeps your app flexible across environments.
3. Use the Same `APP_KEY` and `.env` Settings
To share sessions, all your subdomain-based Laravel apps must:
- Use the same `APP_KEY`
- Use the same `SESSION_DRIVER` (e.g., `file`, `database`, `redis`)
- Use the same `SESSION_DOMAIN`
If you’re running multiple Laravel apps (e.g., frontend and backend), copy the `APP_KEY` from the main app to the others.
4. Use a Shared Session Store (Recommended: Redis or Database)
If multiple Laravel apps are involved:
Use Redis:
```dotenv
SESSION_DRIVER=redis
CACHE_DRIVER=redis
QUEUE_CONNECTION=redis
```
Make sure both the root and subdomain apps use the same Redis instance.
Or use Database:
```dotenv
SESSION_DRIVER=database
```
Run:
```bash
php artisan session:table
php artisan migrate
```
Again, all apps must point to the same database table for sessions.
5. Ensure CSRF Tokens Work Across Domains
Laravel uses CSRF tokens in forms, so if your frontend and backend are on different subdomains, add the affected URIs to the `$except` list in `VerifyCsrfToken.php`:
```php
protected $except = [
    'https://sub.example.com/*', // or use wildcards
];
```
Every URI matched by `$except` skips CSRF verification entirely, so keep the pattern as narrow as you can.
Or you can configure `SANCTUM_STATEFUL_DOMAINS` if you are using Laravel Sanctum for SPA authentication.
👩💻 Testing Session Sharing Locally
If you’re developing locally, make sure your hosts file (`/etc/hosts` on macOS/Linux or `C:\Windows\System32\drivers\etc\hosts` on Windows) includes:
```
127.0.0.1 example.test
127.0.0.1 admin.example.test
```
Then use Valet or another local server to serve both.
🔒 Bonus: Secure Session Cookies
If you’re using HTTPS (you should), make sure your session cookies are marked `secure`:
In `.env`:
```dotenv
SESSION_SECURE_COOKIE=true
```
In `config/session.php`:
```php
'secure' => env('SESSION_SECURE_COOKIE', true),
```
⚠ Common Pitfalls
- ❌ Missing the leading `.` in `SESSION_DOMAIN`
- ❌ Different `APP_KEY`s between apps
- ❌ Not using a shared session driver/store
- ❌ Cookies blocked due to browser settings (especially on Safari or in incognito mode)
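As an added check that is not part of the original guide, the following Python script parses the `.env` files of two apps (constructed sample contents, with placeholder keys) and reports the configuration pitfalls from steps 1, 3 and 4 and the bonus section: a missing leading dot, a cookie not marked secure, a non-shared driver, and `APP_KEY`/`SESSION_DRIVER`/`SESSION_DOMAIN` values that differ between apps. The app names and file contents are assumptions.

```python
# Added example (not from the original guide): cross-check several Laravel
# apps' .env files for the session-sharing pitfalls listed above.
def parse_env(text):
    """Parse KEY=value lines of a .env file, ignoring comments and blanks."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def check_session_sharing(env_files):
    """Return findings for a mapping of app name -> .env file contents."""
    envs = {name: parse_env(text) for name, text in env_files.items()}
    findings = []
    for name, env in envs.items():
        domain = env.get("SESSION_DOMAIN", "")
        if not domain.startswith("."):
            findings.append(f"{name}: SESSION_DOMAIN={domain!r} lacks the leading dot")
        if env.get("SESSION_SECURE_COOKIE", "").lower() != "true":
            findings.append(f"{name}: SESSION_SECURE_COOKIE is not true")
        if env.get("SESSION_DRIVER") not in ("redis", "database"):
            findings.append(f"{name}: SESSION_DRIVER={env.get('SESSION_DRIVER')!r} is not a shared store")
    # These three values must be identical in every app, or a cookie issued by
    # one app cannot be decrypted or looked up by the others.
    for key in ("APP_KEY", "SESSION_DRIVER", "SESSION_DOMAIN"):
        values = {env.get(key) for env in envs.values()}
        if len(values) > 1:
            findings.append(f"{key} differs between apps: {sorted(map(str, values))}")
    return findings


# Constructed sample .env contents (placeholder keys, not real secrets).
ROOT_ENV = """
APP_KEY=base64:PLACEHOLDER_ROOT_KEY=
SESSION_DRIVER=redis
SESSION_DOMAIN=.example.com
SESSION_SECURE_COOKIE=true
"""
ADMIN_ENV = """
APP_KEY=base64:PLACEHOLDER_OTHER_KEY=
SESSION_DRIVER=file
SESSION_DOMAIN=example.com
"""

if __name__ == "__main__":
    for finding in check_session_sharing({"root": ROOT_ENV, "admin": ADMIN_ENV}):
        print(finding)
```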
✅ Summary
| Step | Description |
|---|---|
| 1 | Set `.example.com` in `SESSION_DOMAIN` |
| 2 | Share the same `APP_KEY` |
| 3 | Use a shared session driver (Redis, Database) |
| 4 | Update CSRF/headers if needed |
| 5 | Ensure cookie settings support cross-subdomain use |
🚀 Conclusion
Sharing sessions between a Laravel root domain and subdomains is essential for consistent user experiences. With the right configuration, Laravel makes this straightforward. Stick to secure session practices, test thoroughly, and you’ll be all set!