I have a Laravel 5.2 app lying on a domain like this: https://www.example.com.
The laravel_session cookie is configured to use the dot notation (to include subdomains):

config/session.php:

    'cookie' => 'laravel_session',
    'path' => '/',
    'domain' => env('SESSION_COOKIE_DOMAIN', null),

.env file on the server:

    SESSION_COOKIE_DOMAIN=.example.com
I'm using the database as the session driver.
Now, there are cases when the session cookie gets duplicated, and in the cookie list I can see entries like these:

    laravel_session, domain: .example.com
    laravel_session, domain: .www.example.com
The same thing happens with the Facebook session cookies, when a user used Facebook to authenticate:

    fbm_123456, domain: .example.com
    fbm_123456, domain: .www.example.com

In both cases, the expiry dates on the duplicated cookies are different.
This cookie duplication causes problems with authentication - some users try to log in, but get redirected back to the homepage, with the auth state unchanged.
I can't seem to reproduce the issue, or rather what's causing it. I think, though, it may be linked to Laravel session expiring, or to logging the user in via the remember-me token.
Does anyone have an idea why would the cookies be duplicated?
UPDATE:
Actually, I realize now that the only difference between our other Laravel project and this one is that here we explicitly set the laravel_session domain (to .example.com). May be a lead.
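As an added illustration (not part of the question or of any answer), the following Python model of RFC 6265 cookie domain matching shows why a browser keeps two laravel_session cookies side by side: a cookie is identified by (name, domain, path), so one copy issued under Domain=.example.com and one under Domain=www.example.com are distinct entries, and both match a request to www.example.com. It also includes the two checks a practitioner would want: a server-side function that spots duplicate names in an incoming Cookie header, and a model of Set-Cookie with Max-Age=0 showing that a deletion only removes the copy whose domain and path match exactly. The hostnames, the cookie values "sess-A"/"sess-B", and the second Set-Cookie that produced the www.example.com copy are all constructed assumptions; the question does not say what issued it.

```python
"""Model of RFC 6265 cookie domain matching (added example, not from the
question).  Hostnames, cookie values and the second Set-Cookie below are
constructed assumptions."""

from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching.

    A leading dot on the Domain attribute is ignored (browsers store
    '.example.com' and 'example.com' as the same domain).  The request
    host matches when it equals the domain or is a subdomain of it.
    """
    host = request_host.lower()
    domain = cookie_domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str  # stored without the leading dot, as browsers do
    path: str = "/"


class CookieJar:
    """Minimal jar: a cookie is identified by (name, domain, path), so the
    same name under two different Domain attributes gives two entries."""

    def __init__(self) -> None:
        self._cookies: dict[tuple[str, str, str], Cookie] = {}

    def set_cookie(self, name: str, value: str, domain: str, path: str = "/") -> None:
        domain = domain.lower().lstrip(".")
        # Same (name, domain, path) replaces the entry; a different domain adds one.
        self._cookies[(name, domain, path)] = Cookie(name, value, domain, path)

    def expire_cookie(self, name: str, domain: str, path: str = "/") -> bool:
        """Model of Set-Cookie with Max-Age=0: removes only the entry whose
        (name, domain, path) matches exactly.  Clearing the '.example.com'
        copy therefore leaves a 'www.example.com' copy in place."""
        key = (name, domain.lower().lstrip("."), path)
        return self._cookies.pop(key, None) is not None

    def cookies_for(self, request_host: str) -> list[Cookie]:
        return [c for c in self._cookies.values() if domain_matches(request_host, c.domain)]

    def cookie_header(self, request_host: str) -> str:
        # Real browsers also order by path length and creation time; the
        # ordering is not the point here, only that both copies are sent.
        return "; ".join(f"{c.name}={c.value}" for c in self.cookies_for(request_host))


def duplicate_cookie_names(cookie_header: str) -> list[str]:
    """Server-side check: cookie names that occur more than once in a Cookie
    header.  Logging this in middleware makes the condition visible instead
    of silently using whichever copy the framework happens to pick."""
    names = [part.split("=", 1)[0].strip() for part in cookie_header.split(";") if part.strip()]
    return sorted(name for name, count in Counter(names).items() if count > 1)


def demo() -> dict:
    jar = CookieJar()
    # Copy issued under the configured SESSION_COOKIE_DOMAIN=.example.com
    jar.set_cookie("laravel_session", "sess-A", ".example.com")
    # Constructed: a second copy issued with Domain=www.example.com
    jar.set_cookie("laravel_session", "sess-B", "www.example.com")

    www_header = jar.cookie_header("www.example.com")
    apex_header = jar.cookie_header("example.com")
    return {
        "www_count": len(jar.cookies_for("www.example.com")),
        "apex_count": len(jar.cookies_for("example.com")),
        "www_duplicates": duplicate_cookie_names(www_header),
        "apex_duplicates": duplicate_cookie_names(apex_header),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives two laravel_session cookies for www.example.com but only one for the apex domain, which matches the pattern in the question: the duplicate is only visible on the host that both Domain attributes cover. The `expire_cookie` model is the caveat that matters when cleaning up: a Set-Cookie that expires the cookie has to carry the same Domain and Path as the copy being removed, so one deletion per stale domain is needed.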