Why can SSO1 obtain user information normally, but SSO2 still needs to log in?

[IceCry]

Version: v0.4.2

I have created three websites:
Server: sso.xxx.com
Broker1: sso1. xxx.com
Broker2: sso2.xxx.com

The configuration is as follows:

'brokers' => [
    'sso1' => [
        'secret' => 'secrethelloworld',
        'domains' => ['sso1.xxx.com'],
    ],
    'sso2' => [
        'secret' => '7pypoox2pc',
        'domains' => ['sso2.xxx.com'],
    ]
],

When accessing SSO2, userInfo can be obtained normally. When accessing SSO1 again, I think that $userInfo=$broker ->request ('GET ','/api/info. php ') can directly obtain userInfo information, but in reality, it was not obtained, What is the reason for this?

Please share your information for me. Thank you. @jasny

访问sso2时可正常获取userInfo，再对sso1进行访问时，我认为通过$userInfo = $broker->request('GET', '/api/info.php');可以直接获取userInfo信息，但实际上却没有获取到，请问这是什么原因导致的呢？

why they get the diffrent session

loggy.log


{"timestamp":"1697514312","channel":"SSO","level":"INFO","level_value":200,"message":"Attached broker token to session","context":{"broker":"sso2","token":"2g8itoxc43vos0w8og4o04g4og8o4okwg4woog4008g4woc40g","session":"t74m96cpdut2fp0fvbgl22sv7m"},"backtrace":{"file":"/www/wwwroot/sso.r1989.com/vendor/jasny/sso/src/Server/Server.php","line":263,"class":"Jasny\\SSO\\Server\\Server","function":"attach"},"pid":5714}
{"timestamp":"1697514313","channel":"SSO","level":"DEBUG","level_value":100,"message":"Broker request with session","context":{"broker":"sso2","token":"2g8itoxc43vos0w8og4o04g4og8o4okwg4woog4008g4woc40g","session":"t74m96cpdut2fp0fvbgl22sv7m"},"backtrace":{"file":"/www/wwwroot/sso.r1989.com/vendor/jasny/sso/src/Server/Server.php","line":113,"class":"Jasny\\SSO\\Server\\Server","function":"startBrokerSession"},"pid":5718}
{"timestamp":"1697514314","channel":"SSO","level":"DEBUG","level_value":100,"message":"Broker request with session","context":{"broker":"sso2","token":"2g8itoxc43vos0w8og4o04g4og8o4okwg4woog4008g4woc40g","session":"t74m96cpdut2fp0fvbgl22sv7m"},"backtrace":{"file":"/www/wwwroot/sso.r1989.com/vendor/jasny/sso/src/Server/Server.php","line":113,"class":"Jasny\\SSO\\Server\\Server","function":"startBrokerSession"},"pid":5709}
{"timestamp":"1697514316","channel":"SSO","level":"DEBUG","level_value":100,"message":"Broker request with session","context":{"broker":"sso2","token":"2g8itoxc43vos0w8og4o04g4og8o4okwg4woog4008g4woc40g","session":"t74m96cpdut2fp0fvbgl22sv7m"},"backtrace":{"file":"/www/wwwroot/sso.r1989.com/vendor/jasny/sso/src/Server/Server.php","line":113,"class":"Jasny\\SSO\\Server\\Server","function":"startBrokerSession"},"pid":12701}


{"timestamp":"1697514320","channel":"SSO","level":"INFO","level_value":200,"message":"Attached broker token to session","context":{"broker":"sso1","token":"2z0l4mqvh0owoog80g0844wcggkcg44o4wggc80osw80kwgc88","session":"94vd2pcvcn4lmscqtc83ce5adm"},"backtrace":{"file":"/www/wwwroot/sso.r1989.com/vendor/jasny/sso/src/Server/Server.php","line":263,"class":"Jasny\\SSO\\Server\\Server","function":"attach"},"pid":16889}
{"timestamp":"1697514321","channel":"SSO","level":"DEBUG","level_value":100,"message":"Broker request with session","context":{"broker":"sso1","token":"2z0l4mqvh0owoog80g0844wcggkcg44o4wggc80osw80kwgc88","session":"94vd2pcvcn4lmscqtc83ce5adm"},"backtrace":{"file":"/www/wwwroot/sso.r1989.com/vendor/jasny/sso/src/Server/Server.php","line":113,"class":"Jasny\\SSO\\Server\\Server","function":"startBrokerSession"},"pid":12705}

[jasny]

Look at the 'attach' calls made to sso.xxx.com, are the session cookies sent and are they the same?

If not, make sure the samesite cookie option is set to 'None'. In PHP, you may need to use session_set_cookie_param(["samesite" => "None"]) before session_start()

[IceCry]

Thank you very much for your reply, but the issue is not related to samesite.
It's necessary to ensure that the Server with https.
If not, the server-side 'attach' can only obtain "security_session_verify" data, "PHPSESSID" can only be obtained in https mode.

[gaeld]

This should be present in the documentation of the repository. Spent a day trying to understand why SSO wasn't working on my side. Finally founed this issue. This was the reason (not using HTTPS).

Please, put that in the documentation, it's essentiel.

Thanks IceCry !