Modify to include a subdomain

I have a multi-tenant application where my Users can access more than one tenant. I am authenticating the User at the top level URL ( and then adding the tenants they have access to using a plug. Initially, I am taking the first tenants subdomain and storing that in the conn conn.assigns.subdomain. This all happens in the :browser pipeline in the router.

I am looking for a way I can add the required subdomain to the host so that when I route them to the Dashboard the URL is:

I am using Phoenix 1.4 Dev and used the put_router_url ( function:

def index(conn, _params) do
  url = %URI{host: conn.assigns.subdomain <> "." <>}
  |> put_router_url(url)
  |> render(to: Routes.dashboard_path(conn, :index))

Looking at the source I thought this would then ensure that the generated path would include the subdomain.

Looking for some guidance on the best way to do this, any thoughts appreciated.


I think you are looking for the _url helpers instead of the _path helpers. _path will be a relative path whereas _url will be the full URL.

def index(conn, _params) do
  |> render(to: Routes.dashboard_url(conn, :index))

Thanks Gazler. I had actually changed that after I had posted but I am still unable to redirect to a url with a subdomain after a user is logged in.

Note that your code uses the non-put-router-url’d connection when call dashboard_url. So you need to rebind it, otherwise it is ignoring the previous plug calls:

def index(conn, _params) do
  url = %URI{host: conn.assigns.subdomain <> "." <>}
  conn = put_router_url(conn)
  redirect(conn, to: Routes.dashboard_url(conn, :index))

Thanks, Chris. Changing that has me a bit further. I am sure you knew I would run into problems once I started redirecting. I hope you might be able to help a little bit more.

As I mentioned above I am trying to add a subdomain after a user logs in (As they may be able to access multiple subdomains). By default I am directing them to the first subdomain.

I have a Plug.check_session to see if there is a user_id in the session cookie. If there is an there is no subdomain on the host I add in default subdomain and redirect to the new url.

If there is a subdomain I pass it through adding the user as the current_user.

defmodule BookingCentralWeb.Plugs.CheckSession do
import Plug.Conn

alias BookingCentral.Accounts

def init(opts), do: opts

def call(conn, _opts) do
    user_id = get_session(conn, :user_id)        
    case user_id && Accounts.get_user_by_id(user_id) do
        nil  -> 
            assign(conn, :current_user, nil)
        user ->
            orgs =, fn (x) -> x.subdomain end)
            case get_subdomain( do
                "" -> 
                    subdomain = get_first_subdomain(orgs)
                    url = %URI{host: subdomain <> "." <>, port: 4000}
                    conn = Phoenix.Controller.put_router_url(conn, url)
                    conn = assign(conn, :current_user, user) 
                    Phoenix.Controller.redirect(conn, external: BookingCentralWeb.Router.Helpers.dashboard_url(conn, :index))
                _  -> 
                    assign(conn, :current_user, user)


defp get_subdomain(host) do
    root_host = BookingCentralWeb.Endpoint.config(:url)[:host]
    String.replace(host, ~r/.?#{root_host}/, "")

defp get_first_subdomain([head | _tail]) do

I changed my index action on the Dashboard Controller on the basis that the host will include the subdomain by this stage:

def index(conn, _params) do
           render(conn, "index.html")

Running this when I authenticate it adds the subdomain and redirects but then I end up at the login page, presumably because I get a new session for eth subdomain. I modified the config in my endpoint.ex:

plug Plug.Session,
    store: :cookie,
    key: "_booking_central_key",
    signing_salt: "H4nzWhe9",
    allow_hosts: [".localhost"],
    domain: ".localhost" 

But now I get a CSRF error:

invalid CSRF (Cross Site Request Forgery) token, make sure all requests include a valid '_csrf_token' param or 'x-csrf-token' header

Any direction or examples will be greatly appreciated.


As a sanity check, make sure you clear your cookies or use a new key. It’s possible the old session is now invalid and throwing the csrf error when it tries to lift it out of the existing cookie, but it’s just a hunch at the moment.

1 Like

I have tried both those options but same result. I found this in the docs (

If you are sending data to a full URI, such as // or // , instead of a simple path such as /path , you may want to consider using get_csrf_token_for/1 , as that will encode the host in the CSRF token. Once received, Plug will only consider the CSRF token to be valid if the host encoded in the token is the same as the one in .

But I am not sure how or where to use get_csrf_token_for/1

Any ideas?

In your form_for's, you need to pass a non-host specific token if you intend for forms on subdomains to post to a root domain or vice versa. By default, Phoenix HTML’s form_for will generate a token specific to the host of the form action, if it exists, which sounds like the cause of your issues, but it’s not clear how you are handling subdomains and form action urls. Try doing:

<%= form_for ..., ..., csrf_token: Plug.CSRFProtection.get_csrf_token(), fn f -> ...
1 Like


Thank you very much for your time but it was a user error!

I figured it must be to do with the session cookie and sharing it across the main domain and subdomain and after a lot of reading, I ran across an article that mentioned that browsers do not allow cross-domain session sharing for .com and localhost!

One of the many things I have forgotten over the years. Anyway … changed my host file and the config to use and it all worked as planned. The plus side is I have a much better understanding of the conn lifecycle and how Phoenix handles routing.

Again thanks for your time. I love Phoenix and can’t wait to see what happens with LiveView.

All the best.