Sessions are scoped by browser rules, not by Nginx. Put your central and tenant sites under the same second-level domain (easiest), or implement an explicit cross-domain SSO flow. Trying to share the default Laravel session cookie between maindomain.test and user.app.test can’t work because the browser won’t allow it.
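The browser rule behind this, as an added example that is not part of the original answer: a simplified model of RFC 6265 cookie acceptance and domain matching, run against the hostnames above. `central.app.test` is a hypothetical hostname for the same-parent layout, and `PUBLIC_SUFFIXES` is a constructed stand-in for the real Public Suffix List.

```javascript
// Simplified model of RFC 6265 cookie scoping (added example, not browser source).
// Assumption: this tiny set stands in for the real Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["test", "com"]);

// RFC 6265 s5.1.3: a host matches a domain if identical or if it ends with "." + domain.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Scope the browser stores when `settingHost` sends Set-Cookie with an optional
// Domain attribute. Returns null when the cookie is rejected outright.
function acceptCookie(settingHost, domainAttr) {
  const host = settingHost.toLowerCase();
  if (!domainAttr) return { domain: host, hostOnly: true };
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  if (PUBLIC_SUFFIXES.has(domain)) {
    // A cookie for a whole suffix would span unrelated sites.
    return host === domain ? { domain: host, hostOnly: true } : null;
  }
  // A host may only set cookies for itself or one of its own parent domains.
  if (!domainMatch(host, domain)) return null;
  return { domain, hostOnly: false };
}

// Whether a stored cookie is attached to a request for `requestHost`.
function isSentTo(cookie, requestHost) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatch(requestHost, cookie.domain);
}

// Does a session cookie set by `settingHost` reach `requestHost`?
function sessionShared(settingHost, domainAttr, requestHost) {
  return isSentTo(acceptCookie(settingHost, domainAttr), requestHost);
}

// Default host-only cookie: never leaves maindomain.test.
console.log(sessionShared("maindomain.test", null, "user.app.test"));          // false
// Foreign Domain attribute: rejected at Set-Cookie time.
console.log(sessionShared("maindomain.test", ".app.test", "user.app.test"));   // false
// Both sites under app.test: the cookie is accepted and sent to the tenant.
console.log(sessionShared("central.app.test", ".app.test", "user.app.test"));  // true
```

In Laravel the Domain attribute comes from the `domain` key in `config/session.php`, normally set through `SESSION_DOMAIN`. Scoping the cookie to the parent domain also sends it to every other host under that parent, so this layout only fits when all of those hosts are trusted with the session.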