Login to sitecore across multiple subdomains


I have a sitecore installation with multi site configuration. There a 3 sites which map on different subdomains, f.ex. products.mydomain.com, content.mydomain.com and news.mydomain.com

Each subdomain points to a specific subtree in the sitecore tree.

There are multiple editors with different access rights for managing this 3 areas.

I have the requirement that an editor who has access to all subtrees should login only one time and not into every single area.

So if he logs in to f.ex. products.mydomain.com he already should be logged in on content.mydomain.com and news.mydomain.com.

I tried setting cookie domain for "ASPXAUTH" and "ASP.NET_SessionId" to "mydomain.com" but this doesn't seem to be sufficient.

Is there a setting in sitecore which enables one login accross multiple subdomains to the same sitecore instance?

Thanks for your answers!

  • In reply to JONATHAN ROBBINS:


    thanks for your reply.

    > The CookieDomain of the Auth cookie needs to be ".mydomain.com" not just "mydomain.com"

    In RFC 2109, a domain without a leading dot meant that it could not be used on subdomains, and only a leading dot (.mydomain.com) would allow it to be used across subdomains.

    However, modern browsers respect the newer specification RFC 6265, and will ignore any leading dot, meaning you can use the cookie on subdomains as well as the top-level domain.

    > The machine key and decruption key of all servers need to be identifical

    Ok. I have only a single server and a single application, so this is not necessary.

    > But I think your scenario is possibly relating to the domains the sites config; do all three subdomains use the same domain e.g. extranet?

    Yes, all three domains use the same domain. So this is no problem.

    Meanwhile I got the solution:

    Sitecore uses forms authentication, so the relevant cookies where domain has to be set are ".ASPXAUTH" and "sitecore_userticket".

    ".ASPXAUTH" cookie domain can be set in web.config:

      <authentication mode="None">
        <forms name=".ASPXAUTH" cookieless="UseCookies" domain="mydomain.com" timeout="30"/>

    "sitecore_userticket" can be set when overriding Sitecore.Security.Authentication.FormsAuthenticationProvider, but I found it easier to create an EndRequest handler:

    protected void Application_EndRequest(object sender, EventArgs e)
      // set cookie domain for authentication ticket
      var authCookie = HttpContext.Current.Response.Cookies["sitecore_userticket"];
      if (authCookie == null || string.IsNullOrEmpty(authCookie.Value))
        // when checking response cookies, cookie is created if not exists, so delete now
      // read domain from .ASPXAUTH cookie setting in system.web/authentication/forms 
      var authSection = ConfigurationManager.GetSection("system.web/authentication") as AuthenticationSection;
      authCookie.Domain = authSection != null && authSection.Forms != null ? authSection.Forms.Domain : "";

    Now everything is working fine. Thanks for your help!