Hi,
Is it possible to keep the user logged in across multiple websites?
We have looked into the "Use domain for cookie" cookie manager settings - but it is not working in this case.
How do we solve this using standard features?
Be very careful with that setting!!
If you have multiple websites that use different domains (i.e. www.domain1.com and www.domain2.com) you cannot share cookies and then login cannot be shared. This is a browser limitation.
If you share domain, but have different hosts (i.e. site1.domain.com and site2.domain.com) cookies can be shared using the domain - that is the checkbox you have found.
So if you have different domains, you need to link between the sites using a notation that can log in the user again on site 2 etc. You can use ?pwtoken={secret} to link from one site to another and automatically log in the user. This is to be considered a security issue though...
BR Nicolai
Hi Nicolai,
Sorry I will have to be more clear about this case.
In our case we do share the domain but have different hosts. If I understand you, with this setting we are supposed to get this to work?
Yes.
But if you already have a cookie for the host, the domain cookie will not be picked up because of how browsers work.
So when you toggle that setting, all cookies have to get cleared. So it is a really nasty setting to deal with in production.
BR Nicolai
If you take a look at your cookies in dev tools, you can probably see the same cookie twice - once for host and once for domain.
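The host-versus-domain scoping discussed above can be checked offline with a small script; this is an added example, not part of the original thread or Dynamicweb's code. It applies the RFC 6265 domain-matching rule to constructed `Set-Cookie` headers and reports cookie names stored both host-only and domain-wide. The cookie values and the function names are assumptions made for illustration, and browser checks such as public-suffix rejection are left out.

```javascript
// Added example: header values are constructed samples, not captured traffic.

// Parse one Set-Cookie header as received in a response from `requestHost`.
function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: requestHost.toLowerCase(),
    hostOnly: true, // no Domain attribute: only the exact host gets it back
  };
  for (const attr of attrs) {
    const [key, val = ''] = attr.split('=').map(s => s.trim());
    if (key.toLowerCase() === 'domain' && val) {
      // A leading dot is ignored by browsers (RFC 6265, section 5.2.3).
      cookie.domain = val.replace(/^\./, '').toLowerCase();
      cookie.hostOnly = false;
    }
  }
  return cookie;
}

// Would a browser attach `cookie` to a request for `host`?
function sentTo(cookie, host) {
  host = host.toLowerCase();
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith('.' + cookie.domain);
}

// Names stored both host-only and domain-wide: the "same cookie twice" case.
function duplicatedNames(cookies) {
  const seen = new Map();
  for (const c of cookies) {
    const scopes = seen.get(c.name) || new Set();
    scopes.add(c.hostOnly ? 'host' : 'domain');
    seen.set(c.name, scopes);
  }
  return [...seen].filter(([, s]) => s.size === 2).map(([name]) => name);
}

const hostCookie = parseSetCookie(
  'DW_ExtranetSessionCookie=old; path=/; HttpOnly', 'site1.domain.com');
const domainCookie = parseSetCookie(
  'DW_ExtranetSessionCookie=new; domain=.domain.com; path=/; HttpOnly',
  'site1.domain.com');
console.log(sentTo(hostCookie, 'site2.domain.com'));   // false
console.log(sentTo(domainCookie, 'site2.domain.com')); // true
console.log(duplicatedNames([hostCookie, domainCookie]));
```
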
Hi again,
I do not see any user management cookie at all after cookie clearing. Running on DW 9.8.11.
I am still not able to maintain login state on both hosts (eg. site1.espresso4.dk and site2.espresso4.dk). Login to site1.espresso4.dk does not let me in on site2.espresso4.dk.
Maybe these cookie manager settings are not supposed to work with user management cookies?
Yes, that also goes for the login cookie.
In the last couple of releases there have been some changes to these cookies to enhance security and be current on cookie handling (httponly, samesite etc.).
This is the result for me when enabling this feature:
This is the logged in cookie:
(not the session cookie as I wrote - that is related to the cart)
Hi Nicolai,
An update on this.
I have tested on DW 9.9.8 - cookie manager "Use domain for cookies" enabled, solution is restarted.
DW_ExtranetSessionCookie is stored - but cookie domain part still does not include ".customersolution.com". I still just get the subdomain.customersolution.com.
What do I need to do? :-)
When changing domain part from "subdomain.customersolution.com" to ".customersolution.com" manually, the login part functions on all subsites. So the actual function works, only need to get the cookie storage issue fixed.
Hi Allan
What version of Dynamicweb.Environment do you have? This one: https://www.nuget.org/packages/Dynamicweb.Environment
It has the cookie manager that handles this. You can try to update to the latest version even though I cannot see we made any changes that affect this.
Can you share some screendumps of the response and cookies your browser receives from the site when entering it the first time in an incognito window?
Thanks, Nicolai
Sure - here you go.
DwExtranetSessionCookie has the subdomain defined not the top level domain.
Dynamicweb.Environment.dll version 4.0.0.
Ok - have a finding.
In your global settings file, take a look at a setting with the name "UseDomainAndNotHost" or "UseDomainAndNotHostNew".
When using the version 4 environment, this setting has to be true: /Globalsettings/Settings/CookieManager/UseDomainAndNotHostNew
With "New" in the end of the name. We had to rename the setting at some point.
BR Nicolai
Hi Nicolai,
Perfect - and it works, thanks!
UseDomainAndNotHostNew was missing - only UseDomainAndNotHost was present.
Great! That required some code digging and good eyes to find. Sorry about the confusion!!