How to keep the user logged in across multiple websites (Use domain for cookie?)

Allan Iversen

Hi,

Is it possible to keep the user logged in across multiple websites?

We have looked into the "Use domain for cookie" cookie manager settings - but it is not working in this case.

How do we solve this using standard features?

cookie-manager-settings.png

Replies

 
Nicolai Pedersen Dynamicweb Employee

Be very careful with that setting!!

If you have multiple websites that use different domains (i.e. www.domain1.com and www.domain2.com) you cannot share cookies and then login cannot be shared. This is a browser limitation.

If you share domain, but have different hosts (i.e. site1.domain.com and site2.domain.com) cookies can be shared using the domain - that is the checkbox you have found.

So if you have different domains, you need to link between the sites using a notation that can log in the user again on site 2 etc. You can use ?pwtoken={secret} to link from one site to another and automatically log in the user. This is to be considered a security issue though...

BR Nicolai

 
Allan Iversen

Hi Nicolai,

Sorry I will have to be more clear about this case.

In our case we do share the domain but have different hosts. If I understand you, with this setting we are supposed to get this to work?

 

 
Nicolai Pedersen Dynamicweb Employee

Yes.

But if you already have a cookie for the host, the domain cookie will not be picked up because of how browsers work.

So when you toggle that setting, all cookies have to get cleared. So it is a really nasty setting to deal with in production.

BR Nicolai

 
Nicolai Pedersen Dynamicweb Employee

If you take a look at your cookies in dev tools, you can probably see the same cookie twice - once for host and once for domain.
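Added example, not part of the original thread and not Dynamicweb code: a simplified model of RFC 6265 cookie scoping that reproduces what the replies above describe, namely no sharing across different domains, sharing across hosts once the cookie carries a Domain attribute, and a leftover host-only cookie sitting next to the new domain cookie. The cookie name `login` and its values are constructed; the host names are the ones used in the replies.

```javascript
// Simplified RFC 6265 cookie scoping (added example; ignores Path, Secure,
// SameSite, expiry and the public-suffix check that real browsers apply).
// RFC 6265 5.1.3: a host matches a cookie domain if identical or a subdomain.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase(), d = cookieDomain.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Store a cookie as a browser would: no Domain attribute => host-only cookie.
function setCookie(jar, originHost, name, value, domainAttr) {
  let domain = originHost.toLowerCase();
  let hostOnly = true;
  if (domainAttr) {
    const d = domainAttr.replace(/^\./, "").toLowerCase();
    // A host may only set cookies for itself or one of its parent domains.
    if (!domainMatch(originHost, d)) return false;
    domain = d;
    hostOnly = false;
  }
  // Same name + same domain replaces; a different domain is a separate cookie.
  const i = jar.findIndex((c) => c.name === name && c.domain === domain);
  if (i >= 0) jar.splice(i, 1);
  jar.push({ name, value, domain, hostOnly });
  return true;
}

// Cookie header a browser would send to `host` (oldest cookie first).
function cookieHeader(jar, host) {
  const h = host.toLowerCase();
  return jar
    .filter((c) => (c.hostOnly ? c.domain === h : domainMatch(h, c.domain)))
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Hypothetical cookie name "login", constructed values, hosts from the thread.
function demo() {
  const jar = [];
  setCookie(jar, "site1.domain.com", "login", "host-only"); // no Domain attribute
  const before = cookieHeader(jar, "site2.domain.com");
  setCookie(jar, "site1.domain.com", "login", "shared", "domain.com"); // Domain set
  return {
    before,
    site1: cookieHeader(jar, "site1.domain.com"),
    site2: cookieHeader(jar, "site2.domain.com"),
    otherDomain: cookieHeader(jar, "www.domain2.com"),
    crossSet: setCookie(jar, "www.domain2.com", "login", "x", "domain.com"),
  };
}
console.log(demo());
```

On site1 the request carries both `login` values, which is the duplicate visible in dev tools; clearing the old host-only cookie leaves only the shared one.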

 
Allan Iversen

Hi again,

I do not see any user management cookie at all after cookie clearing. Running on DW 9.8.11.

I am still not able to maintain login state on both hosts (e.g. site1.espresso4.dk and site2.espresso4.dk). Login to site1.espresso4.dk does not let me in on site2.espresso4.dk.

Maybe these cookie manager settings are not supposed to work with user management cookies?

 
Nicolai Pedersen Dynamicweb Employee

Yes, that also goes for the login cookie.

  1. When activating this setting, an iisreset is required...
  2. In recent versions (cannot remember precisely) the login is stored in DW_ExtranetSessionCookie the login is stored in a session cookie (Dynamicweb.Session) which will restore the login on site 2
    1. If you do not have that DW_ExtranetSessionCookie session cookie, you have to store username and password along with autologin=true for the login to automatically happen on site 2.

In the last couple of releases there have been some changes to these cookies to enhance security and be current on cookie handling (httponly, samesite etc.)

This is the result for me when enabling this feature:

 
Nicolai Pedersen Dynamicweb Employee

This is the logged in cookie:

(not the session cookie as I wrote - that is related to the cart)

 
