Correct Cookie Config for Magento Site with Subdomains

cookiemultistoresession

The problem

A large site uses separate instances of Magento for different geographic regions so the businesses are isolated. Example:

site.com
north.site.com
south.site.com
east.site.com
west.site.com

Users may visit the root + regional sites, log in directly on a regional site, or log into (site.com) with their regional credentials (we have an authenticator + redirect in place).

Some are unable to login after previously being able to, and get no error feedback. We can replicate the fault which is having two cookies with the same name but different domains. Example:

Name: frontend, Domain: .site.com
Name: frontend, Domain: .north.site.com

Deleting the cookies resolves the issue in most browsers. The cookies seem to get stuck in some browsers and we're stumped other than waiting for them to expire which sucks for users.

What we tried

Initially our config was blank (as below) for all sites. This triggered the problems. As I understand it, we need to set the domain explicitly for all sites to ".site.com" so only one cookie can exist with that name/domain.

Does that resolve Magento's issue of not knowing which "frontend" cookie is the correct one — or is there a preferred config?

The Question

What is the correct cookie config in Magento's admin for a multi-domain setup?

See: "System > Config > Web > Session Cookie Management"

Magento cookie config

Best Answer

We had to do something similar recently:

Cookie Path: /
Cookie Domain: .site.com

That did the trick in our case.

Related Solutions

Magento – Sharing Sessions Between Stores with Different Domains

You can share frontend cookie between magento website with different domains using that solution ainixon.me/set-cookie-on-cross-domains.

You need to create cookies.php file with the following code

<?php
    setcookie("frontend", htmlspecialchars($_GET['SID']), time() + 86400);
?>

and in magento template you will need to add following code after the <body> tag

<?php 
$this_session_id = Mage::getSingleton('core/session', array('name' => 'frontend'))->getSessionId(); 
?>
<!-- setting cookies to other domains --> 
<img src="http://anotherdomain.com/cookies.php?SID=<?php echo $this_session_id; ?>" style="display:none;" />
<img src="http://somedomain.ne/cookies.php?SID=<?php echo $this_session_id; ?>" style="display:none;" /> 
<!-- setting cookies to others domains ends -->

Magento – Cookie Issue on Multistore Installation

You write in your question:

they face the issue that they can't login and no error message is displayed

This is a good indicator that you have a cookie issue. This error pattern is just that the login was successful for Magento (username and password did match) but there is no session to keep the successful login. Hence the login page is displayed again with no error message.

My research leads me to believe that this is a cookie problem, stemming from the fact that the example.com cookie is set, and then causes problems when the user is redirected to sub.example.com

You're pretty close, here is what happens.

You have not specified a cookie-domain for both sites.
Not specifying a cookie-domain means, the browser when it receives a cookie will file it under the domain of the request.
The login will then set the session ID to example.com. In that session the user is logged in.
After redirect a new session ID will be set to sub.example.com. In that new session the user is not logged in.
If the browser requests a page under sub.example.com then, it needs to decide which of the two same-named cookies for the session is to be taken: The one for example.com or the one for sub.example.com? And if both in which order? Answer: You can't say as browsers vary here.
And not only the browser, also the server needs to decide here. So what happens here? Answer: For PHP, it can't handle two cookie values with the same name. It only takes the first one. And which one that is, you can't say (see browsers).
So this is already flawed. No wonder it won't work until you start fresh and remove existing cookies under both domains.

This is what you experienced and hopefully the listing sheds some light.

So how to handle this in your case?

My suggestion would be to configure the cookie domains as "example.com" for all the two sites in your case. That means that both sites will share their session which I assume is what you're looking for.

Not setting the cookie-domain in the first place was causing you the trouble then as this resulted in two different cookie domains, but you want to share the session cookie, so you want one session cookie and not two.

Also: Set the cookie to HTTP only so it can't be spoofed in a browser-script.

Changes in your configuration:

Cookie domain: example.com (was: (empty))
Use HTTP only: Yes (was: No)