Every month or so, someone asks me why they have to log in again on multiple domains on WordPress. That is to say, they’re using Multisite and they log in to example.com and then they have to log in again on sub.example.com and this is weird.
The answer is due to cross-domain browser protection. This is not to say you can’t do it! If you’re just using subdomains, this is really easy:
define( 'COOKIE_DOMAIN', 'example.com' );
define( 'ADMIN_COOKIE_PATH', '/' );
define( 'COOKIEPATH', '/' );
define( 'SITECOOKIEPATH', '/' );
define( 'COOKIEHASH', md5('http://example.com') );
The last one is just to prevent conflicts with other sites you may have on example.com that aren’t WordPress related. Or maybe are, but are a separate install for whatever reason.
But if you’ve read my older posts, you know my COOKIE_DOMAIN is set like this:
define( 'COOKIE_DOMAIN', $_SERVER[ 'HTTP_HOST' ] );
That’s because I’m mapping domains without a plugin to handle that for me. And that means I have to log in separately to halfelf.org and ipstenu.org and it sucks.
Like I said before, this is called cross-domain browser protection. A cookie set for one domain can’t be used on a site with a different domain, even when the sites have integrated logins.
Case in point: the exact same user ID/password I use on wordpress.org is used on buddypress.org and bbpress.org, and I have to log in to each site separately.
Why? To stop evil people from being evil. Can you imagine what would happen if someone sorted out your cookie hash and was able to let your login work on their sites? That would introduce new levels of phishing scam hells because you would be able to go to fake-paypal.com and your paypal.com login would just magically log you in.
So at this point it looks like you can’t have your cookies magically work for multiple domains and automagically log you in to them without interaction. But you’re safer this way. But what if you could?
$cookiehash = md5("http://www.example.com/");
define('COOKIE_DOMAIN', false);
define('COOKIEPATH', '/');
define('SITECOOKIEPATH', '/');
define('ADMIN_COOKIE_PATH', '/');
define('COOKIEHASH', $cookiehash );
Notice how I changed the COOKIE_DOMAIN? Without it being defined, it doesn’t restrict the cookie to one domain. The HASH will protect you ‘enough’ and you should be able to log in on all domains on your network.
Mind, I don’t do that. It doesn’t work reliably in my experience, which makes sense. It’s just not as safe.
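How a browser scopes the login cookie under each of the COOKIE_DOMAIN settings above can be modelled in a few lines. This is an added example, not code from this post or from WordPress: a simplified version of the RFC 6265 domain-matching rules, assuming that COOKIE_DOMAIN set to false results in a cookie with no Domain attribute. The function names are made up for illustration, and public-suffix, path and Secure handling are left out.

```javascript
// Added illustration of RFC 6265 cookie scoping; not WordPress or browser source.
// Simplified: no public-suffix check, no IP-address hosts, no Path/Secure handling.

// RFC 6265 section 5.1.3: a host matches a domain if it is identical to it
// or is a dot-separated subdomain of it.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// Model what the browser stores when `setHost` answers with Set-Cookie.
// domainAttr mirrors COOKIE_DOMAIN; false or '' is assumed to mean that
// no Domain attribute is sent at all.
function storeCookie(setHost, domainAttr) {
  if (!domainAttr) {
    return { domain: setHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, '').toLowerCase();
  // A site may only set cookies for itself or a parent domain; anything else is rejected.
  if (!domainMatch(setHost, domain)) return null;
  return { domain, hostOnly: false };
}

// Would the browser attach the stored cookie to a request for `requestHost`?
function isSent(cookie, requestHost) {
  if (cookie === null) return false;
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}

// Constructed scenarios using the hostnames mentioned in the post.
function scenarios() {
  const shared = storeCookie('example.com', 'example.com');   // subdomain setup
  const perHost = storeCookie('halfelf.org', 'halfelf.org');  // COOKIE_DOMAIN = HTTP_HOST
  const noDomain = storeCookie('halfelf.org', false);         // COOKIE_DOMAIN = false
  const foreign = storeCookie('halfelf.org', 'ipstenu.org');  // Domain names another site
  return {
    subdomainShared: isSent(shared, 'sub.example.com'),
    mappedShared: isSent(perHost, 'ipstenu.org'),
    falseCrossDomain: isSent(noDomain, 'ipstenu.org'),
    falseSameHost: isSent(noDomain, 'halfelf.org'),
    foreignAccepted: foreign !== null,
  };
}

console.log(scenarios());
```

In this model only the subdomain case shares a cookie; a cookie with no Domain attribute is host-only, so it goes back to the exact host that set it and nowhere else.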
Comments
4 responses to “Multiple Domains, Multiple Logins”
Someone needs to make an easy to use oAuth system that we can use across our sites. Then you could just log in much like you do with Google or Facebook authentication on various sites. Just click a button, it takes you to the other site, grabs an authentication token, then drags that back to the original site once you’ve approved it and logs you in automagically. There’s no reason we can’t do the same thing in a self-hosted format within WordPress.
I’m not building it, but I’m hoping someone else will :)
AFAIK, cross domain cookies by setting that to false is not possible. Browsers don’t work that way.
But, I might be missing something. Nevertheless, it can be done, it’s just a pain involving redirection or iframes or all other sorts of weirdness.
@Otto: It worked on ONE site of the ten I tried and someone else swears it works on theirs. I don’t know what magic I pulled out to get it there. I’ve never duplicated it. I’m sure I broke a law or six in the making.
One thing that you can do, is to use sub-folders for your admin panel, and map all your domains on the front end. That allows you to stay logged into the backend despite editing a mapped domain which you are not logged into.
I did this on my old setup, but ended up switching to mapping my backend too, as it makes rewriting URLs a royal PITA (you need to handle the sub-folders as well as the mapped domains), plus it means I’m not logged into my own site when commenting on the frontend.