Share sessions across sub domains
Sharing sessions across multiple sub domains in SuperTokens can be configured by setting the sessionTokenFrontendDomain
attribute of the Session recipe in your frontend code.
Example:
- Your app has two subdomains
abc.example.com
andxyz.example.com
. We assume that the user logs in viaexample.com
- To enable sharing sessions across
example.com
,abc.example.com
andxyz.example.com
thesessionTokenFrontendDomain
attribute must be set to.example.com
.
- ReactJS
- Angular
- Vue
Important
supertokens-auth-react
SDK and will inject the React components to show the UI. Therefore, the code snippet below refers to the supertokens-auth-react
SDK.import SuperTokens from "supertokens-auth-react";
import Session from "supertokens-auth-react/recipe/session";
SuperTokens.init({
appInfo: {
// ...
// this should be equal to the domain where the user will see the login UI
apiDomain: "...",
appName: "...",
websiteDomain: "https://example.com"
},
recipeList: [
Session.init({
sessionTokenFrontendDomain: ".example.com"
})
]
});
Important
supertokens-auth-react
SDK and will inject the React components to show the UI. Therefore, the code snippet below refers to the supertokens-auth-react
SDK.import SuperTokens from "supertokens-auth-react";
import Session from "supertokens-auth-react/recipe/session";
SuperTokens.init({
appInfo: {
// ...
// this should be equal to the domain where the user will see the login UI
apiDomain: "...",
appName: "...",
websiteDomain: "https://example.com"
},
recipeList: [
Session.init({
sessionTokenFrontendDomain: ".example.com"
})
]
});
import SuperTokens from "supertokens-auth-react";
import Session from "supertokens-auth-react/recipe/session";
SuperTokens.init({
appInfo: {
// ...
// this should be equal to the domain where the user will see the login UI
apiDomain: "...",
appName: "...",
websiteDomain: "https://example.com"
},
recipeList: [
Session.init({
sessionTokenFrontendDomain: ".example.com"
})
]
});
caution
- Do not set
sessionTokenFrontendDomain
to a value that's in the public suffix list (Search for your value without the leading dot). Otherwise session management will not work. - Do not set
sessionTokenFrontendDomain
to.localhost
or an IP address based domain with a leading.
since browsers will reject these cookies. For local development, you should configure your machine to use alias forlocalhost
.
Multi Tenancy
In case you have a setup where each tenant belongs to one sub domain, and if a user has access to more than one tenant, the tenant ID as seen in the session will always be the one from which they logged into.
For example, if you a user has access to tenant t1.example.com
and t2.example.com
, and they logged in via t1.example.com
, then the tenant ID in the session will always be t1
even if they navigate to t2.example.com
, or make an API request from t2.example.com
.
To solve this, you can add extra information about access token payload containing a list of all the tenants that the user has access to, and then read from that list instead of the tId
claim.