Share sessions across subdomains
Overview
Configure session sharing across multiple subdomains in SuperTokens by setting the sessionTokenFrontendDomain attribute of the Session recipe in your frontend code. This widens the scope of the session cookies from one host to the parent domain and all of its subdomains.
- Your app has two subdomains, abc.example.com and xyz.example.com. Assume that the user logs in via example.com.
- To share sessions across example.com, abc.example.com and xyz.example.com, set the sessionTokenFrontendDomain attribute to .example.com.
Steps
1. Update the frontend configuration
import SuperTokens from "supertokens-auth-react";
import Session from "supertokens-auth-react/recipe/session";

SuperTokens.init({
    appInfo: {
        // ...
        apiDomain: "...",
        appName: "...",
        // websiteDomain must be the domain where the user sees the login UI;
        // it has to be the parent domain itself or one of its subdomains.
        websiteDomain: "https://example.com"
    },
    recipeList: [
        Session.init({
            // leading dot: the cookie is sent to example.com and every *.example.com
            sessionTokenFrontendDomain: ".example.com"
        })
    ]
});
- Do not set sessionTokenFrontendDomain to a value that is in the public suffix list (search for your value without the leading dot). Browsers refuse to store cookies scoped to a public suffix, so session management does not work.
- Do not set sessionTokenFrontendDomain to .localhost or to an IP-address-based domain with a leading ., since browsers reject these cookies. For local development, configure your machine with a hostname alias for localhost and use that alias instead.
- A cookie scoped to .example.com is sent to every subdomain, so a compromised or taken-over subdomain can use the session. Only widen the scope to a domain whose subdomains you all control.
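The caveats above can be checked before the value ever reaches Session.init(). The following is an added example, not SuperTokens code: it validates a candidate sessionTokenFrontendDomain against the login-UI domain and rejects the cases browsers silently drop. The public-suffix set is a constructed sample of a few entries; a real check has to consult the full public suffix list.

```javascript
// Added example (not part of SuperTokens): sanity-check a sessionTokenFrontendDomain
// value against the websiteDomain used in appInfo before shipping the config.

// Constructed sample: a handful of public suffixes for illustration only.
// A real check must consult the full list from publicsuffix.org.
const PUBLIC_SUFFIX_SAMPLE = new Set([
  "com", "org", "net", "co.uk", "github.io", "herokuapp.com",
]);

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Returns { ok: true } or { ok: false, reason } for a candidate cookie domain.
function validateSessionTokenFrontendDomain(value, websiteDomain) {
  if (typeof value !== "string" || !value.startsWith(".")) {
    return { ok: false, reason: "value must start with a leading dot, e.g. .example.com" };
  }
  const domain = value.slice(1).toLowerCase();
  if (domain === "" || domain.startsWith(".") || domain.endsWith(".")) {
    return { ok: false, reason: "malformed domain" };
  }
  if (domain === "localhost") {
    return { ok: false, reason: ".localhost cookies are rejected by browsers" };
  }
  if (IPV4.test(domain) || domain.startsWith("[")) {
    return { ok: false, reason: "IP-address cookie domains are rejected by browsers" };
  }
  if (PUBLIC_SUFFIX_SAMPLE.has(domain)) {
    return { ok: false, reason: domain + " is a public suffix; browsers drop such cookies" };
  }
  // The login UI host must be the domain itself or one of its subdomains,
  // otherwise the session cookie is never sent to the page that needs it.
  const host = new URL(websiteDomain).hostname.toLowerCase();
  if (host !== domain && !host.endsWith("." + domain)) {
    return { ok: false, reason: host + " is not under " + domain };
  }
  return { ok: true, reason: "" };
}

// Example call with the page's values (returns { ok: true, reason: "" }):
validateSessionTokenFrontendDomain(".example.com", "https://example.com");
```

Run this once at startup or in a test so a misconfiguration fails loudly instead of producing a login that appears to succeed but never persists.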
If each tenant belongs to one subdomain, and a user has access to more than one tenant, the tenant ID in the session is always the one from which they logged in. For example, if a user has access to tenants t1.example.com and t2.example.com, and they logged in via t1.example.com, then the tenant ID in the session is always t1. This remains true even if they navigate to t2.example.com or make an API request from t2.example.com.

To work around this, add a custom claim to the access token payload containing the list of all tenants the user has access to. Your APIs then resolve the tenant from the requesting subdomain and check it against that list, instead of reading the tId claim; an API must never accept a tenant from the subdomain alone, because the subdomain is attacker-chosen while the claim is signed.
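Below is an added example of that workaround, not SuperTokens code. It has two parts: a wrapper for the backend Session recipe's override functions that stores the user's tenant list under a custom claim (named tenants here, an assumed name), and a resolver that picks the tenant for the subdomain an API request came from and refuses anything not in the list. The lookup table is constructed sample data, and the override input fields (input.userId, input.accessTokenPayload) follow the supertokens-node createNewSession override as the author understands it; verify them against your SDK version.

```javascript
// Added example (not part of SuperTokens). Assumes the backend uses
// supertokens-node and that tenants are addressed as <tenantId>.<baseDomain>.

// Assumed lookup: user id -> tenant ids the user may access.
// Constructed sample data; a real app would query its database here.
async function lookupTenantsForUser(userId) {
  const table = { "user-1": ["t1", "t2"], "user-2": ["t2"] };
  return table[userId] || [];
}

// Wraps the Session recipe's functions so every new session carries the
// full tenant list as a custom "tenants" claim next to the built-in tId.
// Intended usage on the backend (not executed in this file):
//   Session.init({ override: { functions: withTenantsClaim } })
function withTenantsClaim(originalImplementation) {
  return {
    ...originalImplementation,
    createNewSession: async function (input) {
      const tenants = await lookupTenantsForUser(input.userId);
      input.accessTokenPayload = { ...(input.accessTokenPayload || {}), tenants };
      return originalImplementation.createNewSession(input);
    },
  };
}

// Resolve the tenant for a request arriving at `hostname` (e.g. "t2.example.com").
// Returns the tenant id only if it is in the signed tenants claim, otherwise null.
// It deliberately never falls back to tId: tId only records where the user logged in.
function tenantForRequest(accessTokenPayload, hostname, baseDomain = "example.com") {
  const host = String(hostname).toLowerCase().split(":")[0]; // strip any port
  if (!host.endsWith("." + baseDomain)) return null;         // foreign Host header
  const requested = host.slice(0, -(baseDomain.length + 1));
  if (requested === "" || requested.includes(".")) return null; // exactly one label
  const tenants = Array.isArray(accessTokenPayload.tenants) ? accessTokenPayload.tenants : [];
  return tenants.includes(requested) ? requested : null;
}

// Example: logged in via t1, now calling an API from t2.example.com -> "t2"
tenantForRequest({ tId: "t1", tenants: ["t1", "t2"] }, "t2.example.com");
```

In an API handler, call tenantForRequest with the verified session's access token payload and the request's Host; a null result should be treated as forbidden. The Host header check against baseDomain matters because a client can send any Host value it likes.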