I have a website which uses wildcard subdomains. The subdomains can be anything, but a subdomain is always there (by default it's "www"). I want to be authenticated in every subdomain when I log in.
When I authenticate in abc.example.com, the JSESSIONID cookie is placed in abc.example.com. If I go to xyz.example.com, it doesn't find the cookie, so I'm logged out. I also use the remember-me function; that should work too.
What I tried so far is:
Could someone point me to the right direction?
I had to place the remember-me cookie in the top domain. Done by setting cookie domain and disabling request cache:
String rememberMeCookieDomain = ".mydomain.com";
http.rememberMe().rememberMeCookieDomain(rememberMeCookieDomain).rememberMeCookieName(REMEMBERME_COOKIE_NAME).tokenRepository(tokenRepository()).tokenValiditySeconds(4 * SECONDS_IN_WEEK);
The trailing "." is necessary in the cookie domain to allow subdomains to access the top level cookie. If you use Tomcat, you have to turn on the legacy cookie processor for this to work:
How to change Cookie Processor to LegacyCookieProcessor in tomcat 8
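
The scoping behaviour discussed in this thread, as an added example that is not part of the original question or answer: a small model of RFC 6265 domain matching showing which hosts receive a host-only cookie versus one set with a parent Domain attribute. The hostnames and the `remember-me` cookie name are constructed sample values, and the public-suffix check that real browsers also apply is left out.

```javascript
// Added illustration: a model of RFC 6265 cookie scoping, not browser or Spring code.
// All hostnames and cookie names below are constructed sample values.

// RFC 6265 section 5.2.3: a leading "." in the Domain attribute is ignored
// and the value is compared case-insensitively.
function normalizeDomainAttr(value) {
  return value.replace(/^\./, "").toLowerCase();
}

// RFC 6265 section 5.1.3: a host domain-matches if it is identical to the
// domain, or ends with "." + domain and is a name rather than an IP address.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  if (host === domain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// Store a cookie as a user agent would. Without a Domain attribute the
// cookie is host-only: bound to the exact host that set it.
function storeCookie(setByHost, name, domainAttr) {
  if (!domainAttr) {
    return { name, domain: setByHost.toLowerCase(), hostOnly: true };
  }
  const domain = normalizeDomainAttr(domainAttr);
  // A host may only set a cookie for its own domain or a parent of it.
  if (!domainMatches(setByHost, domain)) return null;
  return { name, domain, hostOnly: false };
}

function isSentTo(cookie, requestHost) {
  if (cookie.hostOnly) return requestHost.toLowerCase() === cookie.domain;
  return domainMatches(requestHost, cookie.domain);
}

// Which of the given hosts would receive this cookie?
function report(cookie, hosts) {
  return hosts.filter((h) => isSentTo(cookie, h));
}

const hosts = ["abc.example.com", "xyz.example.com", "example.com", "badexample.com"];
const session = storeCookie("abc.example.com", "JSESSIONID", null);
const remember = storeCookie("abc.example.com", "remember-me", ".example.com");
console.log("JSESSIONID  ->", report(session, hosts));
console.log("remember-me ->", report(remember, hosts));
```

With wildcard subdomains, the second result means the cookie reaches every host under the parent domain, so its scope is as wide as the set of names that can resolve there.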