Question

I am trying to access the Page Editor of a website inside my solution while logged onto PE of another website in the same Sitecore solution. I'm doing that by writing the URL of the site I'm trying to reach followed by "/?sc_mode=edit". My problem is that I'm redirected to the Sitecore login page. The two websites have different security domains. This only started occurring after upgrading our solution from Sitecore 6.5 to Sitecore version 7.1. Is this a change in the Sitecore behaviour, or are there any settings that I'm neglecting for allowing such behaviour? I would like to access the other site's PE without having to authenticate myself again.

Update

For clarity, I'm adding more details on the specific functionality that I'm trying to fix: we have a custom status bar on our website's PE that allows the user to select another site from the solution and navigate to its PE. The code for achieving this is implemented inside a layout file in /sitecore/admin, called AutoLogin.aspx.
Each time the user selects another option from the drop-down selector, he is redirected via JavaScript to the AutoLogin script on the domain he chose. Here is the code for AutoLogin:

<%@ Page Language="C#" AutoEventWireup="true" %>

<%@ Import Namespace="Sitecore" %>
<%@ Import Namespace="Sitecore.Data" %>
<%@ Import Namespace="Sitecore.Data.Items" %>
<%@ Import Namespace="Sitecore.Data.Fields" %>
<%@ Import Namespace="Sitecore.Globalization" %>
<%@ Import Namespace="Sitecore.Configuration" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1" runat="server">
<title>Auto Login</title>
<script runat="server" type="text/C#">

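    protected void Page_Load(object sender, EventArgs e)
    {
        // Username comes from the "user" request parameter.
        var user = HttpContext.Current.Server.UrlDecode(Request["user"]);
        // End the Sitecore session tied to the current ASP.NET session ID.
        Sitecore.Web.Authentication.DomainAccessGuard.Kick(Session.SessionID);
        // Login(userName) signs the named user in without a password check.
        if (Sitecore.Security.Authentication.AuthenticationManager.Login(user))
        {
            Response.Redirect("/sitecore/shell/applications/webedit.aspx");
        }
        else
        {
            Response.Write("Invalid username.");
        }
    }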

</script>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        Auto login in Page Editor
    </div> 
    </form>
</body>
</html>

The AutoLogin script kicks the user from the session and tries logging him inside the new domain. This seems sound in theory but it doesn't seem to work in practice. For some reason, after kicking the user (and before logging back in) the Sitecore.Context.User.Name variable is still set to the username that was logged in before the Kick command was called.


Solution

Sitecore CMS user authentication depends on client cookies. The browser associates cookies with hostnames. If a CMS user authenticates against cms.domain.tld, unless you take steps to associate the authentication cookie with the domain (domain.tld) instead of the subdomain (cms.domain.tld), the browser will not send the cookie in HTTP requests for domain.tld or other subdomains such as en.domain.tld and mobile.domain.tld.

Additionally, when a user invokes a command that opens a new browser window for Preview or the Page Editor, Sitecore uses the current hostname, which is the hostname against which the user authenticated (cms.domain.tld). This may be good for authentication cookies, but you might need to configure managed sites in the CMS environment to use paths for site resolution instead of using hostnames. You can implement a processor in the httpRequestBegin pipeline to override the default SiteResolver, for example to determine the context site from the path in the requested URL rather than the hostname. Such a solution could iterate the managed sites to determine which has a path that matches that of the requested item, potentially based on existing logic that applies the Rendering.SiteResolving setting. Such an effort is not specific to cookies and hostnames and is therefore beyond the scope of this post. If someone requests such an example of this approach, and maybe even if nobody does, I may try to implement something.

I know the cookies in 6.6 are also domain dependent. For Sitecore 6.5, I don't know exactly how it was.

You can find more here:
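
The cookie scoping described in the answer above, as an added example that is not part of the original answer or of Sitecore: a small model of the RFC 6265 rules a browser applies when storing a cookie and deciding which hosts receive it. The hostnames are the ones used in the answer, plus a constructed `otherdomain.tld`; the cookie name `auth` is a placeholder.

```javascript
'use strict';

// RFC 6265 section 5.1.3: does request host `host` domain-match `domain`?
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  // Suffix match only on a label boundary; IP-literal hosts never suffix-match.
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':');
  return !isIp && host.endsWith('.' + domain);
}

// Model how a browser stores a cookie set by `originHost`.
// domainAttr is the Domain attribute from Set-Cookie, or null if absent.
function storeCookie(name, originHost, domainAttr) {
  if (!domainAttr) {
    // No Domain attribute: host-only cookie, returned to the exact host only.
    return { name, domain: originHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, '').toLowerCase(); // leading dot ignored
  // A server may only set a cookie for its own host or a parent domain.
  if (!domainMatch(originHost, domain)) return null; // browser rejects it
  return { name, domain, hostOnly: false };
}

// Would the browser attach `cookie` to a request for `requestHost`?
function isSent(cookie, requestHost) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatch(requestHost, cookie.domain);
}

// Hosts from a candidate list that would receive the cookie.
function recipients(cookie, hosts) {
  return hosts.filter((h) => isSent(cookie, h));
}

// Constructed sample hosts: the answer's hostnames plus one unrelated domain.
const HOSTS = ['cms.domain.tld', 'domain.tld', 'en.domain.tld',
  'mobile.domain.tld', 'otherdomain.tld'];
const hostOnly = storeCookie('auth', 'cms.domain.tld', null);
const widened = storeCookie('auth', 'cms.domain.tld', 'domain.tld');
const foreign = storeCookie('auth', 'cms.domain.tld', 'otherdomain.tld');

console.log('host-only:', recipients(hostOnly, HOSTS));
console.log('Domain=domain.tld:', recipients(widened, HOSTS));
console.log('Domain=otherdomain.tld accepted:', foreign !== null);
```

Setting `Domain=domain.tld` makes the authentication cookie available to every host under `domain.tld`, so each of those hosts has to be trusted with it. The model omits the public-suffix check that browsers also apply.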

Licensed under: CC-BY-SA with attribution