Question

I am using WordPress multisite setup to set the following structure

example.com
sub1.example.com
example.net

Note that this is a single multisite setup, but it has two main domains and a subdomain.

I followed the steps described here to perform the setup.

Then, after adding example.net to the sites list, I tried to go to its dashboard in the admin section. Once I did that, I was presented with a login screen. When I try to login, I receive the following error

ERROR: Cookies are blocked or not supported by your browser. You must enable cookies to use WordPress.

After further investigation, I found this answer, which suggests adding define('COOKIE_DOMAIN', $_SERVER['HTTP_HOST']); to wp-config.php. I did that, and now things worked. I was able to login to the site example.net, but with a caveat.

The new problem is described as follows. Assuming I am in the WordPress backend, logged in to example.com, and I try to go to example.net. Once I do, I am presented with the login screen again to login to example.net. I would not get that login screen if I go to sub1.example.com from example.com.

I have the following questions:

  1. Why is this happening? In other words, why am I presented with a new login screen every time I try to switch between example.com and example.net?

  2. How can I prevent this from happening? It does not seem right. It looks like this is not a good solution to the problem. There might be another better way to fix this login issue.

  3. What does define('COOKIE_DOMAIN', $_SERVER['HTTP_HOST']); actually do?

Thanks.


Solution

When you log in, WordPress sets a cookie in your browser to mark you as authenticated. The COOKIE_DOMAIN sets the scope of this:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Scope_of_cookies

i.e. the browser will only send the cookie back to sites that match its scope:

  • if you log into example.com, WordPress will give you a 'wordpress_logged_in' cookie scoped to example.com.
  • if you go to sub1.example.com, then this matches the example.com scope and so your browser will send the wordpress_logged_in cookie.
  • if you go to example.net, this is out of scope for the example.com wordpress_logged_in cookie and so it is not sent to example.net.

How to make this work? You need a mechanism where example.net will make a request to example.com as part of the login process (or in the background when you visit the site) to check if you're logged in there, and if so the sites exchange a signed token which will authenticate you to example.net and so it can set a logged in cookie for you. StackExchange, for example, have a separate domain stackauth.com for just that. Or trigger this at login time on example.com so it calls out to example.net at the same time to set cookies there. Or delegate the login to example.com so you just have to click the login button on example.net and it'll redirect to example.com, find that you're signed in there and redirect you back to an 'authenticate me here too' endpoint on example.net with a signed token - so you do still have to click 'login' but not enter your credentials again.

There are plugins that exist to solve this, e.g. WP Multisite SSO. I haven't tried it myself and so can't recommend it. It would be an interesting problem to code up yourself, but it's going to be a fair amount of work!
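The scope rules the answer describes, as an added worked example (not from the question or answer, and not WordPress's own code): a small model of RFC 6265 cookie domain matching run over the three hosts in the network. It assumes the network-wide setting is COOKIE_DOMAIN='.example.com', that setting COOKIE_DOMAIN to $_SERVER['HTTP_HOST'] makes the cookie's Domain attribute equal the host that served the login page, and it also models the case behind the "Cookies are blocked" error: a browser discards a cookie whose Domain attribute does not cover the host that set it.

```python
"""Model of how a browser scopes the WordPress login cookie (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str      # Domain attribute as stored, without the leading dot
    host_only: bool  # True when Set-Cookie carried no Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain matching: the host equals the domain or is a subdomain of it."""
    host, dom = request_host.lower(), cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)


def set_cookie(name: str, responding_host: str, cookie_domain: Optional[str]) -> Cookie:
    """Model Set-Cookie sent by `responding_host`; COOKIE_DOMAIN becomes the Domain attribute.
    A browser ignores the whole cookie when Domain does not cover the responding host,
    so the next request carries no cookie and WordPress sees 'cookies blocked'."""
    if cookie_domain is None:  # no Domain attribute: host-only cookie
        return Cookie(name, responding_host.lower(), host_only=True)
    if not domain_matches(responding_host, cookie_domain):
        raise ValueError(f"{responding_host} may not set a cookie for {cookie_domain}")
    return Cookie(name, cookie_domain.lower().lstrip("."), host_only=False)


def cookie_sent_to(cookie: Cookie, request_host: str) -> bool:
    """Host-only cookies return only to the exact host; domain cookies to all subdomains."""
    if cookie.host_only:
        return request_host.lower() == cookie.domain
    return domain_matches(request_host, cookie.domain)


NETWORK_HOSTS = ["example.com", "sub1.example.com", "example.net"]  # the question's network


def sites_that_see_login(login_host: str, cookie_domain: Optional[str]) -> Dict[str, bool]:
    """Log in on `login_host` under the given COOKIE_DOMAIN and report which hosts in the
    network the browser will send the wordpress_logged_in cookie to.
    Returns an all-False map when the browser rejected the cookie outright."""
    try:
        cookie = set_cookie("wordpress_logged_in", login_host, cookie_domain)
    except ValueError:
        return {h: False for h in NETWORK_HOSTS}
    return {h: cookie_sent_to(cookie, h) for h in NETWORK_HOSTS}


if __name__ == "__main__":
    print(sites_that_see_login("example.com", ".example.com"))  # example.net out of scope
    print(sites_that_see_login("example.net", "example.net"))   # HTTP_HOST scope: only example.net
    print(sites_that_see_login("example.net", ".example.com"))  # browser drops the cookie
```

The second call is the COOKIE_DOMAIN = $_SERVER['HTTP_HOST'] case: each domain gets its own cookie, which is why switching from example.com to example.net shows the login screen again.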

Licensed under: CC-BY-SA with attribution
Not affiliated with wordpress.stackexchange