Multi domain and backend cookie

Hello,

My problem concerns a multisite installation, each website with its own domain. Let's suppose 2 domains:

monsiteweb.fr > primary website, in french
mywebsite.com > english version

My theme uses the BackendAuth::check() method to display some elements only to connected administrators.

It works well for the primary website, but when I use the sitePicker component to switch language and go to the English version, BackendAuth::check() returns false and so all content exclusive to administrators disappears.

Is there a way to "share" the backend login cookie between the different domains of my multisite installation? If yes, how?

Thank you for your help
Dorian

Hi Dorian,

It is a good question. Unfortunately, browsers won’t allow cookies to be shared across distinct domains.

One strategy you can use is to include a JWT token with the links from Site A to Site B, and this would prove ownership of the account and allow the cookie to be duplicated. It is a theoretical idea and would require custom authentication code between the sites.

I shouldn’t take it for granted that you understand the security risks involved. You should make sure you use proper encryption, authentication, etc to avoid releasing sensitive information and to avoid various attacks (replay, man in the middle, etc).

Since it is only a backend administrator account, it would make sense for the backend to redirect to a primary domain, and then this problem disappears.

You can implement this by opening the app/Provider.php file and including the following code in the boot method.

public function boot()
{
    parent::boot();

    // While serving backend requests, generate all URLs on the primary
    // domain so the administrator session always lives on one host.
    if (\App::runningInBackend()) {
        \Url::forceRootUrl('https://primarydomain.tld');
    }
}

I hope this helps.
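
The signed handoff sketched above, written out as an added example that is not part of the original reply and is not October CMS or Laravel code: Site A mints a short-lived, single-use HS256 token for the link to Site B, and Site B verifies signature, issuer, audience, lifetime and single use before creating its own backend session. The shared secret, the in-memory list of consumed token ids, the ISSUER/AUDIENCE names and the function names are all assumptions for the demo.

```php
<?php
// Added example (not October CMS code). Assumptions: both sites hold the same
// HANDOFF_SECRET, Site B has a server-side store of consumed token ids (an
// in-memory array here), and the two servers' clocks are roughly in sync.

const HANDOFF_TTL = 60;                       // seconds a handoff link stays valid
const ISSUER      = 'https://monsiteweb.fr';  // Site A (assumed)
const AUDIENCE    = 'https://mywebsite.com';  // Site B (assumed)

function b64url(string $raw): string {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function b64urlDecode(string $s): string {
    $pad = str_repeat('=', (4 - strlen($s) % 4) % 4);
    return (string) base64_decode(strtr($s, '-_', '+/') . $pad, true);
}

// Site A: mint a compact HS256 JWT bound to this admin, to the destination
// site, to a short lifetime and to a random id so it can be consumed only once.
function mintHandoffToken(int $adminId, string $secret, int $now): string {
    $header = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $claims = b64url(json_encode([
        'iss' => ISSUER,
        'aud' => AUDIENCE,
        'sub' => $adminId,
        'iat' => $now,
        'exp' => $now + HANDOFF_TTL,
        'jti' => bin2hex(random_bytes(16)),
    ]));
    $sig = b64url(hash_hmac('sha256', "$header.$claims", $secret, true));
    return "$header.$claims.$sig";
}

// Site B: verify before trusting anything in the token. Returns the admin id
// to open a local backend session for, or null when the token is rejected.
function acceptHandoffToken(string $token, string $secret, int $now, array &$usedIds): ?int {
    $parts = explode('.', $token);
    if (count($parts) !== 3) return null;
    [$header, $claims, $sig] = $parts;

    // Only accept the algorithm we issue; never let the token choose it.
    $hdr = json_decode(b64urlDecode($header), true);
    if (!is_array($hdr) || ($hdr['alg'] ?? '') !== 'HS256') return null;

    // Constant-time signature comparison over the exact bytes that were signed.
    $expected = b64url(hash_hmac('sha256', "$header.$claims", $secret, true));
    if (!hash_equals($expected, $sig)) return null;

    $c = json_decode(b64urlDecode($claims), true);
    if (!is_array($c)) return null;
    if (($c['iss'] ?? '') !== ISSUER) return null;        // not minted by Site A
    if (($c['aud'] ?? '') !== AUDIENCE) return null;      // minted for a different site
    if (!isset($c['exp'], $c['sub'], $c['jti'])) return null;
    if ($now >= $c['exp']) return null;                   // link has expired
    if (isset($usedIds[$c['jti']])) return null;          // replay of a consumed token
    $usedIds[$c['jti']] = $c['exp'];                      // mark consumed (persist in real code)

    return (int) $c['sub'];
}

// Demo with a constructed secret: the first use is accepted, the second
// presentation of the same link is refused as a replay.
$secret = 'constructed-demo-secret-do-not-reuse';
$used   = [];
$link   = mintHandoffToken(42, $secret, time());
$first  = acceptHandoffToken($link, $secret, time(), $used);
$second = acceptHandoffToken($link, $secret, time(), $used);
printf("first: %s, second: %s\n", var_export($first, true), var_export($second, true));
```

Running it prints the admin id for the first call and null for the second. In a real deployment the consumed `jti` values belong in a database table with an expiry so the store cannot grow unbounded, the link must only ever be served over HTTPS, and Site B should exchange the token for its own session cookie and redirect immediately, so the token does not linger in query strings, server logs or Referer headers. Keeping the TTL to a minute or so limits what a leaked link is worth.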

Hello daft,

Thank you for your answer. By looking in the config files to find a solution, I found an option SESSION_DOMAIN in session.php. By reading the description, it seems to handle that kind of case:

Here you may change the domain of the cookie used to identify a session in your application. This will determine which domains the cookie is available to in your application. A sensible default has been set.

But I don't know how to use it, am I wrong?

Best regards,

If I'm not wrong, this can be used if you have subdomains. For example:

SESSION_DOMAIN=.mywebsite.com

but not for different domains (mywebsite1.com, mywebsite2.com)