Thanks! Will test now. In case of nextJS, do I need to add the same recipe for node-js or only on react will do?

you can continue using the same recipe you are using right now

Have a look at this link: https://supertokens.io/recipe-redirect?to=/common-customizations/sessions/share-sessions-across-sub-domains You can ignore the previous one..

I have tested here and put live, but it didn't work. When I go to the subdomain it asks for a new login.

Can you share the frontend config + an example of the a sub domain being used?

Front-end config:

export const frontendConfig = () => {
  return {
    useReactRouterDom: false,
    appInfo,
    recipeList: [
      Session.init({
        sessionScope: ".offscript.io",
      }),
      ThirdPartyEmailPasswordReact.init({
        signInAndUpFeature: {
          providers: [
            ThirdPartyEmailPasswordReact.Google.init(),
            ThirdPartyEmailPasswordReact.Facebook.init(),
          ],
      }),
      SessionReact.init(),
    ],
  }
}

Also appinfo is:

const appInfo = {
  appName: "Off Script",
  apiDomain: websiteDomain,
  websiteDomain,
  apiBasePath: "/api/auth/",
}

WebsiteDomain is

my.offscript.io

and

offscript.io

according to the domain.

set the websiteDOmain to always be

offscript.io

when I did that, the subdomains could not login, that's why I kept different. It threw a CORS error

Ah. You should keep it to offscript.io, and what the CORS error?

Let me replicate here from the test environment as this is not live for now

Here is one saved from before:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://my.offscript.io/api/auth/signin. (Reason: CORS request did not succeed).

So if you change websiteDOmain to

offscript.io

, the API call will go to

https://offscript.io/api/auth/signin

. The login screen is shown on

offscript.io

only right?

The API call goes to the subdomain in this case, and the login screen is shown in the subdomain as well. Is that the resason? We can only login/call in one place?

Ahh. ok. I thought the login screen is only on offscript.io

so is it true that you can login with offscript.io & access offscript.io and my.offscript.io AND You can login via my.offscript.io and get access to offscript.io and my.offscript.io?

or am i mis understanding the scenario?

Yes, that would be the ideal scenario!

ok wow.. i will have to think about that. give me sometime please.

may require an additional param change from our side.

Why do you have this scenario though - why not make all users just log in via offscript.io?

Basically because the home page of the subdomains redirect the user to

/auth/

as they are private pages. But I can try to redirect them to the main website and then back, I'll give it a try.

Ok, in a few moments testing it out

So the root problem is that our redirection post login ignores the domain from where the user came from. We ignore it cause of a phishing attacks where an attacker can form a malicious link redirecting a user back to their login. But perhaps we can change it to not ignore the domain if the top level domain of the source is the same - this way, it would just work for you.. what do you think of this?

Actually, I managed to make it work. I did what you said, but in the subdomains I redirect the user to the main page login.

With a /redirect parameter in the URL back

that did the trick

Thanks a lot!

Cool! So is there any change u require from our side?

Actually the verify thing might be necessary, doing more tests, it seems to work in one browser, but not safari