Enable Cross-Domain Login with Memberstack

Article author
Josh Lopez

Cross-domain login allows your members to stay logged in as they navigate between your different domains and subdomains that have Memberstack installed. This creates a seamless experience where users don't need to repeatedly log in when moving between your websites.

Important: Cross-domain login works for sites that share the same root domain (e.g., yoursite.com and app.yoursite.com). It does not support completely different domains (e.g., yoursite.com and yourothersite.com).

How Cross-Domain Login Works

By default, Memberstack uses browser localStorage for authentication. localStorage is scoped to a single origin, so it cannot be shared between different domains or subdomains. Cross-domain login works by:

  1. Switching from localStorage to cookies for authentication
  2. Setting those cookies on the root domain so they're accessible to all subdomains
  3. Using secure, HTTP-only cookies to maintain the authentication state

Prerequisites

Before enabling cross-domain login, ensure you have:

  1. Custom Domains configured in your Memberstack settings
  2. SSL certificates (https) for all domains where Memberstack is installed
  3. The same Memberstack account and App ID used across all sites

Warning: If you don't set up Custom Domains correctly in Memberstack settings first, cross-domain login will not work properly.

Implementation Guide

Option 1: Standard Memberstack Installation

Add the following code above your existing Memberstack installation script on all websites where you want cross-domain login:

<script>
const memberstackConfig = {
  useCookies: true,
  setCookieOnRootDomain: true
}
</script>

Example of complete implementation:

<!-- Step 1: Add the configuration script FIRST -->
<script>
const memberstackConfig = {
  useCookies: true,
  setCookieOnRootDomain: true
}
</script>

<!-- Step 2: Keep your existing Memberstack installation script -->
<script data-memberstack-app="YOUR_APP_ID_HERE" src="https://static.memberstack.com/scripts/v1/memberstack.js"></script>

Option 2: DOM Package Implementation

If you're using the Memberstack DOM package, add the configuration options to your init function:

memberstackDom.init({
  publicKey: "YOUR_PUBLIC_KEY",
  useCookies: true,
  setCookieOnRootDomain: true
  // other options...
})

Testing Cross-Domain Login

After implementation, follow these steps to verify cross-domain login is working:

  1. Open your main domain (e.g., yoursite.com) in a browser
  2. Log in with a test account
  3. In the same browser, open your subdomain (e.g., app.yoursite.com)
  4. Verify you're automatically logged in
  5. Check browser cookies to confirm _ms_cookie and _ms_mid are set for .yoursite.com (note the leading dot)

Troubleshooting Cross-Domain Login

Based on customer feedback, these are the most common issues with cross-domain login:

Login Not Persisting Between Domains

  1. Check Custom Domains: Verify you've added all domains in Memberstack's Custom Domains settings
  2. Verify Cookie Settings: Open browser dev tools and check that the _ms_mid cookie is set for the root domain (.yoursite.com) with the leading dot
  3. Check Script Order: The memberstackConfig script must appear before the Memberstack installation script
  4. Verify HTTPS: All domains must use HTTPS for secure cookies to work properly

Social Login Not Working with Cross-Domain

When implementing cross-domain login, social authentication (like Google, Facebook) may encounter issues due to cookie settings and redirects.

  1. Ensure SameSite cookie attributes are properly set
  2. Check that redirect URIs in your social provider settings match your domains
  3. For mobile-specific issues (especially Android), ensure proper handling of redirects

Logout Not Working Properly

If logging out doesn't work consistently across domains:

  1. Make sure the logout function is called with the proper context
  2. After logging out, verify all Memberstack cookies are being removed
  3. Use await window.$memberstackDom.logout() to ensure proper logout

Browser-Specific Issues

Different browsers handle cookies differently:

  • Safari has stricter tracking prevention which can affect cross-domain cookies
  • Mobile browsers may have different cookie policies
  • If testing in incognito/private mode, some cookie features may be restricted

FAQ

Can I use cross-domain login between completely different domains?

No, cross-domain login is designed for domains sharing the same root domain (e.g., yoursite.com and app.yoursite.com). For completely different domains, users will need to log in separately on each site.

Can I set different redirect URLs for each domain?

Yes, but this requires using form-level redirects according to Memberstack's redirect hierarchy. Since there are no domain-specific redirect settings, you need to configure redirects on the forms placed on each domain:

Redirect Hierarchy in Memberstack:

  1. Default redirects: Affects all members on your site
  2. Plan-level redirects: Overrides default redirects for specific plans
  3. Member-level redirects: Customized for individual members
  4. Form-level redirects: Highest priority, set on specific forms

To achieve domain-specific redirects:

  • For yoursite.com: Add form-level redirects to forms on this domain (e.g., /dashboard)
  • For app.yoursite.com: Add different form-level redirects to forms on this domain (e.g., /app-dashboard)

Note that all redirects must be relative links. You cannot redirect to another website or subdomain after signup, login, checkout, or logout.

For most projects, we recommend using default and plan-level redirects for simplicity, unless you specifically need different behavior on different domains.

Will this affect my website's security?

Cross-domain login uses secure HTTP-only cookies, which are a standard security practice. However, ensure all domains use HTTPS to maintain security, as cookies with the secure flag will only work on HTTPS sites.

How does this affect GDPR compliance?

If you're using cookie consent banners or GDPR compliance tools, you may need to whitelist Memberstack cookies. See our GDPR/CCPA cookie documentation for more details.

Technical Details for Developers

For those implementing custom solutions or troubleshooting advanced issues:

  • Cross-domain login sets the following cookies on the root domain:
    • _ms_mid: Member ID token
    • _ms_cookie: Authentication session cookie
  • These cookies are HTTP-only and secure to prevent client-side JavaScript access
  • Cookie max-age is set to maintain session for extended periods
  • The SameSite attribute is set to ensure proper cross-subdomain functionality
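
The attributes listed above can be checked mechanically. The following is an added example, not Memberstack's code: it audits Set-Cookie-style strings for root-domain scope and for the Secure, HttpOnly and SameSite attributes. The cookie values are constructed samples, and the helper names parseSetCookie, domainMatches and auditCookie are hypothetical.

```javascript
// Added example. Cookie strings are constructed samples, not captured traffic.
const HOSTS = ["yoursite.com", "app.yoursite.com"];
const SAMPLES = [
  "_ms_mid=SAMPLE; Domain=.yoursite.com; Path=/; Secure; HttpOnly; SameSite=Lax",
  "_ms_mid=SAMPLE; Path=/; Secure", // host-only: never reaches the other hosts
];

// Parse a Set-Cookie style string into { name, value, attrs }.
function parseSetCookie(line) {
  const [pair, ...rest] = line.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// RFC 6265 domain matching for host names (IP-address case omitted): the
// leading dot is ignored, and the host must equal the cookie domain or end
// with "." + domain, so "notyoursite.com" does not match "yoursite.com".
function domainMatches(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// List what keeps a cookie from being shared by `hosts` or from carrying
// the Secure, HttpOnly and SameSite attributes the article describes.
function auditCookie(line, hosts) {
  const { name, attrs } = parseSetCookie(line);
  const findings = [];
  if (typeof attrs.domain !== "string") {
    findings.push(`${name}: no Domain attribute, cookie is host-only`);
  } else {
    for (const h of hosts) {
      if (!domainMatches(h, attrs.domain)) findings.push(`${name}: not sent to ${h}`);
    }
  }
  for (const flag of ["secure", "httponly", "samesite"]) {
    if (!attrs[flag]) findings.push(`${name}: missing ${flag}`);
  }
  return findings;
}

for (const c of SAMPLES) console.log(auditCookie(c, HOSTS));
```

An empty result means every listed host receives the cookie and all three attributes are present. A host-only finding corresponds to the troubleshooting check that _ms_mid must be set for the root domain.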

Comments

21 comments

  • Comment author
    Suhail Razzak

    Josh Lopez when will this be available in the memberstack/dom package? thanks.

    0
  • Comment author
    Josh Lopez

    Hey Suhail Razzak 👋

    It is available now! In the init function you would need to add two additional properties like:

    memberstackDom.init({
        // ...
        useCookies: true,
        setCookieOnRoot: true
    })
    -1
  • Comment author
    Suhail Razzak

    Thank you! Will check it out 👍

    0
  • Comment author
    Antoine Charrier

    Hello, I'm almost there, thanks for this feature, but now I want to GATE the entire subdomain. How do I do it, please?

     

    1
  • Comment author
    Artem Avramenko

    When I add the script I get an "Access blocked: This app's request is invalid" error when using Google SSO. Also, the website becomes not secure in the browser.

    I think this is because I have a reverse proxy and it breaks something. 
    (Custom domain was set up correctly and it works just fine)

     
    0
  • Comment author
    Jon Worek

    Hi Josh. Thanks for putting together this guide. Have you tested this with the React package? https://developers.memberstack.com/docs/react-package#memberstack-provider

    I might have expected that you could pass in the same two config options as you would to memberstackDom:

    memberstackDom.init({
        // ...
        useCookies: true,
        setCookieOnRoot: true
    })

    when initializing the <MemberstackProvider config={config}/> but it doesn't seem to have an effect. The `_ms-mid` cookie is still getting written for the subdomain, and not the root domain.

    2
  • Comment author
    Simran Sidhanti

    Hey, I have set up custom domains for our site but for some reason the production Webflow site is now not able to retain its login state. As soon as I log in, it logs me out, i.e. the logout button is not visible anymore and the _ms_member cookie is also gone. It used to not happen before setting up the custom domain and doesn't happen on the staging site either.

    0
  • Comment author
    Josh Lopez

    Hey Simran Sidhanti

    I haven't seen this come up. What is your URL so I can take a look?

    0
  • Comment author
    Simran Sidhanti

    https://www2.microburbs.com.au/memberstack/memberstack

    https://microburbsstaging.webflow.io/memberstack/memberstack

    Hey Josh Lopez this is the production and staging webflow url. I am just testing the MS login system so ignore the design.

    0
  • Comment author
    Josh Lopez

    Simran Sidhanti

    It looks like you found something we didn't account for! We just updated the code and you should be good to go now. I just tested and it's working for me.

    0
  • Comment author
    Simran Sidhanti

    Josh Lopez

    Hey Josh. Thanks for the quick fix, the cross domain login is working well now. But the logout functionality has stopped working now. Whenever I click the logout button, it still keeps the user logged in. If you could have a look at that, that would be great. Cheers

    0
  • Comment author
    Josh Lopez

    Simran Sidhanti

    I just took a look and I didn't see a logout button. I did use await window.$memberstackDom.logout() in the console and was able to log out, so it should work if a logout button is added because that's the code it uses.

    0
  • Comment author
    Simran Sidhanti

    Josh Lopez

    There's a logout button at the bottom right. And even though using your await window.$memberstackDom.logout() code says it's logged out, the logout button still remains there, which gets hidden if the user is actually logged out.

    https://cdn.discordapp.com/attachments/912694468031950868/1192358469991420005/image.png

    You can also confirm that by looking at the ms_member key in the local storage. Which is absent when logged out. If you wanna confirm logged out button gets hidden upon logging out, you can check our staging site on which it gets removed. But in custom domain one, it immediately logs you back in.

     

    0
  • Comment author
    Josh Lopez

    We just released a fix for this! Everything should be good to go now! :)

    0
  • Comment author
    brian lee

    I seem to understand that cross chain is only for subdomain of the same root...for true cross chain retaining the sign in.

    We are trying to build a media content network of multiple brands but seamlessly have the same paid member user base have access to all the paid content across our brands.

    Can I use the same Memberstack account for membership sign up form and login pages on multiple websites technically without cross chain seamless? Like each one requires independent logins and I create the individual plans and gated access for each?
    i.e.
    abc.com > user sign up/sign in > free plan abc > gain access permission to gated bonus content on abc.com
    abc.com > user sign up/sign in > paid members plan > gain access permission to both free gated bonus content > also gain access to exclusive paid only content for abc.com

    I install the same account code on site def.com. The user has to log in separately and cannot go back and forth between abc.com and def.com logged in to both seamlessly.
    def.com > user sign up/sign in > free plan def > gain access permission to squarespace membersite gated bonus content on def.com
    def.com > user sign up/sign in > paid members plan A > gain access permission to gated free bonus content > also gain access to gated exclusive paid only content for def.com

    So can members get access to either site like that?

    0
  • Comment author
    Minh Lê

    Hi, I have a question:

    What if a user logs into subdomain1.yoursite.com, then goes to subdomain2.yoursite.com, will the user still be logged in over there?

    0
  • Comment author
    Josh McGuire

    I have domains currently hosted on Heroku and have CNAME records that point from my subdomain to the Heroku domain. I am unable to add another CNAME record for my subdomain. Any help would be greatly appreciated. I have spent days on this problem and have not been able to find a solution.

    0
  • Comment author
    Yoav Schwartz

    Hi, 

    my 2 subdomains are as follows:

    subdomain1 (where users create their account) is NextJs where I've adjusted layout.tsx to include these variables:

    <MemberstackProvider config={{
      publicKey: process.env.NEXT_PUBLIC_MEMBERSTACK_PUBLIC_KEY as string,
      useCookies: true,
      setCookieOnRootDomain: true
    }}>

    subdomain2 is a Circle.so community. Since I'm using Cloudflare, I attempted to add the JavaScript snippet through Zaraz (which should add it to the head via proxy).

    Needless to say it's not working. When my users create an account on subdomain1, I redirect them to Circle's auth login (on subdomain2), which routes them to the Memberstack hosted auth page (also on my subdomain).

    So everything is on the same domain. My expectation is at most the user will just have to "authorize" the connection between MS and Circle but not have to log in again.

    thanks for your help!


    0
  • Comment author
    Minh Lê

    Yoav Schwartz On the subdomain2, did you install the script with the data-memberstack-use-cookies attribute?

    ```
    <script data-memberstack-app="APP_ID_HERE" data-memberstack-use-cookies src="https://static.memberstack.com...." type="text/javascript"></script>
    ```

    Because if not then the subdomain2 might still be using localStorage for session detection.

    More information on this: https://docs.memberstack.com/hc/en-us/articles/14958076984347-Override-Memberstack-to-use-cookies-instead-of-local-storage

     

    0
  • Comment author
    Yoav Schwartz

    subdomain2 is hosted by circle.so, where I have SSO with Memberstack enabled, which means it must already have Memberstack installed.

    So the script I have injected with Zaraz (Cloudflare) is:

    <script id="ZarazMemberstack">
    const memberstackConfig = {
    useCookies: true,
    setCookieOnRootDomain: true
    }
    </script>

    I just tried adding the installation script itself with the suggested data attribute, but that didn't work either. Once the user hits subdomain2 (circle.so) they get redirected to auth (subdomain3).

    0
  • Comment author
    Mauro Arancibia

    Is it possible to have a separate login redirect for each specific website? For example:

    User signs up on abc.com > redirected to abc.com/dashboard
    User signs up on pro.abc.com > redirected to pro.abc.com/dashboard

    I want both sign-ups to be assigned the same plan ID.

    0
