Sitecore 9.1 uses the Owin authentication mechanism, in the earlier versions it uses the .Net legacy form authentication mechanism.
To enable the virtual login the below steps are followed.
Inherited DefaultCookieAuthenticationOptions and passed the domain and other required properties in the constructor.
public class CustomCookieAuthenticationOptions : DefaultCookieAuthenticationOptions
public CustomCookieAuthenticationOptions(DefaultCookieAuthenticationProvider provider, ICookieManager cookieManager, AuthenticationTypeResolver authenticationTypeResolver)
: base(provider, cookieManager, authenticationTypeResolver)
CookieDomain = ".x.com";
//Based on your requirement you can set the remaining properties
//CookieSecure = Microsoft.Owin.Security.Cookies.CookieSecureOption.Never;
Injected the above class based on the sample given in the Sitecore document (https://doc.sitecore.com/developers/91/sitecore-experience-management/en/dependency-injection.html)
public class MyServicesConfigurator : IServicesConfigurator
public void Configure(IServiceCollection serviceCollection)
<configurator type= "Test.MyServicesConfigurator, Test.Poc"/>
After the above changes, it sets the cookie at x.com but CORS still failed. I mean when I login from abc.x.com and try to access the page from the domain xyz.x.com, I am not able to access the Sitecore context set in abc.x.com. [Though both the sites are published from same Sitecore instance].
When further analyzing the issue, looks like the “ASP.NET_SessionId” needs to be at parent domain level i.e. x.com level [to share the similar Sitecore session between abc.x.com and xyz.x.com]. So updated the Web.config [Sitecore instance] as below.
<httpCookies httpOnlyCookies="true" requireSSL="false" domain=".x.com" />
Now when I login from abc.x.com, all the Sitecore cookies are set at x.com including the “ASP.NET_SessionId”. So my Sitecore context built in abc.x.com is accessible in xyz.x.com and this is what I expected.