diff --git a/apps/csms/src/lib/auth.ts b/apps/csms/src/lib/auth.ts
index 8dcbcb8..48a2cf0 100644
--- a/apps/csms/src/lib/auth.ts
+++ b/apps/csms/src/lib/auth.ts
@@ -8,6 +8,16 @@ import { passkey } from "@better-auth/passkey";
 const webOrigin = process.env.WEB_ORIGIN ?? "http://localhost:3000";
 const rpID = new URL(webOrigin).hostname;
+// 从 WEB_ORIGIN 的主机名推导父域(如 csms.uniiem.com → .uniiem.com),
+// 用于跨子域共享 session cookie;本地开发时返回 undefined 不启用。
+function getParentDomain(hostname: string): string | undefined {
+ if (hostname === "localhost" || /^\d/.test(hostname)) return undefined;
+ const parts = hostname.split(".");
+ return parts.length >= 3 ? "." + parts.slice(1).join(".") : undefined;
+}
+
+const cookieDomain = process.env.COOKIE_DOMAIN ?? getParentDomain(rpID);
+
 export const auth = betterAuth({
 database: drizzleAdapter(useDrizzle(), {
 provider: "pg",
@@ -35,8 +45,8 @@ export const auth = betterAuth({
 ],
 advanced: {
 cookiePrefix: "helios_auth",
- crossSubdomainCookies: process.env.COOKIE_DOMAIN
- ? { enabled: true, domain: process.env.COOKIE_DOMAIN }
+ crossSubdomainCookies: cookieDomain
+ ? { enabled: true, domain: cookieDomain }
 : { enabled: false },
 },
 });
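Review bot: `getParentDomain` makes cross-subdomain session cookies the default for any `WEB_ORIGIN` hostname with three or more labels, where the old code in the second hunk enabled them only when `COOKIE_DOMAIN` was set explicitly. Every sibling host under the derived parent then receives the session cookie and can write cookies into that scope, so a less-trusted, user-content or dangling subdomain becomes part of the session's trust boundary without anyone having opted in. Dropping only the first label is also not public-suffix aware: a host registered directly under a multi-label suffix (constructed example: `csms.co.uk` → `.co.uk`) yields a Domain value that browsers reject, so the session would likely fail to persist with no server-side error. The only opt-out appears to be an empty `COOKIE_DOMAIN`, which works because `??` keeps `""` and the ternary on `cookieDomain` treats it as false. I would state that above the declaration, e.g. `// COOKIE_DOMAIN="" disables sharing; unset derives the parent domain from WEB_ORIGIN`, and consider keeping the derivation opt-in.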