Index: t3lib/config_default.php
===================================================================
--- t3lib/config_default.php (revision 8607)
+++ t3lib/config_default.php (working copy)
@@ -60,7 +60,7 @@
 'sitename' => 'TYPO3', // Name of the base-site. This title shows up in the root of the tree structure if you're an 'admin' backend user.
 'compat_version' => '3.8', // Compatibility version. TYPO3 behavior will try to be compatible with the output from the TYPO3 version set here. It is recommended to change this setting with the Upgrade Wizard.
 'encryptionKey' => '', // This is a "salt" used for various kinds of encryption, CRC checksums and validations. You can enter any rubbish string here but try to keep it secret. You should notice that a change to this value might invalidate temporary information, URLs etc. At least, clear all cache if you change this so any such information can be rebuild with the new key.
- 'cookieDomain' => '', // When setting the value to ".example.com" (replace example.com with your domain!), login sessions will be shared across subdomains. Alternatively, if you have more than one domain with sub-domains, you can set the value to a regular expression to match against the domain of the HTTP request. The result of the match is used as the domain for the cookie. eg. /\.(example1|example2)\.com$/ or /\.(example1\.com)|(example2\.net)$/
+ 'cookieDomain' => '', // Restricts the domain name for FE and BE session cookies. When setting the value to ".example.com" (replace example.com with your domain!), login sessions will be shared across subdomains. Alternatively, if you have more than one domain with sub-domains, you can set the value to a regular expression to match against the domain of the HTTP request. The result of the match is used as the domain for the cookie. eg. /\.(example1|example2)\.com$/ or /\.(example1\.com)|(example2\.net)$/. Separate domains for FE and BE can be set using $TYPO3_CONF_VARS['FE']['cookieDomain'] and $TYPO3_CONF_VARS['BE']['cookieDomain'] respectively.
 'cookieSecure' => 0, // Integer (0, 1, 2): Indicates that the cookie should only be transmitted over a secure HTTPS connection from the client.
If set to 1 (force HTTPS), the cookie will only be set if a secure (HTTPS) connection exists - use this in combination with lockSSL since otherwise the application will fail and throw an exception! If set to 2, the cookie will be set in each case, but uses the secure flag if a secure (HTTPS) connection exists.
 'cookieHttpOnly' => FALSE, // Boolean: When enabled the cookie will be made accessible only through the HTTP protocol. This means that the cookie won't be accessible by scripting languages, such as JavaScript. This setting can effectively help to reduce identity theft through XSS attacks (although it is not supported by all browsers).
 'doNotCheckReferer' => FALSE, // Boolean. If set, it's NOT checked numerous places that the refering host is the same as the current. This is an option you should set if you have problems with proxies not passing the HTTP_REFERER variable.
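Review bot: The second regex example kept on the rewritten `'cookieDomain'` comment line, `/\.(example1\.com)|(example2\.net)$/`, is anchored only on its right-hand alternative, because `|` binds more loosely than `$`; the `\.example1\.com` branch may match anywhere in the host name, so it does not behave like the first example. Because the whole match (`$match[0]` in getCookieDomain) becomes the cookie domain, the example should anchor the entire alternation, e.g. `/\.(example1\.com|example2\.net)$/`. The new sentence about FE/BE overrides would also be clearer if it stated the precedence, e.g. `A non-empty FE/BE value takes precedence over this SYS value.`, which is what the userauth change does.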
@@ -214,6 +214,7 @@
 'lockSSL' => 0, // Integer. 0,1,2,3: If set (1,2,3), the backend can only be operated from an ssl-encrypted connection (https). Set to 2 you will be redirected to the https admin-url supposed to be the http-url, but with https scheme instead. If set to 3, only the login is forced to SSL, then the user switches back to non-SSL-mode
 'lockSSLPort' => 0, // Integer. Use a non-standard HTTPS port for lockSSL. Set this value if you use lockSSL and the HTTPS port of your webserver is not 443.
 'enabledBeUserIPLock' => TRUE, // Boolean. If set, the User/Group TSconfig option 'option.lockToIP' is enabled.
+ 'cookieDomain' => '', // Same as $TYPO3_CONF_VARS['SYS']['cookieDomain'] but only for BE cookies. If empty, $TYPO3_CONF_VARS['SYS']['cookieDomain'] value will be used.
 'loginSecurityLevel' => '', // String. Keywords that determines the security level of login to the backend. "normal" means the password from the login form is sent in clear-text, "challenged" means the password is not sent but hashed with some other values, "superchallenged" (default) means the password is first hashed before being hashed with the challenge values again (means the password is stored as a hashed string in the database also), "rsa" uses RSA password encryption (only if the rsaauth extension is installed). DO NOT CHANGE this value manually; without an alternative authentication service it will only prevent logins in TYPO3 since the "superchallenged" method is hardcoded in the default authentication system.
 'showRefreshLoginPopup' => FALSE, // Boolean. If set, the Ajax relogin will show a real popup window for relogin after the count down. Some auth services need this as they add custom validation to the login form. If it's not set, the Ajax relogin will show an inline relogin window.
 'adminOnly' => 0, // Integer. -1,0,1,2: If it's a positive integer, only admin users can log into the backend - if it equals "2", regular backend users are allowed in CLI mode.
If it's a negative value, the backend and install tool are totally shut down for maintenance purposes.
@@ -325,6 +326,7 @@
 'sessionDataLifetime' => 86400, // Integer, positive. If >0, the session data will timeout and be removed after the number of seconds given (86400 seconds represents 24 hours).
 'permalogin' => 2, // Integer. -1: Permanent login for FE users disabled. 0: By default permalogin is disabled for FE users but can be enabled by a form control in the login form. 1: Permanent login is by default enabled but can be disabled by a form control in the login form. // 2: Permanent login is forced to be enabled. // In any case, permanent login is only possible if TYPO3_CONF_VARS[FE][lifetime] lifetime is > 0.
 'maxSessionDataSize' => 10000, // Integer. Setting the maximum size (bytes) of frontend session data stored in the table fe_session_data. Set to zero (0) means no limit, but this is not recommended since it also disables a check that session data is stored only if a confirmed cookie is set.
+ 'cookieDomain' => '', // Same as $TYPO3_CONF_VARS['SYS']['cookieDomain'] but only for FE cookies. If empty, $TYPO3_CONF_VARS['SYS']['cookieDomain'] value will be used.
 'lockHashKeyWords' => 'useragent', // Keyword list (Strings commaseparated). Currently only "useragent"; If set, then the FE user session is locked to the value of HTTP_USER_AGENT. This lowers the risk of session hi-jacking. However some cases (like payment gateways) might have to use the session cookie and in this case you will have to disable that feature (eg. with a blank string).
 'defaultUserTSconfig' => '', // String (textarea). Enter lines of default frontend user/group TSconfig.
 'defaultTypoScript_constants' => '', // String (textarea). Enter lines of default TypoScript, constants-field.
Index: t3lib/class.t3lib_userauth.php
===================================================================
--- t3lib/class.t3lib_userauth.php (revision 8607)
+++ t3lib/class.t3lib_userauth.php (working copy)
@@ -368,12 +368,17 @@
 protected function getCookieDomain() {
 $result = '';
 $cookieDomain = $GLOBALS['TYPO3_CONF_VARS']['SYS']['cookieDomain'];
+ // If a specific cookie domain is defined for a given TYPO3_MODE,
+ // use that domain
+ if (!empty($GLOBALS['TYPO3_CONF_VARS'][$this->loginType]['cookieDomain'])) {
+ $cookieDomain = $GLOBALS['TYPO3_CONF_VARS'][$this->loginType]['cookieDomain'];
+ }
 if ($cookieDomain) {
 if ($cookieDomain{0} == '/') {
 $matchCnt = @preg_match($cookieDomain, t3lib_div::getIndpEnv('TYPO3_HOST_ONLY'), $match);
 if ($matchCnt === FALSE) {
- t3lib_div::sysLog('The regular expression of $TYPO3_CONF_VARS[SYS][cookieDomain] contains errors. The session is not shared across sub-domains.', 'Core', 3);
+ t3lib_div::sysLog('The regular expression of for the cookie domain contains errors. The session is not shared across sub-domains.', 'Core', 3);
 } elseif ($matchCnt) {
 $result = $match[0];
 }