The ruleset for *.tweakers.net doesn't enforce https for the subdomain awards.tweakers.net. Combined with the securecookie rule this causes the session-id cookie to be overwritten with a new one for a not-logged-in session. It probably is best to just be less specific wrt subdomains: <rule from="^http://([a-z]+\.)?tweakers\.net/" to="https://$1tweakers.net/" /> Also the exclusion rule for crossdomain.xml might not be necessary anymore, but I haven't checked that yet.