Mistery solved:

the session part was correctly configured; the problem was that I requested the login page at http://webpage/ and after the auth the login script redirected the user at http://webpage.domain. I suppose the cookie was valid only for a domain. My bad ;P