Authentication cookie with subdomains - asp.net

i have an asp.net website http://www.site.com. This web app is also running on http://subdomain1.site.com and http://subdomain2.site.com. Now i want to set authentication cookie in such a way that http://site.comand http://www.site.comshare authentication cookie but it should not be shared by http://subdomain1.site.com. similarly, http://www.domain1.site.com and http://domain1.site.com should share cookie but it should not be shared by http://domain2.site.com or http://www.domain2.site.com. How can i handle this with asp.net?

By default, cookies are associated with a specific domain. For example, if your site is www.contoso.com, the cookies you write are sent to the server when users request any page from that site. (This might not include cookies with a specific path value.) If your site has subdomains—for example, contoso.com, sales.contoso.com, and support.contoso.com—then you can associate cookies with a specific subdomain.
Response.Cookies["domain"].Domain = "support.contoso.com";
Normally a cookie set on contoso.com will be accessed by all subdomain. but if you want to limit sub domain for the cookie you should manually set domain property for each domain you want them to access.
Regards.

I ended up using different cookie names on different domains as described in this article

Related

Share cookie between domains

I have a cookie generated on a domain www.foo.bar that I need to share with another website located on www.something.com.bar.
Both sites are hosted on the same server.
Can I do that, and if yes, how?
Thanks.
No, you cannot share cookies across domains. The browser will only send a cookie to the domain (or sub-domains there of) that initially set it.
Read up on the Same origin policy / Cookie policy

How to apply Domain Shared session

I have the one application that can be access from 2 different domains. the application shows data depending on the domain used.
I need the client who logged in domain1 will be also logged in within domain2 access.
Its not so easy as its sound because a cookie is used for the validation and the cookie can not be set from different domains.
Read this post on meta on how stackoverflow make it work: https://meta.stackexchange.com/questions/64260/how-does-sos-new-auto-login-feature-work
Also you can read the Global Network auto-login article.

Cookieless sub domain

I have one dome name. www.abc.com
and i want to speedup all images an d static content from cookies domain.
what i require to do with that?
i want to create new sub domain with name static.abc.com but that time also cookie coming with both domain.
i am user dotnet panel for hosting.
technology is .net
There are two ways to accomplish this. You could set the cookie for FQDN (fully-qualified domain name) of www.abc.com, but this would restrict the cookies to just www.abc.com. This may be stricter than you want.
The more common solution it to register a completely separate domain for cookieless hosting. This is used by many websites already.
Google uses gstatic.com
Facebook uses twimg.com (I think)
Yahoo uses yimg.com (I think)
EBay uses ebaystatic.com
etc.
When you create a cookie, set it's Domain property to ".abc.com", that way the cookie will be shared by both the www.abc.com and static.abc.com subdomains.

Asp.net forms authentication and multiple domains

I have two domains, domain1.com and domain2.com pointing at the same asp.net website which uses asp.net build in form authentication. The problem is that even if the domains point to the same website the user only get authenticated for one domain at a time. So if he uses www.domain1.com first and then visits www.domain2.com it's the same website in the back but he only is authenticated for www.domain1.com. The same thing happens if he uses www and not www when visiting the sites.
This is what I use to login:
FormsAuthentication.RedirectFromLoginPage(username, cookie.Checked);
To check login:
User.Identity.IsAuthenticated
How can I make the user gets authenticated for all domains that points to the same website?
What you're after is a Single Sign-on solution.
As ASP.NET authentication is at it's heart generally cookie based, there are two things to look at:
Set your cookies correctly.
Bounce your users to the alternative domain during signup.
Looking at both of these in more depth:
1. Setting cookies correctly
You need to ensure that ASP.NET is writing the authentication ticket cookies to the root domain, rather than the explicit domain this is done using the domain attribute of the forms element:
<forms
name="name"
loginUrl="URL"
defaultUrl="URL"
domain=".example.com">
</forms>
You should set your domain to ".example.com" - note the leading period - this is the key. This way requests to example.com and www.example.com will both read the cookie correctly, and authenticate the user.
2. Bounce users to the alternative domain
What we have implemented on a few sites that use a single sign on is a round trip login process. The user authenticates on the first domain, we encrypt the login details, and redirect them to a known page on the second domain, log them in there, and then redirect back to the original server.
This client side redirection is important - cookies are only written when there is a response back to the client, and the browser has to visit the second domain to actually see the cookies.
Other details to consider in this sort of set-up:
You probably want to have a timeout on the encrypted sign-in details - so that recalling that URL from the browser history doesn't automatically log the user in.
If the domains are on different servers, you will need to ensure that either the machine keys are configured the same, so that you can encrypt and decrypt the details correctly, or use some other shared key.
You will probably want to have a mechanism in place to recall the users ReturnUrl from the original server so that you can send them back to the correct place.
You could also take a look at "Forms Authentication Across Applications"
You could try setting cookieless="true".
You should read Explained: Forms Authentication on MSDN. They cover Cross-Domain Authentication.

Sharing ASP.NET authentication between sites

We are launching a new web site using a sub-domain and need to ensure that users logging in to the original (main domain) site, are also authenticated in the new site.
I believe I need to ensure all related web.config settings (forms authentication, cookie names etc) are the same in both applications and also manually set the machineKey validationKey/decryptionKeys (again, the same in both apps).
My question is, if I now manually set theses keys in my main app, will it break the existing logins?
We are using the "hashed" format for passwords.
Depends what you mean by "break". If you modify the machineKeys/encryptiong keys people might have to log back in but the login functionality will continue to work as before.
You also need to make sure that the domain for your cookie are set to domain.com in both places (without the www) or the authentication cookies will not be shard correctly between the sites.

Resources