Cross Domain Cookies With FormsAuthentication

Question

I know the security risk associated and have brought it up with the business, but they want to have their 5 domains to share the login cookie.

We are using and have no plan to stop using ASP.Net Membership and Profiles. Is this possible? A hack would even be greatly appreciated.

Answer 1

It is not possible with out of the box ASP.NET.

Forms based authentication is based on a cookie and cookies can only be set to a specific domain.

If you want true cross domain (not sub domains) shared authentication, you need a Single Sign On solution.

I've rolled my own and it's relatively simple. The basic principle is that you have a master domain which holds your authentication cookie (ticket). You then redirect to that domain from all other domains. It's not really pretty, but event Microsoft Passport worked that way.

You can find a lot of examples on the net, take a look at these two links:

Authentication cookies

Cross domain authentication

Answer 2

You may setup all these domains as sub-domains for your company:

www.company.com
shop.company.com
sales.company.com
research.company.com
..

then you will be able to set cookie to the parent domain and it will be visible for all sub-domains.

var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket);
cookie.Domain = ".company.com";
Repsonse.Cookies.Add(cookie);

Regards, Max Chernyshov http://prontocoder.com

Answer 3

Not only with ASP.Net is this not possible, but not at all. Cookies are always domain-specific - no commercial browser will work any other way. This is by design and very much necessary to prevent widespread abuse of cookies. Muerte pointed you into the right direction (single sign-on).