Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Cross Domain Cookies With FormsAuthentication

I know the security risk associated and have brought it up with the business, but they want to have their 5 domains to share the login cookie.

We are using and have no plan to stop using ASP.Net Membership and Profiles. Is this possible? A hack would even be greatly appreciated.

like image 824
Jeremy Boyd Avatar asked Feb 16 '09 20:02

Jeremy Boyd


3 Answers

It is not possible with out of the box ASP.NET.

Forms based authentication is based on a cookie and cookies can only be set to a specific domain.

If you want true cross domain (not sub domains) shared authentication, you need a Single Sign On solution.

I've rolled my own and it's relatively simple. The basic principle is that you have a master domain which holds your authentication cookie (ticket). You then redirect to that domain from all other domains. It's not really pretty, but event Microsoft Passport worked that way.

You can find a lot of examples on the net, take a look at these two links:

Authentication cookies

Cross domain authentication

like image 56
markom Avatar answered Oct 13 '22 23:10

markom


You may setup all these domains as sub-domains for your company:

www.company.com
shop.company.com
sales.company.com
research.company.com
..

then you will be able to set cookie to the parent domain and it will be visible for all sub-domains.

var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket);
cookie.Domain = ".company.com";
Repsonse.Cookies.Add(cookie);

Regards, Max Chernyshov http://prontocoder.com

like image 39
Max Chern Avatar answered Oct 14 '22 00:10

Max Chern


Not only with ASP.Net is this not possible, but not at all. Cookies are always domain-specific - no commercial browser will work any other way. This is by design and very much necessary to prevent widespread abuse of cookies. Muerte pointed you into the right direction (single sign-on).

like image 3
cdonner Avatar answered Oct 14 '22 01:10

cdonner