Forms authentication and authentication ticket cookie domain

I'm trying to configure a DEV environment to support sub-domains with authentication and session shared between them.

Currently, I have configured IIS and the hosts file on the DEV machine to handle requests for mydomain, sd1.mydomain, sd2.mydomain and sd3.mydomain. The web application itself is working as expected: I can browse all pages on all sub-domains, except the pages that require authentication. When I try to log in, everything looks perfect on the server side (user found, cookie created and added to the response), but the cookie does not arrive at the browser (I tried Chrome and IE).

I have code that creates and stores the authentication ticket, and I set domain=".mydomain" on authentication/forms in web.config:

using System;
using System.Web;
using System.Web.Security;

// Builds the forms-authentication ticket for an already-validated user (_user)
// and writes it to the response as the forms cookie. Same shape as what
// FormsAuthentication.SetAuthCookie does, but with the ticket built by hand so
// the cookie attributes can be controlled explicitly.
private void IssueAuthCookie(bool isPersistentCookie)
{
    var now = DateTime.UtcNow.ToLocalTime();

    var ticket = new FormsAuthenticationTicket(
        1 /*version*/, _user.Username, now, now.Add(FormsAuthentication.Timeout),
        isPersistentCookie, _user.Username /*userData*/, FormsAuthentication.FormsCookiePath);

    var encryptedTicket = FormsAuthentication.Encrypt(ticket);

    var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
    cookie.HttpOnly = true;                       // keep the ticket out of reach of script
    if (ticket.IsPersistent)
    {
        cookie.Expires = ticket.Expiration;       // session cookie unless "remember me"
    }
    cookie.Secure = FormsAuthentication.RequireSSL;
    cookie.Path = FormsAuthentication.FormsCookiePath;
    if (FormsAuthentication.CookieDomain != null)
    {
        cookie.Domain = FormsAuthentication.CookieDomain;   // domain="..." from <forms> in web.config
    }

    _httpContext.Response.Cookies.Add(cookie);
}

When I debug, the code above works fine: the user is correct and a cookie with the correct domain is added to the response.

If I remove domain=".mydomain" from web.config, authentication works, but only on mydomain and not on the sub-domains.

What am I doing wrong?

Alex Dn asked Jan 22 '26 16:01

1 Answer

Remove the dot at the beginning of the domain= value; you must have it as domain=".mydomain.com", with the first dot, as stated here http://www.w3.org/Protocols/rfc2109/rfc2109 (page 7). Thanks to @AlbatrossCafe for the comment.

This setting applies both to the cookie and to authentication.

Aristos answered Jan 25 '26 05:01
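As an added example, not code from the question or the answer above, here is a small Python checker that applies the cookie acceptance rules from RFC 2109 section 4.3.2 (the document the answer cites) to the situation in the question, and then uses the domain-match rule from RFC 6265 section 5.1.3 (what current browsers implement) to list which hosts a stored cookie is sent to. The host names, the candidate sub-domain list and the function names are constructed for illustration.

```python
"""Added example, not code from the original question or answer.

Offline checker for the cookie Domain attribute problem discussed above. The
accept/reject rules are the ones from RFC 2109 section 4.3.2, which the answer
cites; the send-scope rule is the domain-match algorithm from RFC 6265 section
5.1.3 (with its rule that a leading dot in the attribute is ignored), which is
what current browsers implement. Host names are constructed for illustration.
"""


def rfc2109_domain_match(host: str, domain: str) -> bool:
    """RFC 2109: A domain-matches B if A == B, or A has the form N+B with N
    non-empty and B starting with a dot (x.y.com matches .y.com, y.com does not)."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    return domain.startswith(".") and host.endswith(domain) and len(host) > len(domain)


def rfc2109_reject_reason(request_host: str, domain_attr: str,
                          request_path: str = "/", path_attr: str = "/"):
    """Return None if a user agent following RFC 2109 4.3.2 stores the cookie,
    otherwise the rule that makes it drop the cookie silently (which is what
    the asker observed: set on the server, never seen by the browser)."""
    if not request_path.startswith(path_attr):
        return "Path attribute is not a prefix of the request URI"
    if not domain_attr:
        return None  # no Domain attribute: host-only cookie, always accepted
    if not domain_attr.startswith("."):
        return "Domain attribute does not start with a dot"
    if "." not in domain_attr[1:]:
        return "Domain attribute contains no embedded dots"
    if not rfc2109_domain_match(request_host, domain_attr):
        return "request host does not domain-match the Domain attribute"
    # request-host = H + D; RFC 2109 requires H itself to contain no dot
    head = request_host.lower()[: -len(domain_attr)]
    if "." in head:
        return "request host has more than one label above the Domain attribute"
    return None


def rfc6265_domain_match(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3 domain-match, leading dot of the attribute ignored (5.2.3)."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    if not domain:
        return False
    if host == domain:
        return True
    return host.endswith("." + domain)


def hosts_receiving(set_on_host: str, domain_attr: str, candidates):
    """Which candidate hosts a stored cookie is sent to. Without a Domain
    attribute the cookie is host-only; with one it goes to every matching host."""
    if not domain_attr:
        return [h for h in candidates if h.lower() == set_on_host.lower()]
    return [h for h in candidates if rfc6265_domain_match(h, domain_attr)]


if __name__ == "__main__":
    # constructed hosts; "evil.com" is a control that must never match
    subs = ["mydomain.com", "sd1.mydomain.com", "sd2.mydomain.com",
            "deep.sd1.mydomain.com", "evil.com"]
    cases = [("sd1.mydomain", ".mydomain"),          # the asker's configuration
             ("sd1.mydomain.com", ".mydomain.com"),  # the answer's configuration
             ("sd1.mydomain.com", "")]               # no domain attribute at all
    for host, dom in cases:
        print(f"set on {host!r} with Domain={dom!r}: "
              f"{rfc2109_reject_reason(host, dom) or 'accepted'}; "
              f"sent to {hosts_receiving(host, dom, subs)}")
```

Running it shows the asker's configuration (cookie set on sd1.mydomain with Domain=.mydomain) rejected under the "no embedded dots" rule, while Domain=.mydomain.com set on sd1.mydomain.com is accepted and reaches mydomain.com and every sub-domain. Two things the checker also makes visible: RFC 2109 rejects a cookie on a host more than one label below the Domain value (deep.sd1.mydomain.com), and under its strict domain-match the bare host mydomain.com does not match .mydomain.com; RFC 6265 dropped both restrictions and ignores the leading dot, which is the behaviour modelled in hosts_receiving. RFC 6265 replaced the "embedded dots" test with a public-suffix check, which this example does not model.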


