I have several applications, and one of them is a central application that manages authentication, from which a LogOn page is imported as an IFrame into the other applications.
When the userName and password are correct, I create a cookie named userInfo.
Now, in the current app, I want to check if the userInfo cookie exists. I think I should check whether it exists in the browser (on the client side).
It must be possible, so how can I do it?
Thanks in advance.
Cookies cannot be shared cross domain. If your applications are not hosted on the same domain you have to forget about this. It won't work because browsers (for obvious security reasons) do not send cookies cross domain. There are other ways to implement cross domain single sign on (see the second part of my answer).
Now let's suppose that your applications are on the same domain and you have multiple applications spread over different sub-domains of the root domain, and you want to share authentication between those sub-domains. All you have to do is set the domain property in your web.config to the root domain:
<authentication mode="Forms">
<forms
loginUrl="https://login.foo.com"
requireSSL="true"
protection="All"
timeout="120"
domain="foo.com"
slidingExpiration="false"
name="sso" />
</authentication>
The same configuration should be applied to the web.config of all applications. And that's pretty much all you need to do. Once the user is authenticated on one of the sub-domains he will automatically be authenticated on the others, thanks to the fact that cookies can be shared across sub-domains.
If you want to achieve cross domain single sign on then you will have to take a different approach. You could use the same machine keys between the different applications to encrypt the authentication token. Here are the steps:
1. The user navigates to https://foo.com and is presented with a Logon screen because he is not authenticated on this domain yet.
2. The user logs in and is authenticated on the foo.com domain.
3. Now the user needs to go to https://bar.com and be automatically authenticated on this domain. On some page on https://foo.com you could create a form containing the value of the authentication cookie to be posted:
<form action="https://bar.com" method="post">
<input type="hidden" name="token" value="PUT THE VALUE OF THE AUTHENTICATION COOKIE HERE" />
<button type="submit">Go to bar.com</button>
</form>
4. The user submits this form to bar.com. The script that receives this form submission reads the authentication token value that was posted and uses the FormsAuthentication.Decrypt method to decrypt the authentication ticket and read the user name. Since both applications on foo.com and bar.com use the same machine keys, the ticket that was encrypted on foo.com will be successfully decrypted by bar.com.
5. bar.com, having extracted the authenticated username from the token, emits a forms authentication cookie valid on bar.com using the FormsAuthentication.SetAuthCookie method.
The whole security of this model relies on the fact that SSL is used when POSTing the forms authentication token from foo.com to bar.com, so the token cannot be captured by a man-in-the-middle, and that both applications share the same machine keys for encrypting and decrypting those tokens.
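As an added illustration (my example, not code from the answer above), here is the script on bar.com that receives the posted token, decrypts it with the shared machine keys and issues bar.com's own forms cookie, written as an ASP.NET IHttpHandler. The class name, the /sso.ashx path it would be mapped to and the "/" landing page are assumptions; it requires HTTPS and rejects expired tickets, since Decrypt alone only proves the ticket was sealed with the shared keys.

```csharp
// Added example: bar.com side of the cross-domain SSO hand-off.
// Assumes both applications have an identical <machineKey> in web.config
// and that this handler is registered at /sso.ashx (hypothetical path).
using System;
using System.Web;
using System.Web.Security;

public class SsoReceiver : IHttpHandler
{
    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpRequest request = context.Request;
        HttpResponse response = context.Response;

        // The model relies on SSL to keep the ticket from being captured,
        // so refuse plain HTTP and anything other than the form POST.
        if (!request.IsSecureConnection || request.HttpMethod != "POST")
        {
            response.StatusCode = 403;
            return;
        }

        string token = request.Form["token"];
        FormsAuthenticationTicket ticket = null;
        if (!string.IsNullOrEmpty(token))
        {
            // Decrypt throws on a malformed or tampered token, or when the
            // machine keys differ; treat any failure as "not authenticated".
            try { ticket = FormsAuthentication.Decrypt(token); }
            catch (Exception) { ticket = null; }
        }

        // A replayed old ticket still decrypts, so check expiry explicitly.
        if (ticket == null || ticket.Expired)
        {
            response.Redirect(FormsAuthentication.LoginUrl, true);
            return;
        }

        // Issue a non-persistent forms cookie for bar.com under the user
        // name carried in the ticket, then send the user on.
        FormsAuthentication.SetAuthCookie(ticket.Name, false);
        response.Cache.SetCacheability(HttpCacheability.NoCache);
        response.Redirect("/", true);
    }
}
```

On the foo.com side, the hidden field's value is the current Request.Cookies[FormsAuthentication.FormsCookieName].Value, HTML-attribute-encoded when written into the form.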