 

How to set the forms authentication cookie path

On the same IIS web site, I have two ASP.NET web applications called /foo and /bar. Both use forms authentication and I want users to be able to log in and out of both sites independently.

With the standard configuration for forms authentication, it seems to send a cookie path of "/" for the forms auth cookie. This means that when a user logs into /bar it logs him out of /foo which is undesirable behaviour for me.

The obvious solution seems to be this:

FormsAuthentication.RedirectFromLoginPage(username, false, Request.ApplicationPath);

This makes the forms auth cookie have the application path, which allows the user to log into /foo and /bar independently :-) However, there is a further and more nasty problem: if the user tries to log into /Foo (with a capital F), IIS directs them to the web application /foo, but they can never log in because the browser (Chrome in this case) is case sensitive when deciding whether to send the cookie based on the cookie path.

This seems to be a common problem which every ASP.NET web app developer will face, but I can't see a sensible solution for it. Please tell me I've missed something obvious?

Thanks

Andy

Andy asked Apr 09 '12 08:04



1 Answer

I assume you have already solved this issue somehow, but since I stumbled upon this question I thought I should add my few cents.

To solve the issue, use different cookie names in web.config. Something like:

<authentication mode="Forms">
  <forms name=".ASPXFORMSAUTH_FOO"
      loginUrl="public/login.aspx" cookieless="UseCookies" slidingExpiration="true"/>
</authentication>

and

<authentication mode="Forms">
  <forms name=".ASPXFORMSAUTH_BAR"
      loginUrl="public/login.aspx" cookieless="UseCookies" slidingExpiration="true"/>
</authentication>

user1429080 answered Oct 12 '22 23:10
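
The three situations discussed in the question and the answer, replayed against a small cookie jar that applies the case-sensitive path-match rule of RFC 6265 section 5.1.4. This is an added example, not code from either poster: `.ASPXAUTH` is the ASP.NET default forms cookie name, and the request paths and ticket values are constructed.

```javascript
// Added example: single-host cookie jar using the RFC 6265 path-match rule.
// Cookie names follow the page; paths and ticket values are constructed.

// RFC 6265 section 5.1.4 path-match. The comparison is case-sensitive.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

class CookieJar {
  constructor() { this.cookies = new Map(); }
  // A cookie is identified by name + path (the host is fixed here), so
  // setting the same name and path again overwrites the earlier value.
  set(name, value, path) {
    this.cookies.set(`${name};${path}`, { name, value, path });
  }
  // "name=value" pairs the browser would attach to a request for requestPath.
  sentTo(requestPath) {
    return [...this.cookies.values()]
      .filter((c) => pathMatch(requestPath, c.path))
      .map((c) => `${c.name}=${c.value}`)
      .sort();
  }
}

// 1. Same cookie name, Path="/": the /bar login replaces the /foo ticket.
function sharedNameRootPath() {
  const jar = new CookieJar();
  jar.set(".ASPXAUTH", "ticket-foo", "/");
  jar.set(".ASPXAUTH", "ticket-bar", "/");
  return jar.sentTo("/foo/default.aspx");
}

// 2. Path set to the application path "/foo", then the user browses to /Foo.
function appPathWithDifferentCase() {
  const jar = new CookieJar();
  jar.set(".ASPXAUTH", "ticket-foo", "/foo");
  return { lower: jar.sentTo("/foo/default.aspx"), upper: jar.sentTo("/Foo/default.aspx") };
}

// 3. The answer's configuration: distinct cookie names, Path="/".
function distinctNamesRootPath() {
  const jar = new CookieJar();
  jar.set(".ASPXFORMSAUTH_FOO", "ticket-foo", "/");
  jar.set(".ASPXFORMSAUTH_BAR", "ticket-bar", "/");
  return jar.sentTo("/Foo/default.aspx");
}

console.log(sharedNameRootPath(), appPathWithDifferentCase(), distinctNamesRootPath());
```

In the third case both cookies survive and are sent regardless of URL casing, which also means every request to /foo carries the /bar cookie and vice versa.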