I've 2 web sites, the first one is myFirst.domain.com and the second one is mySecondSite.domain.com.

They stay on two different web servers and my goal is to allow cross site authentication (my real need is shared FormsAuthentication Cookie).

I've correctly set up my web.config file (machine key node, forms node). The only difference is loginUrl, which on myFirstSite appears as ~/login.aspx and on mySecondSite appears as http://myFirstSite.com/login.aspx.

Note that I've not got a virtual directory, I've just 2 different web apps.

The problem: When I reach myFirstSite login page from mySecondSite I never get redirected from the login page, it seems like a cookie isn't being written.

The following are a few snippets about the issue:

MyFirstSite:

    <machineKey validationKey="..." decryptionKey="..." validation="SHA1" decryption="AES" />
    <authentication mode="Forms">
        <forms loginUrl="login.aspx" name="authCookie" enableCrossAppRedirects="true"></forms>
    </authentication>
    <authorization>
        <deny users="?" />
        <allow users="*"/>
    </authorization>

MyFirstSite code behind:

    FormsAuthenticationTicket fat = new FormsAuthenticationTicket(1, "userName..", DateTime.Now, DateTime.Now.AddMinutes(30), true, "roles..");

    string ticket = FormsAuthentication.Encrypt(fat);

    HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, ticket);
    authCookie.Expires = fat.Expiration;
    authCookie.Domain = "myDomain.com";
    Response.Cookies.Add(authCookie);

    // Here is other stuff about querystring checking in order to execute exact redirect, however it's not working, I always return to the login page.

MySecondSite:

    <machineKey validationKey="..." decryptionKey="..." validation="SHA1" decryption="AES"/>
    <authentication mode="Forms">
        <forms loginUrl="http://myFirstSite.domain.com/login.aspx?queryStringToIndicateUrlPage" enableCrossAppRedirects="true"></forms>
    </authentication>
    <authorization>

Well, that's all. Unfortunately it doesn't work.

Please don't pay attention to queryStringToIndicateUrlPage, it's only a simple workaround in order to know whether I must redirect on the same app or on the other one.

Martin-Brennan
bit

1 Answer

As you're using cookie based authentication shared between two domains, you'll need to indicate this in the <forms> element:

    <machineKey validationKey="..." decryptionKey="..." validation="SHA1" decryption="AES"/>
    <authentication mode="Forms">
        <forms domain=".domain.com" ... />
    </authentication>

Note the initial "." in front of the domain name, which enables sharing of cookies between subdomains.

Ruben
  • I've already tried specifying the domain name but it doesn't work anyway. – bit Sep 03 '12 at 21:02
  • @bit: Your sample code uses authCookie.Domain = "myDomain.com", it should be ".myDomain.com". Did you try that? – Ruben Sep 03 '12 at 21:21
  • Yes I did. I did try many other solutions too without luck. It seems impossible to achieve. – bit Sep 03 '12 at 21:33
  • Important: in my example I said myFirstSite.myDomain.com and mySecondSite.MyDomain.com for simplicity. In reality, the addresses are myFirstSite.xxx.yyy.com and mySecondSite.xxx.yyy.com, so my cookie domain string will be ".xxx.yyy.com". I've read that more than 2 dots can cause issues. Is it possible? – bit Sep 04 '12 at 08:33
  • @bit: The first thing I'd check if I were you is whether the cookies actually stick. Forget about the authentication after that, can you see the cookies being set properly? Look at the Set-Cookie and Cookie headers with a network tracer (IE has that built in, you can use Firebug under Firefox). – Ruben Sep 04 '12 at 21:29
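
Added example, not part of the original question, answer or comments: a check that applies the RFC 6265 Domain rules to a Set-Cookie header copied from a network trace, to tell whether the browser stores the cookie and returns it to the second site. The host names reuse the placeholders from the thread, the header values are constructed, and public-suffix rejection and IP-address hosts are not modeled.

```javascript
// Added example: RFC 6265 cookie scoping. All sample values are constructed.

// RFC 6265 section 5.2.3: lower-case the Domain value and drop one leading dot.
function normalizeDomain(value) {
  const d = value.trim().toLowerCase();
  return d.startsWith(".") ? d.slice(1) : d;
}

// RFC 6265 section 5.1.3: host equals the domain, or ends with "." + domain.
// (The RFC also excludes IP-address hosts; that case is not handled here.)
function domainMatches(host, domain) {
  host = host.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Pull the cookie name and the Domain attribute out of a Set-Cookie value.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";");
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq).trim(), domain: null };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    if (key === "domain" && i >= 0 && attr.slice(i + 1).trim() !== "") {
      cookie.domain = normalizeDomain(attr.slice(i + 1));
    }
  }
  return cookie;
}

// Would a browser store the cookie from settingHost, and send it to otherHost?
function checkCookieSharing(header, settingHost, otherHost) {
  const c = parseSetCookie(header);
  if (c.domain === null) {
    // Host-only cookie: returned only to the exact host that set it.
    const same = settingHost.toLowerCase() === otherHost.toLowerCase();
    return { stored: true, sent: same, scope: "host-only" };
  }
  if (!domainMatches(settingHost, c.domain)) {
    // The setting host is outside the Domain value: the cookie is discarded.
    return { stored: false, sent: false, scope: c.domain };
  }
  return { stored: true, sent: domainMatches(otherHost, c.domain), scope: c.domain };
}

const A = "myFirstSite.xxx.yyy.com", B = "mySecondSite.xxx.yyy.com";
console.log(checkCookieSharing("authCookie=TICKET; domain=.xxx.yyy.com; path=/", A, B));
console.log(checkCookieSharing("authCookie=TICKET; domain=myDomain.com; path=/", A, B));
console.log(checkCookieSharing("authCookie=TICKET; path=/", A, B));
```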