So I have a site sitting on URL "mysite.com" and another site on "subdomain.mysite.com". User accounts are stored in "mysite.com", so when I need to log in on "subdomain.mysite.com" I take the user to "mysite.com", they enter their credentials, I authenticate them normally and make sure that the authentication cookie is usable in "subdomain.mysite.com" by setting the domain in the cookie as follows:
HttpCookie cookie = FormsAuthentication.GetAuthCookie(username, true);
cookie.Domain = ".mysite.com";
Response.Cookies.Add(cookie);
Then I redirect them back to "subdomain.mysite.com" and the user is thankfully authenticated there.
Everything works well except when logging out. When the user tries to log out from any site, I remove the authentication cookie as expected:
FormsAuthentication.SignOut();
But for some reason the cookie is not being removed, and the user stays logged in.
I have tried deleting the cookie directly using Request.Cookies[FormsAuthentication.FormsCookieName] but still nothing. Chrome is holding on to the cookie really tight for some reason: I can see it in Chrome's developer tools.
What am I doing wrong? Help!
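An added example, not part of the original post: a browser identifies a cookie by name, domain and path, so the expired cookie sent at logout only replaces the login cookie if it carries the same Domain (".mysite.com") and path. The class and method names are hypothetical, and the domain constant is assumed from the login code in the question.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example: hypothetical helper, not code from the original post.
public static class SharedDomainSignOut
{
    // Assumption: must equal the value assigned to cookie.Domain at login.
    private const string SharedCookieDomain = ".mysite.com";

    // Call with Response.Cookies from the logout handler on either site.
    public static void SignOut(HttpCookieCollection responseCookies)
    {
        if (responseCookies == null)
            throw new ArgumentNullException("responseCookies");

        // Sends an expired forms-auth cookie. It carries a Domain attribute
        // only when <forms domain="..."> is set in web.config, so on its own
        // it does not match a cookie that was issued for ".mysite.com".
        FormsAuthentication.SignOut();

        // Expired cookie with the same name, domain and path as the login
        // cookie, so the browser replaces and then discards that cookie.
        var expired = new HttpCookie(FormsAuthentication.FormsCookieName, string.Empty)
        {
            Domain = SharedCookieDomain,
            Path = FormsAuthentication.FormsCookiePath,
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL
        };
        responseCookies.Add(expired);
    }
}
```

Reading or removing entries in Request.Cookies changes only the server's copy of the incoming request; the browser drops a cookie only when the response carries a matching expired Set-Cookie. Setting domain=".mysite.com" on the forms element in web.config on both sites makes GetAuthCookie and FormsAuthentication.SignOut() use that domain without the manual cookie.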