
I have a domain http://abc.com and a subdomain http://sub.abc.com. I'm implementing single sign-on between the two sites by sharing the forms authentication cookie. This is implemented by having both sites share the validationKey and decryptionKey in the machineKey.

When the user hits a page in the subdomain I want the user authenticated in the root domain and redirected back to the subdomain. The user is redirected to the login page currently but the ReturnUrl wants to redirect to the root site.

Eg. Currently: http://abc.com/login.aspx?ReturnUrl=%2fsecure%2fdefault.aspx

but I want: http://abc.com/login.aspx?ReturnUrl=http:%2f%2fsub.abc.com%2fsecure%2fdefault.aspx

How can this be achieved?

In my subdomain's web.config I have the auth configured like this currently:

<authentication mode="Forms">
  <forms name=".ASPNET" loginUrl="http://abc.com/login.aspx" protection="All" timeout="1440" path="/" domain="abc.com" enableCrossAppRedirects="true" />
</authentication>
LordHits
  • If you want cookies from abc.com to be accessible to sub.abc.com, I believe you'll need to set the domain to ".abc.com" rather than just "abc.com". Not sure about the ReturnUrl thing though. You might have to do it manually by checking the UrlReferrer. – Daniel Schaffer Feb 11 '11 at 17:38
  • Wouldn't you need a wildcard like *.abc.com for the domain? – Grahame A Feb 11 '11 at 17:42
  • @Daniel Schaffer, will I need to set ".abc.com" in the configs of both sites? Or just the subdomain's? – LordHits Feb 11 '11 at 17:43
  • @Gallen, with cookies, the . before the domain *is* the wildcard. @LordHits, yes, I believe you'll need to do it on both sites. Fair warning - I've used FormsAuthentication, and I've worked with sharing cookies between subdomains, but not both at the same time. I'm mostly guessing here, which is why I'm using comments and not answers. – Daniel Schaffer Feb 11 '11 at 17:52
  • Regarding the domain attribute, the way I have it in my post works for all subdomains too. No need for ".abc.com" or "*.abc.com". – LordHits Feb 14 '11 at 22:50

3 Answers

I solved this by setting a querystring in my forms element from my subdomain:

<authentication mode="Forms">
    <forms name=".ASPNET" loginUrl="http://abc.com/login.aspx?returnsite=sub" protection="All" timeout="1440" path="/" domain="abc.com" enableCrossAppRedirects="true" />
</authentication>

Then in my auth code in my main website, I check for that querystring. If it exists I build the redirect url by appending my subdomain to the returnurl.

That returnsite querystring is really only acting as a flag that I need to redirect to a known subdomain else it will work with just the redirecturl to the current domain. This should (in theory) prevent cross site scripting.

LordHits
  • I like this better than the other solutions because it doesn't expose a generic method of redirecting to an unauthorized location, which is a major tool for phishing attacks. – Paul Alexander May 07 '12 at 16:41
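The login-page logic the accepted answer describes, written out as an added example (this is not code from the question or the answer). It assumes a hypothetical helper class `ReturnUrlBuilder` and a fixed allow-list `KnownSites` that maps the `returnsite` flag value ("sub") to the only host it may stand for; the flag never carries a host name itself, and the `ReturnUrl` is only accepted when it is a site-relative path, so neither parameter can be used to redirect off the known sites.

```csharp
// Added example (not from the original question or answers). Shows the
// main site's login code checking the "returnsite" flag that the
// subdomain's <forms loginUrl="...?returnsite=sub"> puts on the login URL,
// and building the redirect target only for a known subdomain.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;

public static class ReturnUrlBuilder
{
    // Hypothetical allow-list: flag value -> authority that the flag stands
    // for. Only hosts listed here can ever be redirected to, which is what
    // keeps this from being a generic open redirect.
    private static readonly Dictionary<string, string> KnownSites =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "sub", "http://sub.abc.com" },
        };

    // returnSite: Request.QueryString["returnsite"] (may be null)
    // returnUrl:  Request.QueryString["ReturnUrl"]  (may be null)
    public static string Build(string returnSite, string returnUrl)
    {
        // Fall back to the configured defaultUrl when ReturnUrl is missing
        // or is not a plain site-relative path (e.g. "//evil.example" or
        // "http://evil.example"), so the unflagged case stays on this site.
        string path = string.IsNullOrEmpty(returnUrl)
            ? FormsAuthentication.DefaultUrl
            : returnUrl;
        if (!IsSiteRelativePath(path))
            path = FormsAuthentication.DefaultUrl;

        // No flag: behave exactly like stock forms auth, redirect locally.
        if (string.IsNullOrEmpty(returnSite))
            return path;

        // Unknown flag value: ignore it rather than trusting it.
        string authority;
        if (!KnownSites.TryGetValue(returnSite, out authority))
            return path;

        // Known subdomain: prefix the relative path with its authority.
        return authority + path;
    }

    // Accepts "/secure/default.aspx" but rejects scheme-relative ("//host"),
    // backslash-prefixed ("/\host", which browsers normalise to "//host")
    // and absolute URLs.
    private static bool IsSiteRelativePath(string url)
    {
        return url.StartsWith("/", StringComparison.Ordinal)
            && !url.StartsWith("//", StringComparison.Ordinal)
            && !url.StartsWith("/\\", StringComparison.Ordinal);
    }
}

// Usage in login.aspx.cs once credentials have been verified (assumed code):
//
//   FormsAuthentication.SetAuthCookie(userName, false);
//   string target = ReturnUrlBuilder.Build(
//       Request.QueryString["returnsite"],
//       Request.QueryString["ReturnUrl"]);
//   Response.Redirect(target, true);
//
// With the subdomain's loginUrl set to "http://abc.com/login.aspx?returnsite=sub",
// ASP.NET appends "&ReturnUrl=%2fsecure%2fdefault.aspx", and Build() returns
// "http://sub.abc.com/secure/default.aspx". Without the flag, or with an
// unknown flag, it returns "/secure/default.aspx" on abc.com itself.
```

The cookie itself still has to be readable by both hosts (shared machineKey and a cookie domain covering the subdomain, as the question already configures); this example only decides where the browser is sent after the cookie is set.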

You can work around this problem by passing an authentication ticket in a query string parameter rather than in a cookie. This may help you

UPDATE
Now look at this link http://www.developer-corner.com/development/dotnet/single-sign-on-across-multiple-asp-net-applications/

UPDATE
You can also use the FormsAuthentication.GetRedirectUrl method

Student
  • This seems a little messy. The querystring could become extremely lengthy if the cookie's value is in there. My issue is not really the cookie though, which I've managed to share between domains. It's just about getting the ReturnURL querystring to be correct. – LordHits Feb 11 '11 at 20:17
  • OK, now look at this link http://www.developer-corner.com/development/dotnet/single-sign-on-across-multiple-asp-net-applications/ – Student Feb 11 '11 at 21:43
  • That's a good read on single sign-on but it doesn't answer my question with respect to the ReturnURL. – LordHits Feb 11 '11 at 22:19
  • You can also use the FormsAuthentication.GetRedirectUrl method – Student Feb 11 '11 at 23:24