1

I have Forms authentication set up for an ASP.NET 4.0 application on http://example.com - we'll call it MainApp. I also have an ASP.NET 4.0 app running on http://static.example.com (let's call it SubApp), which doesn't have access to the main app.

Now, SubApp needs to figure out usernames of users who first logged in to the MainApp and then came to SubApp. I thought that it's enough for those two apps to have the same machine keys and for the SubApp to specify in web.config, so it could read the MainApp's authentication cookie and get username from it.

I did a simple test and when I try to hit some page on SubApp it keeps redirecting to http://static.example.com/login.aspx - which doesn't even exist and isn't specified in web.config. Apparently my approach doesn't work, though I don't understand why - main domain's cookie should be accessible on a subdomain, right?

This is how I configure authentication in SubApp:

<authentication mode="Forms">
    <forms domain="example.com"/>
</authentication>

<authorization>
    <allow users="*"/>
</authorization>
Andrey

2 Answers

3

You could try setting the domain property of the <forms> tag in web.config for both applications:

<authentication mode="Forms">
  <forms 
      loginUrl="~/Account/LogOn" 
      timeout="2880" 
      domain="example.com"
  />
</authentication>

This will effectively set the authentication cookie validity for both example.com and static.example.com, meaning that a user who authenticated on the first domain will automatically be authenticated on the second.

Darin Dimitrov
  • Thanks Darin, it seems to work now - I can get logged in user's name from HttpContext. But I see another problem - when the user is not logged in, it still redirects them to login.aspx page, even though I added to web.config on SubApp. Any ideas? – Andrey Mar 21 '11 at 22:22
  • @Andrey, how are you handling authentication in the SubApp? Who is redirecting? Why are you allowing all users? – Darin Dimitrov Mar 21 '11 at 22:26
  • My SubApp is just one handler which I'm using to post some file uploads from users. All I want to do in that handler is to see if the user is authenticated and proceed with saving the posted file, or return 401 if the user is not authenticated. I don't need any login page because a user shouldn't interact with SubApp other than via the upload handler. I updated the question with auth configuration of SubApp – Andrey Mar 21 '11 at 22:31
  • @Andrey, what I don't understand is if you have written some custom logic in this handler which verifies if the user is authenticated and then return 401. – Darin Dimitrov Mar 21 '11 at 22:39
  • Basically, the handler checks HttpContext.Current.Identity.User.IsAuthenticated, and if that's false it just assigns Response.StatusCode = 401; otherwise it proceeds with the logic. But now, it doesn't even call the handler if user is not authenticated, it redirects to some login page, and that's what I'm trying to avoid. – Andrey Mar 22 '11 at 01:42
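
As an added example (not part of the answer or of the asker's configuration): a web.config fragment listing the settings that MainApp and SubApp both have to carry so that SubApp can decrypt and validate the ticket MainApp issues. The key values are placeholders, and the HMACSHA256/AES algorithm choices and the cookie name are assumptions.

```xml
<!-- Added example. Place the same machineKey and forms settings in the
     web.config of both MainApp and SubApp. Key values are placeholders. -->
<configuration>
  <system.web>
    <!-- Explicit keys are required: the default "AutoGenerate,IsolateApps"
         derives separate keys per application, so a ticket issued by
         MainApp would fail validation in SubApp. -->
    <machineKey
        validationKey="PLACEHOLDER_HEX_KEY_IDENTICAL_IN_BOTH_APPS"
        decryptionKey="PLACEHOLDER_HEX_KEY_IDENTICAL_IN_BOTH_APPS"
        validation="HMACSHA256"
        decryption="AES" />

    <authentication mode="Forms">
      <!-- name, path and protection must match in both apps.
           domain="example.com" makes the browser send the cookie to
           example.com and to every host below it, so every application
           hosted under that domain receives the ticket and has to be
           trusted with it.
           loginUrl is per application; when it is omitted, Forms
           authentication redirects to the default, login.aspx. -->
      <forms
          name=".ASPXAUTH"
          domain="example.com"
          path="/"
          protection="All"
          loginUrl="~/Account/LogOn"
          timeout="2880" />
    </authentication>
  </system.web>
</configuration>
```

If both hosts are served over HTTPS, adding requireSSL="true" to the forms element keeps the ticket off plain HTTP; it is left out here because the URLs in the question are http://.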
0

Darin is brilliant.

I have a main domain calling a sub-domain (with window.open...) with forms authentication on both...would work on my dev machine and Chrome in the cloud but not IE10 in the cloud.

Basically they both use the same database so passed a guid that was stored in the database by the main domain to the subdomain. This was then validated from the querystring and the identity set by FormsAuthentication.SetAuthCookie(MyUserID.ToString)

I
- tried the hotfix update on the server (thanks to
- added a browser file
- set cookieless="UseCookies" in web.config

but it wasn't until I set the domain property to the root domain that it worked in IE10...4 days of research for 1 little problem.

Yes !!!!!

SuperRoo
  • This belongs to a comment, not to an answer. I understand that you are new to the site, just keep that in mind for the future posts. – Andrey Nov 15 '13 at 20:57