
I know there are a lot of discussions about this, but I am still not clear on this. I have a website www.all.com and www.bll.com. Please note that they are two different websites on two different servers.

Both of them use Forms Authentication. If I use the same validation key and decryption key in the web.config of both websites, why can't I share the auth cookie between these two websites? I have read that the auth cookie can be shared only between subdomains.

A user logs into www.all.com, I authenticate the user, add the auth cookie to the response and redirect them to a secure page of www.bll.com. Now bll.com should be able to decrypt the auth cookie and have the user authenticated in bll.com. Why is this not possible?

Does the auth cookie's scope end if redirected to a different domain?

  • You can't do that. http://stackoverflow.com/a/18601768/1810243. Why don't you just securely redirect them to `bll.com` with an encrypted querystring token that identifies who they are, and then use `bll.com` logic to log them in? – MikeSmithDev Sep 19 '13 at 14:30
  • You seem to be misinterpreting subdomains. www.all.com and www.bll.com are not subdomains in any way. www.all.com and www2.all.com are both subdomains of all.com. You may see this about cookie authentication across subdomains http://stackoverflow.com/q/15076138/1236044 . But it won't solve your issue, which is addressed by mechanisms like openid http://openid.net/ – jbl Sep 19 '13 at 15:12
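
Added example, not part of the original question or comments: a simplified model of the browser's cookie scoping rules (RFC 6265 domain matching, with public-suffix checks omitted) showing why a cookie set by www.all.com is never sent to www.bll.com, whatever keys the two servers share. The host names come from the question; the function names are illustrative.

```javascript
// Simplified RFC 6265 cookie scoping (added example; public-suffix checks omitted).

// Section 5.1.3: a host matches a domain if they are identical, or if the host
// ends with "." + domain and the host is not an IP address.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// Section 5.3: decide whether the browser stores a cookie set by `setterHost`.
// Returns the stored cookie record, or null if the browser discards it.
function storeCookie(setterHost, name, domainAttr) {
  if (!domainAttr) {
    // No Domain attribute: host-only cookie, bound to the exact setting host.
    return { name, domain: setterHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  // A site may only set cookies for itself or one of its parent domains.
  if (!domainMatch(setterHost, domain)) return null;
  return { name, domain, hostOnly: false };
}

// Section 5.4: decide whether a stored cookie is attached to a request.
function isSent(cookie, requestHost) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatch(requestHost, cookie.domain);
}

// Constructed scenarios using the hosts from the question; ".ASPXAUTH" is the
// default Forms Authentication cookie name.
function scenarios() {
  const hostOnly = storeCookie("www.all.com", ".ASPXAUTH", "");
  const parent = storeCookie("www.all.com", ".ASPXAUTH", "all.com");
  const foreign = storeCookie("www.all.com", ".ASPXAUTH", "bll.com");
  return {
    hostOnlyToBll: isSent(hostOnly, "www.bll.com"),   // cookie stays on www.all.com
    parentToWww2: isSent(parent, "www2.all.com"),     // subdomain sharing works
    parentToBll: isSent(parent, "www.bll.com"),       // different site: not sent
    foreignStored: foreign !== null,                  // Domain=bll.com is discarded
  };
}

console.log(scenarios());
```

The redirect itself carries no cookie: the browser builds the request to www.bll.com from its own cookie store, and nothing stored for all.com matches that host.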

0 Answers