1

I am using the default ASP.NET authentication solution. Now I have subdomains on my server (eg. example.com, blog.example.com, forum.example.com...) The login occurs on example.com, and gives out an authentication cookie. But when I go to forum.example.com I am redirected to login. Is there a configuration settings to making the login work for *.example.com?

It's worth noting that the cookies are issued as "example.com" for the domain. So I changed it to ".example.com" based on some reading, and now sub-domain authentication works. Anyone able to explain?

Joel Coehoorn
  • 399,467
  • 113
  • 570
  • 794
StuckIt
  • 11
  • 2
  • 1
    possible duplicate of [Forms Authentication across Sub-Domains](http://stackoverflow.com/questions/608120/forms-authentication-across-sub-domains) – Ricardo Souza Sep 22 '14 at 16:32

1 Answers1

0

According to RFC 2109, if you do not prefix a dot on the domain, it is invalid and the cookie should be rejected. From RFC 2109

Domain=domain Optional. The Domain attribute specifies the domain for which the cookie is valid. An explicitly specified domain must always start with a dot.

4.3.2  Rejecting Cookies

   To prevent possible security or privacy violations, a user agent
   rejects a cookie (shall not store its information) if any of the
   following is true:

   * The value for the Path attribute is not a prefix of the request-
     URI.

   * The value for the Domain attribute contains no embedded dots or
     does not start with a dot.
Community
  • 1
  • 1
Iain
  • 10,814
  • 3
  • 36
  • 31
  • But the auth cookie for ASP.NET does not start with a dot; "company.com" – StuckIt Nov 29 '10 at 02:24
  • I'm confused, where are you getting the value "company.com" from? – Iain Nov 29 '10 at 02:32
  • It's an example. Take a look at the authentication cookie for ASP.NET4 and it's set as "company.com" and not ".company.com". Yet according to your comment above, not using a dot at the front is against convention...? – StuckIt Nov 29 '10 at 02:35
  • 1
    Do you have a url? I suspect its a bad example. Either way, you need the dot. – Iain Nov 29 '10 at 02:41