1

I'm working on a multi-tenant ASP.NET MVC application.

So far we have been using HttpContext to store a few objects for the request (technically partitioned by tenant).

However, we will need to use TempData (uses Session) and set authentication cookies.

Our spec:

  • A tenant can have multiple URLs (tenant1.myapp.com or mycustomdomain.com)
  • Authentication cookies should NOT be shared by tenants
  • Ideally, a tenant's authentication cookie should be shared by any one of their URLs

Is Session domain aware? It seems to be.

Can I set multiple domains on an authentication cookie?

Advice on anything else that may catch me out would be appreciated. Really I just need to understand what needs to be partitioned for each tenant (up to now I've partitioned the file system, database and cache per tenant).

Thanks

Ben

Erik Funkenbusch
Ben Foster

2 Answers

4

Is Session domain aware?

By default, Session is tracked by cookies, and because cookies are restricted to the same domain, the session is not only domain-aware but also application-aware, meaning that if you have two applications on the same domain they won't share session.

Can I set multiple domains on an authentication cookie?

No. Cookies cannot be shared between domains. But contrary to sessions, you can share them among multiple applications on the same domain (by setting the domain attribute to the top-level domain in the <forms> tag in web.config). This is what allows you to achieve single sign-on between applications on the same domain. If you wanted to achieve single sign-on between applications on different domains, you will need a different approach.

Darin Dimitrov
  • Thanks for the clarification. So it seems that this is secure by default. It's likely that my tenants will only have one URL each anyway. – Ben Foster Mar 28 '11 at 15:26
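The cookie scoping described in the answer above, as an added example that is not part of the original question or answers: it applies the RFC 6265 domain-match rule to the hostnames from the question and shows that a host-only cookie stays with one tenant host, that widening the Domain attribute to myapp.com would hand the cookie to every tenant subdomain, and that no Domain value reaches mycustomdomain.com. The function names and tenant2.myapp.com are assumptions made for illustration, and browser public-suffix checks are left out.

```javascript
// Added illustration: RFC 6265 cookie scoping for the question's hostnames.
// A cookie set without a Domain attribute is "host-only"; with a Domain
// attribute it is also sent to every subdomain of that value.

// RFC 6265 section 5.1.3 domain-match: identical, or host ends with "." + domain.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\./, ""); // a leading dot is ignored
  if (host === domain) return true;
  const isIp = /^[0-9.]+$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// Would a browser accept the cookie from setterHost and later send it to
// requestHost? domainAttr is the Domain value, or null for a host-only cookie.
function cookieSentTo(setterHost, domainAttr, requestHost) {
  if (domainAttr === null) {
    return requestHost.toLowerCase() === setterHost.toLowerCase(); // host-only
  }
  // A Domain that the setting host does not itself match is rejected outright.
  if (!domainMatches(setterHost, domainAttr)) return false;
  return domainMatches(requestHost, domainAttr);
}

// Constructed hostnames, based on the examples in the question.
const hosts = ["tenant1.myapp.com", "tenant2.myapp.com", "mycustomdomain.com"];

// Which of the hosts would receive a cookie set by setterHost with domainAttr?
function report(setterHost, domainAttr) {
  return hosts.filter((h) => cookieSentTo(setterHost, domainAttr, h));
}

console.log("host-only:", report("tenant1.myapp.com", null));
console.log("Domain=myapp.com:", report("tenant1.myapp.com", "myapp.com"));
console.log("Domain=mycustomdomain.com:",
  report("tenant1.myapp.com", "mycustomdomain.com"));
```

For the spec in the question, the second case is the one to avoid: an authentication cookie scoped to the shared parent domain is presented to every tenant's subdomain.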
0

You may want to look into Session Partitioning.

<configuration>
    <system.web>
        <sessionState 
            mode="StateServer" 
            partitionResolverType=
                "IndustryStrengthSessionState.PartitionResolver" />
    </system.web>
</configuration> 

But I don't believe you can share sessions across domains out of the box. You will likely need to add custom session synchronization, where each domain's session is linked by a custom algorithm to the same user/tenant etc.

Sonic Soul