
I'm trying to use forms authentication that will work for both my top-level domain and its subdomains.

For example, if I log in on this domain: mydomain.com, and afterwards go to www.mydomain.com, I want to be able to identify the user who logged on to mydomain.com (it's the same application).

I'm using the following in my web.config file:

<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" domain="mydomain.com" timeout="2880" />
</authentication>

This is an MVC project, and I'm getting the user id with the following API:

HttpContext.Current.User.Identity.Name

The forms authentication cookie is created by the following API after performing an OpenID logon for the user:

FormsAuthentication.SetAuthCookie(userName, createPersistentCookie);

I can see that the authentication cookie is being sent to both domains, but only the domain that the authentication was made against recognizes the user.

Am I doing something wrong?

Thanks, Lior

  • possible duplicate of [Forms Authentication across Sub-Domains](http://stackoverflow.com/questions/608120/forms-authentication-across-sub-domains) – Ricardo Souza Sep 22 '14 at 16:32

3 Answers


Make sure you have the same machine keys set up for those two applications. If the authentication token is encrypted with the machine key of application 1 and application 2 has a different key, it won't be able to decrypt it.

Darin Dimitrov

This question isn't exactly the same as yours, but it looks like it's the solution you're looking for.

ataddeini

You need to issue your ticket in the top-level domain in order for it to be recognized by subdomains. This is because of how cookies work:

If you set the cookie on domain.com, it will be visible on sub.domain.com. However, if you set it on sub.domain.com, it will not be visible on domain.com.

This is a security issue because of how cookies work, and you'll have to consider it, beyond the settings of the <forms> element, which have to do with validating/rejecting an authentication cookie, where you will need to have domain='domain.com', which you already do.

In addition to all this, if on the subdomain you have a different application, you will need to explicitly define the machine key to be the same. You can generate yourself some keys here: http://aspnetresources.com/tools/machineKey

Tudor Carean
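The two points made in the answers above (issue the cookie for the parent domain, and give every application that must read it the same machineKey) put together as an added web.config fragment; this is an illustration, not configuration from the question or from any of the answerers. The key values are placeholders to be replaced with the same generated keys in every application, and the cookie-hardening attributes (requireSSL, httpOnlyCookies) are an assumption that the site runs over HTTPS.

```xml
<configuration>
  <system.web>
    <!-- Cookie scoped to the parent domain, so mydomain.com and www.mydomain.com
         (and any other subdomain) receive the same ticket. The name and path
         must also match in every application that shares the ticket. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/LogOn"
             name=".ASPXAUTH"
             path="/"
             domain="mydomain.com"
             protection="All"
             requireSSL="true"
             timeout="2880" />
    </authentication>

    <!-- The ticket is encrypted and signed with these keys. If an IIS site uses
         auto-generated keys, a second site cannot validate the ticket, which
         matches the symptom in the question: cookie present, user not recognized.
         Paste identical values (from a key generator) into every application. -->
    <machineKey validationKey="[PLACEHOLDER: 128 hex chars, identical in all apps]"
                decryptionKey="[PLACEHOLDER: 64 hex chars, identical in all apps]"
                validation="HMACSHA256"
                decryption="AES" />

    <!-- Keep the ticket out of client-side script and off plain HTTP. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

A quick way to confirm the fix on a test setup is to log in on one host, then check in the browser's cookie store that the .ASPXAUTH cookie's domain is shown as mydomain.com rather than the host you logged in on.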