c# forms authentication


I have stumbled across an interesting problem regarding forms
authentication over multiple sub domains. The topic has been covered in
various forms online but never really gets a definitive answer as to
why it happens.

I have two separate web apps sat on different sub domains of the same
company realm. eg:


The auth domain is a very simple app for handling single sign on across
multiple sub domains. The work domain is an example of a consuming web
app that needs to use the authentication service of auth.

I have configured the work domain to deny all users by forms
authentication, which points to a login form on the auth domain
(http://auth.company.co.uk/login.aspx). When a user hits the work
domain, they are redirected to auth and they can log in.

The problem occurs after the auto redirect, which happens when the
framework determines that the current request is not authenticated. The
query string param 'RedirectUrl' is appended to the login url but it
does not include the absolute path and hence the originating domain.
Once the user authenticates, forms authentication only has
'/<originalrequest>' as the redirect url so tries to redirect within
the auth domain. This page does not exist and an error occurs.

A solution is to set a cookie in every consuming web app that stores
the sub domain value of the previously executing request. The auth web
app can then inspect this sub domain value and include it in the
redirect once a user has logged in. This would work fine but ideally I
want to find a different solution that does not rely on cookies - as in
the mobile forms authentication approach where an authentication ticket
will be appended as a querystring parameter if the mobile device does
not support cookie based redirects.

Any assistance would be greatly appreciated.

Many thanks

Nov 19 '05 #1
Maintaining Forms authentication across subdomains is tricky.
I would create a login page in work and have it do nothing but redirect
to the auth login page with the correct redirection URL in the query
string. Then do the authentication and redirect back.

If using cookies make sure cookiename is the same across both domains
and set the forms auth cookie domain as the base domain.
In web.config <machineKey validationKey="<MyValKey>"
decryptionKey="<MyDecryptKey>" validation="SHA1"/>, you will need to
generate your own keys and explicitly define them, otherwise every time
you reinstall the virtual directory they will be recreated and
different across sites.

I have never done it without cookies, however I would guess as long as you
handle querystring properly then it should work. One thing to note is
to make sure you handle sessionstate and authentication/authorization
completely separate since you are spanning two session states.

Hope this helps,

Nov 19 '05 #2
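
One way to carry out the round trip suggested in the reply above, as an added example that is not part of the thread: the consuming app sends the absolute URL of the original request, and auth checks that URL's host before redirecting, so the parameter cannot send a logged-in user off the company domain. The base domain is inferred from the auth URL in the question; the ReturnUrl parameter name, the class and method names, and the sample URLs are assumptions.

```csharp
using System;

static class CrossSubdomainLogin
{
    // Assumption: base domain inferred from the auth URL in the question.
    const string BaseDomain = "company.co.uk";
    const string AuthLogin = "http://auth.company.co.uk/login.aspx";

    // Consuming app's login page: forward to auth with the ABSOLUTE URL of
    // the original request, so the originating host survives the round trip.
    public static string BuildAuthRedirect(Uri originalRequest)
    {
        return AuthLogin + "?ReturnUrl=" + Uri.EscapeDataString(originalRequest.AbsoluteUri);
    }

    // Auth app, after a successful login: redirect only to an absolute
    // http(s) URL whose host is the base domain or one of its subdomains.
    public static bool IsAllowedReturnUrl(string returnUrl)
    {
        Uri target;
        if (!Uri.TryCreate(returnUrl, UriKind.Absolute, out target)) return false;
        if (target.Scheme != Uri.UriSchemeHttp && target.Scheme != Uri.UriSchemeHttps) return false;
        // The leading dot stops look-alike hosts such as "notcompany.co.uk".
        return target.Host.Equals(BaseDomain, StringComparison.OrdinalIgnoreCase)
            || target.Host.EndsWith("." + BaseDomain, StringComparison.OrdinalIgnoreCase);
    }

    static void Main()
    {
        // Constructed sample values; the work host name is hypothetical.
        var original = new Uri("http://work.company.co.uk/orders/view.aspx?id=7");
        Console.WriteLine(BuildAuthRedirect(original));

        string[] candidates = {
            original.AbsoluteUri,                      // allowed
            "/orders/view.aspx?id=7",                  // no usable host, rejected
            "http://company.co.uk.attacker.example/",  // base domain only as a prefix, rejected
            "http://notcompany.co.uk/",                // look-alike suffix, rejected
            "ftp://work.company.co.uk/file"            // not http(s), rejected
        };
        foreach (string c in candidates)
            Console.WriteLine("{0,-5} {1}", IsAllowedReturnUrl(c), c);
    }
}
```

When the check fails, the auth login handler should redirect to a fixed default page rather than to the supplied value.
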
Thanks Endo for your response, much appreciated.

It all works at the moment but I think I will investigate your
suggestion of a login page for each sub site.

Webservice option also working.


Nov 19 '05 #3
