472,952 Members | 2,080 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 472,952 software developers and data experts.

c# forms authentication


I have stumbled across an interesting problem regarding forms
authentication over multiple sub domains. The topic has been covered in
various forms online but never really gets a definitive answer as to
why it happens.

I have two separate web apps sat on different sub domains of the same
company realm. eg:


The auth domain is a very simple app for handling single sign on across
multiple sub domains. The work domain is an example of a consuming web
app that needs to use the authentication service of auth.

I have configured the work domain to deny all users by forms
authentication, which points to a login form on the auth domain
(http://auth.company.co.uk/login.aspx). When a user hits the work
domain, they are redirected to auth and they can log in.

The problem occurs after the auto redirect, which happens when the
framework determines that the current request is not authenticated. The
query string param 'RedirectUrl' is appended to the login url but it
does not include the absolute path and hence the originating domain.
Once the user authenticates, forms authentication only has
'/<originalrequest>' as the redirect url so tries to redirect within
the auth domain. This page does not exist and an error occurs.

A solution is to set a cookie in every consuming web app that stores
the sub domain value of the previously executing request. The auth web
app can then inspect this sub domain value and include it in the
redirect once a user has logged in. This would work fine but ideally I
want to find a different solution that does not rely on cookies - as in
the mobile forms authentication approach where an authentication ticket
will be appended as a querystring parameter if the mobile device does
not support cookie based redirects.

Any assistance would be greatly appreciated.

Many thanks

Nov 19 '05 #1
2 2450
Maintaining Forms authenitcation across subdomains is tricky.
I would create a login page in work and have it do nothing but redirect
to the auth login page with the correct redirection URL in the query
string. Then do the authentication and redirect back.

If using cookies make sure cookiename is the same across both domains
and set the forms auth cookie domain as the base domain.
In web.config <machineKey validationKey="<MyValKey>"
decryptionKey="<MyDecryptKey>" validation="SHA1"/>, you will need to
generate your own keys and explicitly define them, ontherwise everytime
you reinstall the virtual directory they will be recreated and
different across sites.

I have never done it without cookies, however I would guess as long you
handle querystring properly then it should work. One thing to note is
to make sure you handle sessionstate and authentication/authorization
completely seperate since you are spanning two session states.

Hope this helps,

Nov 19 '05 #2
Thanks Endo for your response, much appreciated.

It all works at the moment but I think I will investigate your
suggestion of a login page for each sub site.

Webservice option also working.


Nov 19 '05 #3

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

by: Billy Jacobs | last post by:
I have a website which has both secure and non-secure pages. I want to uses forms authentication. How do I accomplish this? Originally I had my web.config file in the root with Forms...
by: Kris van der Mast | last post by:
Hi, I've created a little site for my sports club. In the root folder there are pages that are viewable by every anonymous user but at a certain subfolder my administration pages should be...
by: Eric | last post by:
I am trying to build an app where the stuff in the root directory is open to all, but anything under the Restricted directory requires you to login and I want to use Forms to do it. I'm having...
by: Anonieko Ramos | last post by:
ASP.NET Forms Authentication Best Practices Dr. Dobb's Journal February 2004 Protecting user information is critical By Douglas Reilly Douglas is the author of Designing Microsoft ASP.NET...
by: Justin | last post by:
I am trying to password protect a subdirectory using forms authentication. I am using the "Location" tag to specify the directory to be protected. The login.aspx page is in the root directory of...
by: V. Jenks | last post by:
Using forms authentication, can I control which pages and/or directories a user would have access to or is that only available with Windows authentication? Thanks!
by: =?Utf-8?B?R3V1czEyMw==?= | last post by:
Hi, I created a web site on a remote server. To logon the user must enter a user id and password. The site is uses Forms Authentication. The web config file looks as follows: ...
by: Bjorn Sagbakken | last post by:
In a web-application with login creds (user, pwd), these are checked against a user table on a SQL server. On a positive validation I have saved the userID, name, custno and role-settings in a...
by: Rory Becker | last post by:
Having now created a Custom MembershipProvider that seems to work correctly with my Logon and ChangePassword controls, I am, as they say, a happy bunny. The next stange is to move on to the...
by: Sean | last post by:
Hi, I've taken over a website, which has an admin section that is currently open. I added Forms Authentication to the admin directory with the using the location section in web.config: ...
by: lllomh | last post by:
Define the method first this.state = { buttonBackgroundColor: 'green', isBlinking: false, // A new status is added to identify whether the button is blinking or not } autoStart=()=>{
by: Mushico | last post by:
How to calculate date of retirement from date of birth
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 4 Oct 2023 starting at 18:00 UK time (6PM UTC+1) and finishing at about 19:15 (7.15PM) The start time is equivalent to 19:00 (7PM) in Central...
by: Aliciasmith | last post by:
In an age dominated by smartphones, having a mobile app for your business is no longer an option; it's a necessity. Whether you're a startup or an established enterprise, finding the right mobile app...
by: tracyyun | last post by:
Hello everyone, I have a question and would like some advice on network connectivity. I have one computer connected to my router via WiFi, but I have two other computers that I want to be able to...
by: NeoPa | last post by:
Hello everyone. I find myself stuck trying to find the VBA way to get Access to create a PDF of the currently-selected (and open) object (Form or Report). I know it can be done by selecting :...
by: Teri B | last post by:
Hi, I have created a sub-form Roles. In my course form the user selects the roles assigned to the course. 0ne-to-many. One course many roles. Then I created a report based on the Course form and...
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 1 Nov 2023 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM) Please note that the UK and Europe revert to winter time on...
by: isladogs | last post by:
The next online meeting of the Access Europe User Group will be on Wednesday 6 Dec 2023 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, Mike...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.