Thursday, March 31, 2011

Cross Domain Cookies With FormsAuthentication

I know the security risk associated and have brought it up with the business, but they want to have their 5 domains to share the login cookie.

We are using and have no plan to stop using ASP.Net Membership and Profiles. Is this possible? A hack would even be greatly appreciated.

From stackoverflow
  • It is not possible with out of the box ASP.NET.

    Forms based authentication is based on a cookie and cookies can only be set to a specific domain.

    If you want true cross domain (not sub domains) shared authentication, you need a Single Sign On solution.

    I've rolled my own and it's relatively simple. The basic principle is that you have a master domain which holds your authentication cookie (ticket). You then redirect to that domain from all other domains. It's not really pretty, but event Microsoft Passport worked that way.

    You can find a lot of examples on the net, take a look at these two links:

    Authentication cookies

    Cross domain authentication

  • Not only with ASP.Net is this not possible, but not at all. Cookies are always domain-specific - no commercial browser will work any other way. This is by design and very much necessary to prevent widespread abuse of cookies. Muerte pointed you into the right direction (single sign-on).

0 comments:

Post a Comment