Let me describe my setup a little before I get into the problem. I have two web servers (www.mydomain.com and www2.mydomain.com) using Forms Authentication. On each web server I have a main application for authentication and numerous sub-apps. It looks kind of like this:

www.mydomain.com

|__MainApp (.Net 2.0)
    |__SubApp1 (.Net 1.1)
    |__SubApp2 (.Net 2.0)
    |__SubApp3 (.Net 2.0)

www2.mydomain.com

|__MainApp (.Net 2.0)
    |__SubApp1 (.Net 1.1)
    |__SubApp2 (.Net 2.0)
    |__SubApp3 (.Net 2.0)

As you can see, I'm running a mix of .Net 1.1 and 2.0 applications on the same server. Now I've been trying to come up with a Single Sign-On (SSO) solution that works with this setup and I've partially succeeded. Because the domain attribute in the tag is incompatible with .Net 1.1 (it causes the apps to throw an exception), I decided to programmatically set the domain of the forms authentication cookie generated. This works fine and I can navigate between the two servers without having to log in again. The problem occurs when the server tries to reissue/renew the cookie and update its expiration with slidingExpiration enabled. The cookie I generate gets created with "mydomain.com" as the domain, but when the server tries to reissue it with a new expiration, it can't find it and generates a brand new cookie with "www.mydomain.com" as the domain.

Is there any way to have the server properly reissue the original cookie with the custom domain?

A: 

We have an almost identical setup (two web servers, a mix of 1.1, 2.0 and 3.5 apps) and SSO using forms authentication. And we've got it working with sliding expiration with no problem.

The one difference is that our two web servers are set up as a web farm (using the MS Clustering in Server 2k3 if I remember correctly). This means that both machines are assigned to the same domain. Can you switch your two servers to be a web farm?

Jeff Siver
A: 

If we were to go that route, it would be more of a long-term solution. In the short term, I was just hoping to see if anyone knew why the framework is unable to find and reissue the existing cookie.

A: 

My solution was to add the Forms Authentication domain attribute to the global Web.config for the .Net 2.0 framework (C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Web.config). It doesn't fix the issue for my .Net 1.1 apps, but the majority of my apps are on 2.0. I'll probably just use an HTTPModule to handle the sliding expiration for the .Net 1.1 apps.
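
A sketch of the HttpModule approach mentioned above, added here as an example and not code from the original post. A browser sends back only the cookie's name and value, never its Domain attribute, so a renewed ticket is written with whatever domain the server is configured to use; this module sets the shared domain on any forms authentication cookie the framework queues for the response. The class name `SharedDomainFormsCookieModule` and the `SharedDomain` constant are assumptions, and the code sticks to APIs available in .Net 1.1.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical module (not from the original post). Register it under
// <system.web><httpModules> in each application's Web.config.
public class SharedDomainFormsCookieModule : IHttpModule
{
    // Assumption: the parent domain already used for the hand-set login cookie.
    private const string SharedDomain = "mydomain.com";

    public void Init(HttpApplication app)
    {
        // EndRequest runs after FormsAuthenticationModule has queued a renewed
        // ticket and after page code has called SignOut. This relies on
        // response buffering (the default), so headers are not yet sent.
        app.EndRequest += new EventHandler(OnEndRequest);
    }

    public void Dispose() { }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpResponse response = ((HttpApplication)sender).Response;
        string name = FormsAuthentication.FormsCookieName;

        // Walk by index: Response.Cookies[name] would create an empty
        // cookie when none is pending and overwrite the browser's ticket.
        for (int i = 0; i < response.Cookies.Count; i++)
        {
            HttpCookie cookie = response.Cookies[i];
            if (String.Compare(cookie.Name, name, true) != 0)
                continue;

            // A reissued ticket (or a sign-out cookie) with no domain is
            // host-only; give it the same scope as the original cookie so
            // the browser replaces or deletes that one instead of adding
            // a second cookie.
            if (cookie.Domain == null || cookie.Domain.Length == 0)
                cookie.Domain = SharedDomain;

            // Keep the Secure flag consistent with the forms configuration.
            if (FormsAuthentication.RequireSSL)
                cookie.Secure = true;
        }
    }
}
```

A ticket scoped to the parent domain is sent to every host under that domain, so each of those hosts has to be trusted with it.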