tags:

views:

1111

answers:

4
+2  Q: 

Asp.net forms authentication and multiple domains

I have two domains, domain1.com and domain2.com pointing at the same asp.net website which uses asp.net build in form authentication. The problem is that even if the domains point to the same website the user only get authenticated for one domain at a time. So if he uses www.domain1.com first and then visits www.domain2.com it's the same website in the back but he only is authenticated for www.domain1.com. The same thing happens if he uses www and not www when visiting the sites.

This is what I use to login:

FormsAuthentication.RedirectFromLoginPage(username, cookie.Checked);

To check login:

User.Identity.IsAuthenticated

How can I make the user gets authenticated for all domains that points to the same website?

+1  A: 

You could try something like this:

http://blogs.neudesic.com/blogs/michael_morozov/archive/2006/03/17/72.aspx

Suggestion #5 on there (SSO for two applications in different domains) is pretty much what you are after, except you obviously only have to implement it the once as it will apply to both domains the same.

FerretallicA  2010-01-13 12:57:25
A: 

You should read Explained: Forms Authentication on MSDN. They cover Cross-Domain Authentication.

Filip Ekberg  2010-01-13 12:58:14
@Filip, where in that doc does it refer to cross-domain authentication? I've skimmed the doc and can't find any info beside the points that would seem to preclude cross-domain authentication. There is a link to an article talking about authentication across multiple AD domains which is obviously a different problem space.
Lazarus  2010-01-13 13:08:44
A: 

You could try setting cookieless="true".

Darin Dimitrov  2010-01-13 12:59:32
I'm not sure how this would solve cross domain authentication?
Andy Rose  2010-01-13 13:05:01
Instead of cookies (which are limited to single domain) it sends authentication ticket in the URL.
Darin Dimitrov  2010-01-13 13:08:56
@Darin but the token in the URL is still encoded uniquely for the authenicating server isn't it?
Lazarus  2010-01-13 13:15:27
Yes, but according to the OP, it is the same ASP.NET application and the same server (i.e. same machine keys), it is just a domain redirect, so this will work.
Darin Dimitrov  2010-01-13 13:27:13
+1  A: 

What you're after is a Single Sign-on solution.

As ASP.NET authentication is at it's heart generally cookie based, there are two things to look at:

  1. Set your cookies correctly.
  2. Bounce your users to the alternative domain during signup.

Looking at both of these in more depth:

1. Setting cookies correctly

You need to ensure that ASP.NET is writing the authentication ticket cookies to the root domain, rather than the explicit domain this is done using the domain attribute of the forms element:

<forms 
   name="name" 
   loginUrl="URL" 
   defaultUrl="URL"
   domain=".example.com">
</forms>

You should set your domain to ".example.com" - note the leading period - this is the key. This way requests to example.com and www.example.com will both read the cookie correctly, and authenticate the user.

2. Bounce users to the alternative domain

What we have implemented on a few sites that use a single sign on is a round trip login process. The user authenticates on the first domain, we encrypt the login details, and redirect them to a known page on the second domain, log them in there, and then redirect back to the original server.

This client side redirection is important - cookies are only written when there is a response back to the client, and the browser has to visit the second domain to actually see the cookies.

Other details to consider in this sort of set-up:

  1. You probably want to have a timeout on the encrypted sign-in details - so that recalling that URL from the browser history doesn't automatically log the user in.
  2. If the domains are on different servers, you will need to ensure that either the machine keys are configured the same, so that you can encrypt and decrypt the details correctly, or use some other shared key.
  3. You will probably want to have a mechanism in place to recall the users ReturnUrl from the original server so that you can send them back to the correct place.

You could also take a look at "Forms Authentication Across Applications"

Zhaph - Ben Duguid  2010-01-13 13:03:09

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps