I have 2 subdomains and I need to set and read the same cookie from both websites.

When I use localhost, everything works fine.

When I switch to using valid URLs, the cookie information is not really being updated when I update it (expire date on logout).

I have the domain of the cookie set to ".mysite.com".

What is wrong?

A: 

Here is my code: (works fine on localhost but not subdomain, never logs the user out because the cookie doesn't get expired)

Login page:

    FormsAuthentication.SetAuthCookie(UserName.Text, true);
    // set the active collab cookie
    Member member = MemberManager.GetMemberByUsername(UserName.Text);

    HttpCookie cookie = new HttpCookie("Token", member.Profile.Token);
    cookie.Domain = ConfigurationManager.AppSettings["CookieDomain"];
    cookie.Expires = DateTime.Now.AddYears(1);
    Response.Cookies.Add(cookie);

Global.asax:

    if (HttpContext.Current.Request.Cookies["Token"] != null) {
        string token = HttpContext.Current.Request.Cookies["Token"].Value;
        if (!string.IsNullOrEmpty(token)) {
            // If the user is logged in with a different token
            // or not logged in at all
            // then log them in with the token from the cookie
            if ((MemberManager.CurrentMember != null && MemberManager.CurrentMember.Profile.Token != token) || User == null) {
                Member member = MemberManager.GetMemberByToken(token);
                if (member != null) {
                    FormsAuthentication.SetAuthCookie(member.User.UserName, true);
                }
            }
        }
    }

Logout Code:

    if (Request.Cookies["Token"] != null) {
        HttpCookie aCookie = Request.Cookies["Token"];
        aCookie.Expires = DateTime.Now.AddDays(-1);
        Response.Cookies.Add(aCookie);
    }

Web.config:

    <machineKey
        validationKey="0B527474607638F3659A4EC9E62E3B10F22F7E2E72B67F44D730C689EB19DF29C419D70FFB3F390F384B03AAB91F9CB489AD39101EFB64D533310721D95E2230"
        decryptionKey="82E81A96A6EA7B196079E8AB854C24698E690E8545F95DA098C37BFD1B99566E"
        validation="SHA1"
        decryption="AES" />

    <authentication mode="Forms">
        <forms name="AuthCookie"
               path="/"
               loginUrl="~/login.aspx"
               protection="All"
               timeout="60">
        </forms>
    </authentication>
First: you should update your question, not post an answer. Observations: typically you do not have to set the cookie domain. Cookies are accessible throughout a TLD (top level domain) and do not need massaging in this way. If your apps are in different TLD then it is just not going to work, although I suspect this is not your problem. Also, I cannot understand what you are trying to accomplish so I probably will not be able to help you. It seems that you are implementing FormsAuthentication in parallel to another authentication management strategy. What are your reasons for doing this?
Sky Sanders
A: 

Try this:

    if (Request.Cookies["Token"] != null) {
        HttpCookie aCookie = Request.Cookies["Token"];
        aCookie.Expires = DateTime.Now.AddDays(-1);
        Response.Cookies["Token"] = aCookie;
    }

Instead of adding it, set it to the existing cookie.

Chuck Conway
I get this error: 'System.Web.HttpCookieCollection.this[string]' cannot be assigned to -- it is read only
A: 

Your forms authentication setting in the web.config needs to enable cross app redirects:

    <authentication mode="Forms">
        <forms loginUrl="~/login.aspx" protection="All" timeout="960" name=".ASPXAUTH" path="/" requireSSL="false" slidingExpiration="false" defaultUrl="~/default.aspx" enableCrossAppRedirects="true"/>
    </authentication>
Joel Etherton
It didn't make a difference, but thanks!
A: 

The answer was to set the domain on the cookie when expiring it on logout:

    HttpCookie aCookie = Request.Cookies["Token"];
    aCookie.Expires = DateTime.Now.AddDays(-1);
    aCookie.Domain = ConfigurationManager.AppSettings["CookieDomain"];
    Response.Cookies.Add(aCookie);
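
Why the fix above works, as an added example that is not part of the original thread: the browser's `Cookie` request header carries only `name=value`, so a cookie read from `Request.Cookies` has no domain, and re-adding it emits a host-only `Set-Cookie` that never matches the `.mysite.com` entry. The sketch models the browser's cookie store (RFC 6265, section 5.3) in Python; the `app1`/`app2` host names, the token value, the header strings and the simplified default path of `/` are assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

class BrowserJar:
    """Minimal model of a browser cookie store (RFC 6265, section 5.3)."""

    def __init__(self):
        self.store = {}  # (name, domain, path) -> (value, host_only)

    def set_cookie(self, host, header):
        """Apply one Set-Cookie header value received from `host`."""
        pair, *rest = [part.strip() for part in header.split(";")]
        name, _, value = pair.partition("=")
        attrs = {k.strip().lower(): v.strip()
                 for k, _, v in (item.partition("=") for item in rest)}
        domain = attrs.get("domain", "").lstrip(".").lower()
        host_only = not domain
        if host_only:
            domain = host          # no Domain attribute: bound to this host only
        elif host != domain and not host.endswith("." + domain):
            return                 # a host cannot set cookies for unrelated domains
        key = (name, domain, attrs.get("path", "/"))
        expires = attrs.get("expires")
        if expires and parsedate_to_datetime(expires) <= datetime.now(timezone.utc):
            self.store.pop(key, None)   # expiry removes only the identical key
        else:
            self.store[key] = (value, host_only)

    def sent_to(self, host):
        """Cookies the browser would attach to a request for `host`."""
        return {name: value
                for (name, domain, _), (value, host_only) in self.store.items()
                if host == domain or (not host_only and host.endswith("." + domain))}

# Constructed headers; app1/app2 host names and the token value are assumptions.
PAST = "expires=Thu, 01 Jan 1970 00:00:00 GMT"
LOGIN = "Token=abc123; domain=.mysite.com; expires=Fri, 01 Jan 2100 00:00:00 GMT; path=/"
LOGOUT_BROKEN = "Token=abc123; " + PAST + "; path=/"                     # no Domain
LOGOUT_FIXED = "Token=abc123; domain=.mysite.com; " + PAST + "; path=/"

def after_logout(logout_header, login_header=LOGIN, login_host="app1.mysite.com",
                 logout_host="app2.mysite.com"):
    """Log in on one host, log out on another, return what each still receives."""
    jar = BrowserJar()
    jar.set_cookie(login_host, login_header)
    jar.set_cookie(logout_host, logout_header)
    return jar.sent_to(login_host), jar.sent_to(logout_host)
```

With `LOGOUT_BROKEN` both hosts still receive the token after logout; on localhost the login cookie is itself host-only (assuming no `CookieDomain` is configured there), so the same logout header matches and removes it.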