I have tried to set up .NET authentication to allow authentication across subdomains in my app.
To do this, I added a "domain" attribute in the forms element, like this:
<forms domain=".mydomain.com" name=".MyApp" loginUrl="Util/login.aspx" timeout="120" />
Then, for the role provider, I added a domain to that too:
<roleManager domain=".mydomain.com" enabled="true" defaultProvider="SqlServerRoleProvider" cacheRolesInCookie="true">
In both cases, the domain starts with a "." which should make it valid for "mydomain.com" and all subdomains.
However, it's still not allowing me to be authenticated across subdomains. Whenever I click from foo.mydomain.com to bar.mydomain.com, I get prompted to log in again.
I fired up the Charles proxy and watched the request when I click from a page in foo.mydomain.com to a page in bar.mydomain.com. What I found is that the ".MyApp" cookie is being sent to bar.mydomain.com, but the ".ASPXROLES" cookie is not.
Sure enough, when I get prompted to log in after clicking through to bar.mydomain.com, I check the cookies in my browser, and the .ASPXROLES cookie is missing. After I log in, it gets placed again with the domain ".mydomain.com".
For some reason, this cookie will NOT cross subdomains. Any idea why?
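
Added example, not part of the original post: a small checker that applies the RFC 6265 domain-match, path-match and Secure rules to a `Set-Cookie` header copied from a proxy capture, to see which host and path a browser would return the cookie to. The function names and the header strings in the comments are constructed for illustration; it shows how cookie scope is computed and does not identify the cause of the behaviour described above.

```javascript
// Added example: RFC 6265 cookie scoping applied to a captured Set-Cookie header.
// Constructed sample input (not taken from the post):
//   ".MyApp=abc; domain=.mydomain.com; path=/; HttpOnly"
//   set by foo.mydomain.com in response to /Util/login.aspx

// RFC 6265 section 5.1.4: default path is the request path up to the last "/".
function defaultPath(requestPath) {
  if (!requestPath || !requestPath.startsWith("/")) return "/";
  const last = requestPath.lastIndexOf("/");
  return last === 0 ? "/" : requestPath.slice(0, last);
}

// Parse one Set-Cookie header as received from requestHost for requestPath.
function parseSetCookie(header, requestHost, requestPath) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf("=")), hostOnly: true,
                   domain: requestHost.toLowerCase(),
                   path: defaultPath(requestPath), secure: false };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1).trim();
    if (key === "domain" && val) {
      cookie.domain = val.replace(/^\./, "").toLowerCase(); // leading dot is ignored
      cookie.hostOnly = false; // a Domain attribute makes subdomains eligible
    } else if (key === "path" && val.startsWith("/")) {
      cookie.path = val;
    } else if (key === "secure") {
      cookie.secure = true;
    }
  }
  return cookie;
}

function domainMatch(host, cookie) {
  host = host.toLowerCase();
  return host === cookie.domain ||
    (!cookie.hostOnly && host.endsWith("." + cookie.domain));
}

function pathMatch(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  return reqPath.startsWith(cookiePath) &&
    (cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/");
}

// Would a browser attach this cookie to a request for host + path?
function wouldSend(cookie, host, path, isHttps) {
  return domainMatch(host, cookie) && pathMatch(path, cookie.path) &&
    (!cookie.secure || isHttps);
}
```

A cookie that `wouldSend` reports as eligible but that is still absent from the request was not stored by the browser, or was removed, rather than scoped away from the target host.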