ASP.NET Cross-Domain Cookies & Facebook Connect

Question

Hi All,

I have a website which i integrate with Facebook (via FBML - JavaScript API).

I have setup the application on Facebook as per normal, specifying the "Connect URL" to be the domain of my website.

However, my application has multiple bindings in IIS for the same website.

Such as:

www.bar.com.au

foo.com.au

The domains are completely different, no relationship in the name whatsoever - so a regex-style rule is not possible (ie base domain). The domains were made different due to a combination of localization and marketing. Keep in mind these domains are baked in to an already live website, in other words i cannot change this architecture.

Is there a way i can specify BOTH of these domain's in the ONE Facebook Application settings for the "Connect URL"? Or will i have to create multiple applications?

Of course i cannot use the "Base Domain" setting as the bindings are not on the same sub-domain.

I actually have around 7 bindings in my website - so i'd rather not have to create 7 seperate Facebook applications - because this means maintaining 7 sets of API key/secret pairs in my application.

What's happening of course is when im on foobar.com.au, the Facebook cookies are not available to the domain.

For the meantime, i will try and create multiple ApiKey's - but i think i might run into issues. I'm going to have to go: "If domain is this, use this ApiKey", then the same logic in every single call to the Graph API. Messy stuff.

So i guess my problem/question isn't really caused by Facebook Connect, its the nature of HTTP Cookies by design.

How can i easily access these cookies cross domain? Will i need to setup a third website and direct all cookie logic to there?

Answer 1

Could you set one of them up as your "Facebook Authentication" site, and direct all FB Auth-related traffic there, and then use one of a large number of cross-site communication tricks to send the token over to the original site?

In other words, regardless of the site they come in from, you'll use .foobar.com.au (for example) as the redirect URI. Then when they come in to that site with you having noted that they came from .foo.bar.com.au, you'll redirect them back where they came from passing along the access token in some cross-domain fashion (querystring, post vars, etc.)

Answer 2

If you want *.foobar.com.au to be allowed, then setup your Base Domain to foobar.com.au.

Answer 3

In my current situation, timeframes have stopped me from doing the proper solution, which is what @Yuliy has highlighted.

For now, i have created multiple Facebook applications. But to keep it DRY, i have abstracted all that away behind exposed properties:

private static string _ApiToken_Site1, _ApiToken_Site2;
public static string ApiToken
{
   get
   {
       if (Site1) return _ApiToken_Site1;
       else if (Site2) return _ApiToken_Site2;
   }
}

Not exactly clean, but the main thing is i did not have to touch my existing code at all, the smarts to work out which Api Key to use is in that property.

For our next project release, i'll be scrapping this and most likely implementing a WCF/ASMX web service which handles authentication from the one place (ie seperate web service on seperate domain).