Hello,


Q1

FormsAuthentication.CookieDomain property specifies the domain for which this cookie is valid. Overriding this property is useful if you want to enable the cookie to be used for more applications on your web server


A) I assume the quote is suggesting that if same browser is used to log onto two web applications, then overriding this property will cause these two applications to put their tickets into same authentication cookie?


B) Doesn’t above quote imply that if we only have one Asp.Net application running on our web server, then we don’t need to overwrite the default value (which is an empty string)?

But as far as I know, even if we only have one Asp.Net application running on our web server, we would still need to set this property to a value representing our domain, else forms authentication would not work?!


thanx

+1  A: 

Correct. You don't need to override the value if you only have one application, but you don't need to set it either, it is worked out for you.

Really this is for situations where you may have one application on http://www.example.com and one on http://host1.example.com - setting the cookie domain to example.com means they will share the same cookie.

blowdart
Q1 - But how, when using Forms Authentication, will Asp.Net figure out what domain your web application belongs to and then set FormsAuthentication.CookieDomain accordingly? Namely, if it won’t be able to set this property accordingly, then forms authentication won’t work, since Cookie domain must match URL used for accessing web server! Q2- are there any benefits of having several applications using same cookie instead of each app having its own cookie?
SourceC
Magic pixies :) It's part of the HTTP spec for cookies, if one is sent without a host specified then it is assumed that it is for the host that sent it, and the browser treats it as such. Q2 - It allows sharing, and features like single sign on across multiple applications on a domain.
blowdart
Q1 - I thought that if you don’t supply a value for FormsAuthentication.CookieDomain property, then runtime will automatically assign a domain name to that property?! But as far as I understand your reply, runtime doesn’t set that name for you, but instead browser associates that cookie with the particular domain?! But as far as I know, forms authentication demands that FormsAuthentication.CookieDomain has a value specifying the domain, else authentication won’t work?! Q2 - why couldn't same cookie be used for two applications even if we don't override FormsAuthentication.CookieDomain?
SourceC
Exactly what book are you reading? Because going by your questions the book leaves a lot out. Admittedly it's low level implementation which doesn't really matter. Anyway, the browser will take cookies with no domain name set, it then associates them with the web site that sent them. Forms authentication does not demand the cookiedomain property is set. As for why it won't work over two domains, that's part of the HTTP spec. A browser will not send a cookie from one site to another.
blowdart
I'm reading Pro Asp.Net 3.5 in C# 2008. The subject relevant to this discussion is contained on page 866: "...URL you use to access the application is different from your actual domain. Therefore, forms authentication would not work, as it matches the name of the cookie domain with the URL used for accessing the web server." Q2 - I think you misunderstood my second question ( I should be more specific ). I was asking why two applications in the same domain can't use same cookie even if we don't override...
SourceC
If the applications are on the exact same FQDN then they will share the cookie. If they are on separate FQDNs they will not be able to unless you override as the browser will not send the cookie as it will be limited to an exact FQDN match. Simply put - you do not need to set it unless you are going to run multiple applications on separate sub domains which share authentication
blowdart
I'm still a bit confused on the following - if you don't set FormsAuthentication.CookieDomain property, then cookie won't contain the name of a domain ( thus runtime won't automatically figure out the domain and set FormsAuthentication.CookieDomain to it )?
SourceC
The runtime doesn't need to figure it out. The browser does, and will send the cookie to its originating server. That's all asp.net needs. Until you run multiple applications across multiple servers with multiple names you do not need to worry about any of this.
blowdart
Sorry for dragging this. Just one more thing - since it is a browser that figures out the domain, then cookie doesn't have stored a string containing the domain name?! If so, then I must assume that runtime doesn't compare domain value ( stored in a cookie ) with URL used to access the web server?! I'm really sorry about this :(
SourceC
No it doesn't. The browser does the work, and how it implements it is up to the browser. The runtime simply sees a cookie or not.
blowdart
thanx for helping me
SourceC
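
The browser-side scoping discussed in this thread, as an added example that is not part of the original thread: a simplified JavaScript model of the RFC 6265 storage and domain-matching rules, showing a host-only cookie (no Domain attribute) next to one set with Domain=example.com. The function names and the extra hostnames are constructed for illustration, and the public-suffix check real browsers also apply is left out.

```javascript
// Simplified model of RFC 6265 cookie scoping (added example; hostnames are constructed).
// Real browsers additionally reject Domain values that are public suffixes (e.g. "com").

// RFC 6265 s5.1.3: does `host` domain-match `cookieDomain`?
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  // IP addresses only ever match exactly, never as a suffix.
  const isIp = /^[\d.]+$/.test(host) || host.includes(':');
  return !isIp && host.endsWith('.' + cookieDomain);
}

// RFC 6265 s5.3: what the browser stores when `originHost` sends Set-Cookie.
// `domainAttr` is the Domain attribute, or '' when the server did not send one.
// Returns null when the browser rejects the cookie.
function storeCookie(originHost, domainAttr) {
  if (!domainAttr) {
    // No Domain attribute: host-only cookie, bound to the exact sending host.
    return { domain: originHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, '').toLowerCase();
  // A server may only set a cookie for its own host or one of its parent domains.
  if (!domainMatch(originHost, domain)) return null;
  return { domain: domain, hostOnly: false };
}

// RFC 6265 s5.4: is the stored cookie attached to a request for `requestHost`?
function isSentTo(cookie, requestHost) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatch(requestHost, cookie.domain);
}

// Which of `hosts` receive a cookie set by `originHost` with `domainAttr`?
function recipients(originHost, domainAttr, hosts) {
  const cookie = storeCookie(originHost, domainAttr);
  return hosts.filter((h) => isSentTo(cookie, h));
}

const hosts = ['www.example.com', 'host1.example.com', 'other.example.com', 'example.org'];
console.log('host-only :', recipients('www.example.com', '', hosts));
console.log('example.com:', recipients('www.example.com', 'example.com', hosts));
```

With Domain=example.com the ticket cookie goes to every host under example.com, not only the two applications meant to share it, so each application on that domain has to be trusted with the authentication ticket.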