AuthenticationForm - Cross Site Cookies

Posted 2019-08-26 19:10

I have 2 web sites, the first one is myFirst.domain.com and the second one is mySecondSite.domain.com.

They are hosted on two different web servers and my goal is to allow cross-site authentication (my real need is a shared FormsAuthentication cookie).

I've correctly set up my web.config file (machineKey node, forms node). The only difference is the loginUrl, which on myFirstSite is ~/login.aspx and on mySecondSite is http://myFirstSite.com/login.aspx.

Note that I don't have a virtual directory; I just have 2 different web apps.

The problem: When I reach myFirstSite login page from mySecondSite I never get redirected from the login page, it seems like a cookie isn't being written.

The following are a few snippets related to the issue:

MyFirstSite:

    <machineKey validationKey="..." decryptionKey="..." validation="SHA1" decryption="AES" />
    <authentication mode="Forms">
        <forms loginUrl="login.aspx" name="authCookie" enableCrossAppRedirects="true"></forms>
    </authentication>
    <authorization>
        <deny users="?" />
        <allow users="*"/>
    </authorization>

MyFirstSite code behind:

    FormsAuthenticationTicket fat = new FormsAuthenticationTicket(1, "userName..", DateTime.Now, DateTime.Now.AddMinutes(30), true, "roles..");

    string ticket = FormsAuthentication.Encrypt(fat);

    HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, ticket);
    authCookie.Expires = fat.Expiration;
    authCookie.Domain = "myDomain.com";
    Response.Cookies.Add(authCookie);

    // Here is other stuff about querystring checking in order to execute the exact redirect; however it's not working, I always return to the login page.

MySecondSite:

    <machineKey validationKey="..." decryptionKey="..." validation="SHA1" decryption="AES"/>
    <authentication mode="Forms">
        <forms loginUrl="http://myFirstSite.domain.com/login.aspx?queryStringToIndicateUrlPage" enableCrossAppRedirects="true"></forms>
    </authentication>
    <authorization>

Well, that's all. Unfortunately it doesn't work.

Please don't pay attention to queryStringToIndicateUrlPage; it's only a simple workaround to know whether I must redirect to the same app or to the other one.

1 answer

chillily
#2 · 2019-08-26 19:54

As you're using cookie-based authentication shared between two domains, you'll need to indicate this in the <forms> element:

    <machineKey validationKey="..." decryptionKey="..." validation="SHA1" decryption="AES"/>
    <authentication mode="Forms">
        <forms domain=".domain.com" ... />
    </authentication>

Note the initial "." in front of the domain name, which enables sharing of cookies between subdomains.
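To make the answer concrete, here is an added example (my own, not code from the question or the answer) of how both apps would issue and read a Forms Authentication cookie that the parent-domain scope lets both subdomains receive. It assumes both sites live under domain.com, that both web.config files carry an identical <machineKey> and a <forms> element with name="authCookie" and domain=".domain.com", and it adds requireSSL="true" (not on the page) so the cookie is marked Secure. The cookie's Domain, Path and Secure flag are read back from the <forms> configuration rather than hard-coded, which is the detail that goes wrong when the Domain set in code does not match the hosts the cookie must reach.

```csharp
// Added example: shared Forms Authentication cookie across two apps under domain.com.
// Assumed web.config for BOTH apps (keys shortened; real values are long hex strings):
//
//   <machineKey validationKey="..." decryptionKey="..." validation="SHA1" decryption="AES" />
//   <authentication mode="Forms">
//     <forms name="authCookie"
//            domain=".domain.com"
//            loginUrl="http://myFirstSite.domain.com/login.aspx"
//            enableCrossAppRedirects="true"
//            requireSSL="true" />
//   </authentication>
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

public static class SharedFormsAuth
{
    // Called by myFirstSite's login page after the credentials have been verified.
    public static void IssueTicket(HttpResponse response, string userName, string roles, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            version: 1,
            name: userName,
            issueDate: DateTime.Now,
            expiration: DateTime.Now.AddMinutes(30),
            isPersistent: persistent,
            userData: roles);

        // Encrypted and signed with the machineKey; mySecondSite can only
        // decrypt it if its machineKey is byte-for-byte the same.
        string encrypted = FormsAuthentication.Encrypt(ticket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            // ".domain.com" from <forms domain="...">: a host-only cookie issued
            // by myFirstSite.domain.com would never be sent to mySecondSite.domain.com.
            Domain = FormsAuthentication.CookieDomain,
            Path = FormsAuthentication.FormsCookiePath,
            HttpOnly = true,                        // keep the ticket away from page script
            Secure = FormsAuthentication.RequireSSL // true when requireSSL="true"
        };

        // Only a persistent ticket gets an Expires date; otherwise it is a session cookie.
        if (persistent)
        {
            cookie.Expires = ticket.Expiration;
        }

        response.Cookies.Add(cookie);
    }

    // Called on mySecondSite to validate the cookie that myFirstSite issued.
    public static FormsAuthenticationTicket ReadTicket(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            return null;
        }

        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            // A ticket produced under a different machineKey fails to decrypt or validate.
            return (ticket == null || ticket.Expired) ? null : ticket;
        }
        catch (ArgumentException)
        {
            return null; // malformed or tampered ticket value
        }
        catch (CryptographicException)
        {
            return null; // key mismatch between the two apps
        }
    }
}
```

Two things a practitioner should keep in view with this layout. First, a cookie scoped to .domain.com is sent to every host under domain.com, not just these two apps, so any other application on that domain can read the ticket; the shared machineKey and the parent-domain scope together define the trust boundary. Second, the roles in userData are only as trustworthy as the machineKey that signs them, so the key material must be generated once, kept out of source control, and deployed identically to both servers.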
