Forms Authentication across Sub-Domains

Posted 2019-01-03 06:35

Is it possible to authenticate users across sub-domains when the authentication takes place at a sub-domain instead of the parent domain?

For example:

User logs into site1.parent.com, and then we need to send them to reporting.parent.com.

Can I authenticate them to the reporting site even though the log-in occurred at a sub-domain?

So far all of the research I have done has users logging into the parent domain first and then each sub-domain has access to the authentication cookie.

7 answers
Summer. ? 凉城
#2 · 2019-01-03 07:10

2 things to be done:

  1. MachineKey should be the same in all web.config files (main domain and sub-domain(s)).
  2. AuthenticationCookie domain name should be the same.

Follow the following article for more depth.

爷的心禁止访问
#3 · 2019-01-03 07:16

Yes, sure. You may need to roll your own at some stages, but it should be doable.

One idea: as you redirect them across the boundary, give them a one-time pass token and then tell the receiving sub-domain to expect them (this user, from this IP, with this token).

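The one-time pass token idea from the answer above, as an added example (not code from the answer or from ASP.NET). It substitutes an HMAC-signed token under a key both sites share for the back-channel "expect this user" notice; `HandoffToken`, `Issue`, `Redeem` and the token layout are hypothetical names chosen for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Added example: hypothetical helper, not an ASP.NET API.
public static class HandoffToken
{
    // Nonces already redeemed on the receiving site (in-memory here; a web farm needs a shared store).
    static readonly ConcurrentDictionary<string, long> Used = new ConcurrentDictionary<string, long>();

    static string Sign(byte[] key, string payload)
    {
        using (var h = new HMACSHA256(key))
            return Convert.ToBase64String(h.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // Sending site: bind user, client IP, expiry and a random nonce under the shared key.
    public static string Issue(byte[] key, string user, string ip, TimeSpan ttl)
    {
        var nonce = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(nonce);
        long exp = DateTimeOffset.UtcNow.Add(ttl).ToUnixTimeSeconds();
        string payload = Convert.ToBase64String(Encoding.UTF8.GetBytes(user))
            + "|" + ip + "|" + exp + "|" + Convert.ToBase64String(nonce);
        return payload + "|" + Sign(key, payload);
    }

    // Receiving site: returns the user name, or null if forged, expired, from another IP or replayed.
    public static string Redeem(byte[] key, string token, string ip)
    {
        string[] p = (token ?? "").Split('|');
        if (p.Length != 5) return null;
        string payload = string.Join("|", p, 0, 4);
        if (!FixedEquals(Sign(key, payload), p[4])) return null;   // check the signature first
        long exp;
        if (!long.TryParse(p[2], out exp) || exp < DateTimeOffset.UtcNow.ToUnixTimeSeconds()) return null;
        if (p[1] != ip) return null;
        if (!Used.TryAdd(p[3], exp)) return null;                  // nonce seen before: replay
        return Encoding.UTF8.GetString(Convert.FromBase64String(p[0]));
    }

    static bool FixedEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

URL-encode the token before putting it in the redirect query string, and keep the lifetime to a few seconds so a token leaked through logs or the Referer header has expired by the time anyone reads it.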
Bombasti
#4 · 2019-01-03 07:16

Jro's answer works fine. But make sure to update the web.config forms authentication setting "domain", otherwise forms authentication sign-out will not work properly. Here is the sign-out issue I came across. The trick here is to have a '.' as the prefix, as the domain is set for the cookie as ".parent.com" (use a cookie inspector).

<authentication mode="Forms">
  <forms cookieless="UseCookies" defaultUrl="~/Default" loginUrl="~/user/signin" domain=".parent.com" name="FormAuthentication" path="/"/>
</authentication>
迷人小祖宗
#5 · 2019-01-03 07:18

When you authenticate the user, set the authentication cookie's domain to the second-level domain, i.e. parent.com. Each sub-domain will receive the parent domain's cookies on request, so authentication over each is possible since you will have a shared authentication cookie to work with.

Authentication code:

// Issue the Forms Authentication cookie (false = not persistent).
System.Web.HttpCookie authcookie = System.Web.Security.FormsAuthentication.GetAuthCookie(UserName, false);
// Scope the cookie to the parent domain so every sub-domain receives it.
authcookie.Domain = "parent.com";
Response.AppendCookie(authcookie);
Response.Redirect(System.Web.Security.FormsAuthentication.GetRedirectUrl(UserName, false));
forever°为你锁心
#6 · 2019-01-03 07:20

You can set the cookie to be the parent domain at authentication time, but you have to explicitly set it; it will default to the full domain that you are on.

Once the auth cookie is correctly set to the parent domain, then all sub-domains should be able to read it.

The star\"
#7 · 2019-01-03 07:25

As a side note, I found that after using jro's method, which worked well (+1), the FormsAuthentication.SignOut() method didn't work when called from a subdomain other than www/. (I'm guessing because the .Domain property doesn't match.) To get around this I used:

// Expire the auth cookie on the same domain it was issued for.
if (Request.Cookies[FormsAuthentication.FormsCookieName] != null)
{
    HttpCookie myCookie = new HttpCookie(FormsAuthentication.FormsCookieName);
    myCookie.Domain = "parent.com";
    myCookie.Expires = DateTime.Now.AddDays(-1d);
    Response.Cookies.Add(myCookie);
}