Justin

Reputation: 18186

Programmatically set cookie domain per user in ASP.NET MVC

I have an ASP.NET MVC web app that needs to be able to set the auth cookie's domain per user, rather than setting it in the web.config for the entire web application.

Here is what I currently have set:

<httpCookies domain=".mydomain.com" />

Scenario 1

When a user first comes to the site, they are on www.mydomain.com. If they login to the main section of our site, they will stay on www.mydomain.com, the login will call:

FormsAuthentication.SetAuthCookie(user.Id + "|"
    + user.EmailAddress + "|"
    + user.Role.ToString(), true);

...and the cookie will be set correctly, as www.mydomain.com matches the cookie domain of .mydomain.com, all is well.

Scenario 2

The user can also register for their own section of our site, which would be companyname.mydomain.com. Under this scenario, if they login from either www.mydomain.com or companyname.mydomain.com, the cookie will be set fine, as again, it matches the cookie domain of .mydomain.com.

Scenario 3 (The problem)

However, the user has the option to point their own domain name to our site, and have it mirror what they would see if they went to companyname.mydomain.com. So let's say they register the domain companyname.com, point its A record to our server, and then specify on our site that they want to have their url be companyname.com instead of companyname.mydomain.com. They go to companyname.com, it shows the login page for their section of our site. Now they try to login, and of course, it doesn't work, as companyname.com doesn't match our cookie domain of .mydomain.com.

Why don't we just not set the httpCookies domain in the web.config altogether? Because then if they're on www.mydomain.com and try to login to companyname.mydomain.com, it will fail, as the cookie will be for www.mydomain.com.

We need some way to say, hey this user's request is coming from a domain other than mydomain.com, set the domain for this user's FormsAuthentication cookie to their domain name rather than .mydomain.com.

Any ideas??

Upvotes: 1

Views: 5855

Answers (2)

Justin

Reputation: 18186

I realized that this approach wouldn't work, as you can't set a cookie for a domain that you're not on due to security implications.

Instead, what I now do is try to login, and then check if the domain that we have to redirect to is the domain that we're currently on. If so then we set the auth ticket and redirect to the secure section. If we're not on the domain that we're redirecting to, we redirect from the currentdomain.com/validatelogin to the newdomain.com/validatelogin, and then the same check will run, yes we're on the domain we're redirecting to, so set the auth cookie and off we go.

Upvotes: 4

Erwin

Reputation: 4817

With GetAuthCookie you can retrieve the auth cookie and set the domain name by hand:

// Build the forms-auth cookie without sending it, then set its domain by hand
HttpCookie authcookie = FormsAuthentication.GetAuthCookie(userName, false);
authcookie.Domain = "companyname.mydomain.com";
// AppendCookie is an instance method: call it on the current response
Response.AppendCookie(authcookie);

Upvotes: 1
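The two answers fit together: the accepted approach hands the login off to the host that will own the cookie, and the GetAuthCookie approach picks the cookie's Domain per request instead of relying on the web.config value. Below is an added example (not code from either answer or from the question author) that combines both for a section login in an ASP.NET MVC controller. The User model, IUserService, IHandoffTokenStore, the /validatelogin and /secure routes and the 60-second token lifetime are assumptions made for the example; the ".mydomain.com" parent domain is the one from the question.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical model and services assumed by this example.
public class User
{
    public int Id { get; set; }
    public string CompanyName { get; set; }  // "companyname" -> companyname.mydomain.com
    public string CustomDomain { get; set; } // e.g. "companyname.com", or null
}

public interface IUserService { User Authenticate(string email, string password); }

// Server-side store of short-lived, single-use handoff tokens. Redeem returns
// null for unknown, expired or already-used tokens and consumes the token.
public interface IHandoffTokenStore
{
    string Issue(User user, TimeSpan lifetime);
    User Redeem(string token);
}

public class AccountController : Controller
{
    private const string SharedParentDomain = ".mydomain.com";
    private readonly IUserService _users;
    private readonly IHandoffTokenStore _tokens;

    public AccountController(IUserService users, IHandoffTokenStore tokens)
    {
        _users = users;
        _tokens = tokens;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(string email, string password)
    {
        User user = _users.Authenticate(email, password);
        return user == null ? (ActionResult)View("Login") : CompleteLogin(user);
    }

    // /validatelogin on the target host: redeem the one-time token, then run the
    // same host check so the cookie is issued by the host that will read it.
    [HttpGet]
    public ActionResult ValidateLogin(string token)
    {
        User user = string.IsNullOrEmpty(token) ? null : _tokens.Redeem(token);
        return user == null ? (ActionResult)View("Login") : CompleteLogin(user);
    }

    private ActionResult CompleteLogin(User user)
    {
        // The target host comes from the user's record, never from the request,
        // so a caller cannot steer the redirect to an arbitrary domain.
        string targetHost = user.CustomDomain ?? (user.CompanyName + SharedParentDomain);
        string currentHost = Request.Url.Host;

        if (CookieWillReachHost(currentHost, targetHost))
        {
            IssueAuthCookie(user, currentHost);
            return Redirect("https://" + targetHost + "/secure");
        }

        // Different cookie scope: hand off a short-lived, single-use token rather
        // than credentials; the target host redeems it at /validatelogin.
        string handoff = _tokens.Issue(user, TimeSpan.FromSeconds(60));
        var target = new UriBuilder("https", targetHost)
        {
            Path = "/validatelogin",
            Query = "token=" + HttpUtility.UrlEncode(handoff)
        };
        return Redirect(target.Uri.AbsoluteUri);
    }

    // A cookie set from currentHost is readable on targetHost when they are the
    // same host, or both sit under the parent the ".mydomain.com" Domain covers.
    private static bool CookieWillReachHost(string currentHost, string targetHost)
    {
        if (string.Equals(currentHost, targetHost, StringComparison.OrdinalIgnoreCase))
            return true;
        return currentHost.EndsWith(SharedParentDomain, StringComparison.OrdinalIgnoreCase)
            && targetHost.EndsWith(SharedParentDomain, StringComparison.OrdinalIgnoreCase);
    }

    // GetAuthCookie applies the web.config domain (.mydomain.com). A browser only
    // accepts that Domain from a host under it, so on a custom domain the
    // attribute is cleared and the cookie becomes host-only.
    private void IssueAuthCookie(User user, string host)
    {
        HttpCookie authCookie = FormsAuthentication.GetAuthCookie(user.Id.ToString(), false);
        authCookie.Domain = host.EndsWith(SharedParentDomain, StringComparison.OrdinalIgnoreCase)
            ? SharedParentDomain
            : null;
        authCookie.HttpOnly = true;
        authCookie.Secure = Request.IsSecureConnection;
        Response.AppendCookie(authCookie);
    }
}
```

The handoff token is the piece the accepted answer leaves implicit: it travels in the redirect URL, so it is kept short-lived and single-use and is bound to the user server-side, and the password is never repeated across hosts. Because the target host is read from the user's record, the redirect cannot be pointed at a host the account does not own.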
