Reputation: 4023
I'm trying to login a user on two subdomains.
Consider these subdomains:
forum.mydomain.com, account_a.mydomain.com, account_b.mydomain.com.
A user logs in to account_a.mydomain.com. In my authentication function I want to create an authentication cookie for forum.mydomain.com (but not(!) for account_b.mydomain.com).
I tried creating a cookie and setting the .domain property to forum.mydomain.com, but somehow the cookie isn't created. Setting the .domain property to .mydomain.com is not what I want, because it would create a security problem since account_a and account_b are two completely different users.
How can I get it to work?
Upvotes: 0
Views: 285
Reputation: 37543
The only thing that can create a specific domain cookie is a machine that resolves on the domain you're creating. If you want to create a cookie called account_a.mydomain.com then your server's url must be accessed from that specific domain. Given this, it is not possible for account_a.mydomain.com to create a cookie specific to forum.mydomain.com because they are completely separate addresses. Any attempt to create such a cookie would actually create a cookie for account_a.forum.mydomain.com.
As for how to get it to work, you haven't really specified why you're tinkering with the cookie in this manner in the first place so that's difficult to say. You can only have one valid authentication cookie for a user per browser, and the cookies are common to all instances of a browser so it wouldn't really be possible to have a cookie for account_a validate for account_b, and the two cookies couldn't live on the same machine anyway. One of the purposes of domain level authentication is to prevent this kind of simultaneous multiplicity.
Edit: (response to comment)
In the scenario where you want a user to be able to travel across to multiple domain servers you don't need to touch the cookie itself. It will automatically bind itself to the mydomain.com domain and allow such a traversal. Attempting to apply an individual system level security mechanism on the global object is just a little backwards. To use an analogy, you wouldn't line the fence around your house with barbed wire to keep someone out of your basement. The authentication controls to prevent account_a from accessing the account_b domain need to be applied at that server level. My guess is that you have some form of common code where the domain is rationalized against the authentication, so what you really need to do is handle the actual authorization.
One method would be to add some custom code to the Init or Load events of your Page baseclass. Also, you could add a piece of logic to the BeginRequest event in your global.asax. One technique I've seen used (though never used it myself) is to add to the AuthorizeRequest event in the global.asax. I wasn't able to find any documents describing the topic, but I did find one that shows an example of how it's done. https://nport.svn.codeplex.com/svn/jacky/ccs/CCWeb/Global.asax.cs
Upvotes: 1
Reputation: 877
You can't solve this with cookie settings alone; the purpose of the domain property is to prevent this.
If both forum.mydomain.com and account_a.mydomain.com absolutely need to use the same authentication cookie, you need to set it to .mydomain.com and have some logic make sure it's not valid in account_b.mydomain.com.
Upvotes: 2
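Putting the two answers together, here is an added example (not code from either answerer) of how the per-host check can look in ASP.NET Forms Authentication: the login page issues one cookie on .mydomain.com whose ticket carries the list of subdomains it is valid for, and Global.asax's AuthorizeRequest handler on every subdomain rejects a ticket that does not list the current host. The IssueCookie helper and the "allowed hosts in UserData" convention are assumptions for this example, and it assumes all subdomains share the same machineKey so the ticket decrypts everywhere.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Security;
public static class SubdomainAuth
{
    // Hypothetical helper for account_a's login page. allowedHosts is the list of
    // subdomains this ticket may be used on, e.g. {"account_a.mydomain.com", "forum.mydomain.com"}.
    public static void IssueCookie(HttpResponse response, string userName, string[] allowedHosts)
    {
        // The permitted hosts travel inside the encrypted, signed ticket (UserData).
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.AddMinutes(30), false, string.Join(";", allowedHosts));
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            Domain = ".mydomain.com",   // the shared parent domain, as the last answer describes
            HttpOnly = true,
            Secure = true
        };
        response.Cookies.Add(cookie);
    }

    // True only if the ticket is valid, unexpired and explicitly lists this host.
    public static bool TicketAllowsHost(string encryptedTicket, string host)
    {
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(encryptedTicket); }
        catch (Exception) { return false; }   // tampered cookie or mismatched machineKey
        if (ticket == null || ticket.Expired) return false;
        return ticket.UserData.Split(';')
            .Any(h => string.Equals(h, host, StringComparison.OrdinalIgnoreCase));
    }
}
// Global.asax.cs on every subdomain: runs after authentication, before the page.
public class Global : HttpApplication
{
    protected void Application_AuthorizeRequest(object sender, EventArgs e)
    {
        var cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;   // anonymous request, normal rules apply
        if (!SubdomainAuth.TicketAllowsHost(cookie.Value, Request.Url.Host))
        {
            // account_a's ticket presented to account_b.mydomain.com: refuse it
            FormsAuthentication.SignOut();
            Response.StatusCode = 403;
            CompleteRequest();
        }
    }
}
```

The browser still sends the .mydomain.com cookie to account_b.mydomain.com; it is the server-side host check, not the cookie scope, that keeps account_a's session from being honoured there.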