Jonathan Wood

Reputation: 67355

Forms Authentication Shared Across Websites

I'm developing a mobile-only sub domain website for an existing website. (The main site is www.domain.com and the mobile-only site I'm developing is m.domain.com.)

When a user logs into the main website, I want to redirect them to the mobile-only website if:

  1. They appear to be on a mobile device
  2. They have a particular role

When redirected, they should not have to log in a second time. And so I want to share authentication across websites. The main website uses Forms Authentication.

I am trying to follow the steps described in the article Forms Authentication Across Applications. The main thing is that you must "set attributes of the forms and machineKey sections of the Web.config file to the same values for all applications that are participating in shared forms authentication."

I have done this. However, it's still not working. I can log in or out of either site using the same credentials. But logging in or out of one site does not have any effect on the login status of the other.

The article has this note:

Applications that run ASP.NET version 2.0 or later can share forms authentication ticket information with earlier versions of ASP.NET if you include decryption="3DES" in the machineKey element for each ASP.NET version 2.0 (or later) application.

This does not seem to apply.

Also, I do not specify the domain attribute of the authentication element. It says it's optional, and that the default value will be "".

Can anyone suggest what else I might try? I just don't know where to go from here.

Upvotes: 0

Views: 4103

Answers (2)

Soori

Reputation: 61

Since you only want to share within the same domain, this shouldn't be a problem. Machine key matters only if you are going to deal with multiple servers or domains.

In your case it's the same domain on the same server, therefore if you set the domain (there is a property in httpcookie) to be "domain.com" (you should not mention any subdomain) in your authentication cookie, I remember that this can be done in web.config (forms authentication section) itself, this should work for you.

    <authentication mode="Forms">
      <forms loginUrl="~/account/login" timeout="30" name=".FormAuth"
             cookieless="UseCookies" enableCrossAppRedirects="true"
             domain=".domain.com" />
    </authentication>

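or if you are manually creating the cookie you could create a cookie like:

    // HttpCookie has no parameterless constructor; it needs the cookie name.
    var cookie = new HttpCookie(FormsAuthentication.FormsCookieName);
    cookie.Domain = ".domain.com";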

This good post explains the same, which I found later....

Asp.net forms authentication and multiple domains

Upvotes: 2

Magnus Karlsson

Reputation: 3554

This is what is wrong.

Also, I do not specify the domain attribute of the authentication element. It says it's optional, and that the default value will be "".

You should set the domain attribute in the forms element like this (not sure about the dot indicating a subdomain).

<forms domain=".mydomain.com" loginUrl="member_login.aspx" cookieless="UseCookies" />

The CookieDomain property value is set in the configuration file for an ASP.NET application by using the domain attribute of the forms configuration element. The CookieDomain property value determines the Domain that the cookie will be used for.

The documentation from your link states that

You can omit the domain attribute of the forms tag if there is only one Web site on the server.

Which in your case, it is not.

Upvotes: 4
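
The cookie scoping that both answers rely on, as an added example that is not part of the original posts: a reduced model of the RFC 6265 Domain rules showing which hosts receive the forms authentication cookie for each setting of the `domain` attribute. The function names and the host `other.domain.com` are hypothetical, and the public-suffix check browsers also apply is left out.

```javascript
// Added example: RFC 6265 cookie scoping, reduced to the Domain rules.
// Host names are the question's placeholders; function names are hypothetical.

// RFC 6265 section 5.1.3: does request host `host` domain-match `cookieDomain`?
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  // Suffix matching applies to host names only, never to IP addresses.
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + cookieDomain);
}

// Build the stored cookie as the browser would (section 5.3).
// `domainAttr` is the value of the forms element's domain attribute, "" if unset.
function storeCookie(setByHost, name, domainAttr) {
  if (!domainAttr) {
    // No Domain attribute: host-only cookie, bound to the exact issuing host.
    return { name, domain: setByHost.toLowerCase(), hostOnly: true };
  }
  // A leading dot is ignored (section 5.2.3).
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  // The issuing host must itself domain-match, or the cookie is rejected.
  if (!domainMatch(setByHost, domain)) return null;
  return { name, domain, hostOnly: false };
}

// Would the browser attach `cookie` to a request for `requestHost`?
function isSentTo(cookie, requestHost) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatch(requestHost, cookie.domain);
}

// Report which of `hosts` receive a cookie issued by `setByHost`.
function reach(setByHost, domainAttr, hosts) {
  const cookie = storeCookie(setByHost, ".FormAuth", domainAttr);
  return hosts.filter((h) => isSentTo(cookie, h));
}

// Constructed sample hosts: the two sites, a third subdomain, and a look-alike.
const hosts = ["www.domain.com", "m.domain.com", "other.domain.com", "domain.com.example"];
console.log(reach("www.domain.com", "", hosts));            // host-only
console.log(reach("www.domain.com", ".domain.com", hosts)); // shared across subdomains
console.log(reach("www.domain.com", "m.domain.com", hosts)); // rejected by the browser
```

With `domain=".domain.com"` the ticket is sent to every subdomain of `domain.com`, not only `m.domain.com`, so every host under that name has to be trusted with it.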
