Anduril

Reputation: 1276

Shared Forms Auth cookie not working on subdomain

I have a domain www.foo.com and sub domain www.bar.foo.com. A user logs in at www.foo.com and is redirected to www.bar.foo.com. The site at the sub domain is a different website, and even though the cookie is being passed across correctly in the subsequent requests to both the primary and sub domain, the authentication on the sub domain isn't working.

Both sites share the same machine key information and the web configs for the two sites are configured as:

www.foo.com:

<authentication mode="Forms">
  <forms timeout="120" protection="All" slidingExpiration="true" name=".authcookie" domain=".foo.com" />
</authentication>

www.bar.foo.com:

<authentication mode="Forms">
  <forms loginUrl="http://www.foo.com" timeout="120" protection="All" slidingExpiration="true" name=".authcookie" domain=".foo.com"/>
</authentication>

As you can see, the cookie name is set correctly and I have confirmed in Fiddler that the cookie is being sent correctly on all requests to both domains, but on the server side at www.bar.foo.com the request is not authenticated. Apart from the cookie name and the machine keys, is there anything else that needs to be set to allow two sites on sub domains to share an auth cookie?

Edit - Found in the Windows event logs:

Event code: 4005
Event message: Forms authentication failed for the request. Reason: The ticket supplied was invalid. 
Event time: 19/02/2015 15:25:34 
Event time (UTC): 19/02/2015 15:25:34 
Event ID: 96e946d72f6b4fd3b5748e985aee7c50 
Event sequence: 27 
Event occurrence: 9 
Event detail code: 50201 

This implies it is a problem with the ticket encryption.

Edit 2: I forgot to mention, at the moment this is still in dev, so even though they are two different websites they are both hosted on my local machine.

Update: I have tried regenerating the machine keys as that has apparently fixed the issue for some users, but no joy for me.

Upvotes: 1

Views: 1218

Answers (2)

Anduril

Reputation: 1276

The problem was caused because the http runtime version was set differently in the web config for the project that the sub domain points to. I removed the line:

<httpRuntime targetFramework="4.5.1" />

from the web config and that did the job.

Upvotes: 3
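An added example (not part of the original answer, and not ASP.NET's own code) that compares the settings this thread names as deciding whether two sites accept the same forms-auth ticket: the `forms` cookie attributes, `machineKey`, and `httpRuntime targetFramework`. The two configs and their key values are constructed placeholders, and the main site having no `httpRuntime` element is an assumption.

```python
import xml.etree.ElementTree as ET

# Elements under <system.web> and the attributes compared on each.
CHECKS = [
    ("authentication/forms", ["name", "domain", "protection"]),
    ("machineKey", ["validationKey", "decryptionKey", "validation",
                    "decryption", "compatibilityMode"]),
    ("httpRuntime", ["targetFramework"]),
]
SECRET = {"validationKey", "decryptionKey"}  # never echoed in the report

def ticket_settings(web_config_xml):
    """Return {(element, attribute): value or None} for one web.config."""
    system_web = ET.fromstring(web_config_xml).find("system.web")
    found = {}
    for path, attrs in CHECKS:
        node = system_web.find(path) if system_web is not None else None
        for attr in attrs:
            value = None if node is None else node.get(attr)
            # Keys are hex strings, so compare them case-insensitively.
            found[(path, attr)] = value.upper() if value and attr in SECRET else value
    return found

def ticket_mismatches(config_a, config_b):
    """List (element, attribute, value_a, value_b) for settings that differ."""
    a, b = ticket_settings(config_a), ticket_settings(config_b)
    hide = lambda key, v: "<redacted>" if key[1] in SECRET and v else v
    return [(k[0], k[1], hide(k, a[k]), hide(k, b[k])) for k in a if a[k] != b[k]]

# Constructed sample configs; the machine key values are placeholders.
MAIN_SITE = """<configuration><system.web>
  <authentication mode="Forms">
    <forms timeout="120" protection="All" name=".authcookie" domain=".foo.com" />
  </authentication>
  <machineKey validationKey="ABCDEF01" decryptionKey="23456789" validation="SHA1" decryption="AES" />
</system.web></configuration>"""

SUB_SITE = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="http://www.foo.com" timeout="120" protection="All" name=".authcookie" domain=".foo.com" />
  </authentication>
  <machineKey validationKey="abcdef01" decryptionKey="23456789" validation="SHA1" decryption="AES" />
  <httpRuntime targetFramework="4.5.1" />
</system.web></configuration>"""

if __name__ == "__main__":
    for element, attr, main_value, sub_value in ticket_mismatches(MAIN_SITE, SUB_SITE):
        print(f"{element}@{attr}: main={main_value!r} sub={sub_value!r}")
```

On ASP.NET 4.5 and later, `targetFramework` on `httpRuntime` also selects the default `machineKey` `compatibilityMode`, which is why a mismatch there can surface as an invalid ticket even when the keys are identical.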

David Paquette

Reputation: 524

Try removing the leading . in your domain setting for Forms authentication:

domain="foo.com"

Upvotes: 0
