CODEWITHSUNDEEP
asp.netasp.net-mvcmulti-tenant
Ben Foster
Ben Foster

Reputation: 34800

ASP.NET Session and Cookies in Multi-tenant application

I'm working on a multi-tenant ASP.NET MVC application.

So far we have been using HttpContext to store a few objects for the request (technically partitioned by tenant).

However, we will need to use TempData (uses Session) and set authentication cookies.

Our spec:

Is Session domain aware? It seems to be.

Can I set multiple domains on an authentication cookie?

Advice on anything else that may catch me out would be appreciated. Really I just need to understand what needs to be partitioned for each tenant (up to now I've partitioned the file system, database and cache per tenant).

Thanks

Ben

Upvotes: 1

Views: 3762

Answers (2)

Sonic Soul
Sonic Soul

Reputation: 24899

you may want to look into Session Partitioning.

<configuration>
    <system.web>
        <sessionState 
            mode="StateServer" 
            partitionResolverType=
                "IndustryStrengthSessionState.PartitionResolver" />
    </system.web>
</configuration>

But I don't believe you can share sessions across domains out of the box. You will likely need to add custom session synchronization, where each domains session is linked by a custom algorithm to the same user/tenant etc.

Upvotes: 0

Darin Dimitrov
Darin Dimitrov

Reputation: 1038710

Is Session domain aware?

By default Session is tracked by cookies and because cookies are restricted to the same domain the session is not only domain aware but also application-aware meaning that if you have two applications on the same domain they won't share session.

Can I set multiple domains on an authentication cookie?

No. Cookies cannot be shared between domains. But contrary to sessions you can share them among multiple applications on the same domain (by setting the domain attribute to the top level domain in the <forms> tag in web.config). This is what allows to achieve single sign on between applications on the same domain. If you wanted to achieve single sign on between applications on different domains you will need different approach.

Upvotes: 4

Related Questions