Forms Authentication Across Sub-Domains

You can set the cookie to be the parent domain at authentication time, but you have to set it explicitly; it will default to the full domain that you are on.

Once the auth cookie is correctly set to the parent domain, then all sub-domains should be able to read it.

asp.net Form Authentication across sub domains

I got this: "Forms Authentication ReturnUrl and subdomain for single sign-on". That solved my problem.

I am not sure if that is the best way to do it, though.

Forms Authentication across Sub-Domains on local IIS

localhost.users and localhost.host are cross-domain. Cookies cannot be shared cross-domain.

You could configure it like this so that the sub-domain differs but the root domain stays the same:

  • users.localhost
  • host.localhost

Now set the cookie domain in your web.config to localhost:

domain=".localhost"

and in your c:\Windows\System32\drivers\etc\hosts file add the following 2 entries:

127.0.0.1 users.localhost
127.0.0.1 host.localhost

Now you will be able to successfully share the authentication cookie between users.localhost and host.localhost.

Ah, and don't forget to put a step in your automated build process that will transform your web.config value to the correct root domain before shipping in production.
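
The scoping rule the answers above rely on, as an added example that is not from any of the posts: a sketch of RFC 6265 domain matching that shows which hosts receive the auth cookie for a given `domain` value. The function names are illustrative, and public-suffix checks and browser-specific handling of `localhost` are left out.

```javascript
// Added example: RFC 6265 cookie scoping as a browser applies it.
// Host names are the ones used on this page; this is not ASP.NET code.

// RFC 6265 5.2.3: lower-case the Domain attribute and drop one leading dot,
// so domain=".localhost" and domain="localhost" are stored the same way.
function normalizeDomainAttr(attr) {
  const d = (attr || "").trim().toLowerCase();
  return d.startsWith(".") ? d.slice(1) : d;
}

// RFC 6265 5.1.3: a host matches if it is identical to the domain, or if it
// is a name (not an IP address) that ends with "." + domain.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  if (host === domain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// Store a cookie set by setterHost; null means the browser rejects it.
function storeCookie(setterHost, domainAttr) {
  const domain = normalizeDomainAttr(domainAttr);
  // No Domain attribute: host-only cookie, returned to the exact host only.
  if (domain === "") return { hostOnly: true, domain: setterHost.toLowerCase() };
  // The setting host must itself domain-match the attribute.
  if (!domainMatch(setterHost, domain)) return null;
  return { hostOnly: false, domain };
}

// Would the stored cookie be attached to a request for requestHost?
function isSentTo(cookie, requestHost) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatch(requestHost, cookie.domain);
}

// Hosts from the candidate list that would receive the cookie.
function recipients(setterHost, domainAttr, hosts) {
  const cookie = storeCookie(setterHost, domainAttr);
  return hosts.filter((h) => isSentTo(cookie, h));
}
```

A cookie scoped to the parent domain is sent to every host under it, so each sub-domain of that parent receives the authentication ticket, not only the ones meant to share the login.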

Asp.Net Forms Authentication with Subdomains

So I figured out what was wrong. When logging in (and setting the cookie), I was sending a post request to a different domain than the one I was currently on (profile.teknik.io/Login). This for some reason was not setting the proper cookie, so no auth was occurring. Once I moved the login to the parent domain, the auth works correctly across subdomains.

Update 1

The real issue was the ajax request for logging in. It did not have CORS enabled, so once I did that, and added the appropriate allow headers, the request would work and the cookies would be saved correctly.

Forms Authentication Shared Across Websites

This is what is wrong.

Also, I do not specify the domain attribute of the authentication element. It says it's optional, and that the default value will be "".

You should set the domain attribute in the forms element like this (not sure about the dot indicating a subdomain).

<forms domain=".mydomain.com" loginUrl="member_login.aspx" cookieless="UseCookies" />

The CookieDomain property value is set in the configuration file for an ASP.NET application by using the domain attribute of the forms configuration element. The CookieDomain property value determines the Domain that the cookie will be used for.

The documentation from your link states that

You can omit the domain attribute of the forms tag if there is only one Web site on the server.

Which in your case, it is not.

ASP.NET MVC - cross sub domain authentication/membership

Try creating the cookie yourself.

In AccountController you'll find this:

FormsAuthentication.SetAuthCookie(userName, createPersistentCookie);

that "creates and adds to the cookie collection". It doesn't allow modification of the domain (but does allow modification of the path, oddly). Instead create a cookie without adding to the collection, modify the necessary properties, then add to the collection:

var a = FormsAuthentication.GetAuthCookie(userName, createPersistentCookie);
//if you're debugging right here, a.Domain should be en.example.com; change it
a.Domain = "example.com";
HttpContext.Current.Response.Cookies.Add(a);

James


