Multi domain cookie based authentication

Question

User-1959381502 posted

I want to create a cookie based authentication functionality. 

There are two web  applications and login details are same for both applications. When user logged in to the application A(client application) it will send a web request(HttpWebRequest) to application B(my API). This request will contain encrypted login details. Then application B will do the authentication and update application A. (B create auth cookie and send it to A )

So at the moment user is still at application A. 

And there are multiple operation in application A which will redirect user to application B. If this happen user must automatically logged in to application B. In these redirection login credentials are not provided.

Below is the web request on application B

var http = (HttpWebRequest)WebRequest.Create(new Uri(baseAddress));
            http.Method = "POST";
            CookieContainer cookieContainer = new CookieContainer();
            http.CookieContainer = cookieContainer;
//include the post data
            var response = (HttpWebResponse)http.GetResponse();

            foreach (Cookie cook in response.Cookies)
            {
                Response.Cookies.Add(new System.Web.HttpCookie(cook.Name, cook.Value)
                {
                    Domain = cook.Domain,
                    Expires = cook.Expires
                });
            }

So now the question is since application A and B are in two different domains cookies cannot be shard. Is there any way to allow cross-domain cookies in IIS server. (Both applications will be hosted in IIS)

Answer 1

User-1038772411 posted

Hello, NewUser2017

How to share session state across Domains & subdomains and multidomain.

void context_PostRequestHandlerExecute(object sender, EventArgs e)
{
    HttpApplication context = (HttpApplication)sender;
    HttpCookie cookie = context.Response.Cookies["ASP.NET_SessionId"];
 
    if (context.Session != null &&
        !string.IsNullOrEmpty(context.Session.SessionID))
    {
        cookie.Value = context.Session.SessionID;
        if (rootDomain != "localhost")
        {
            cookie.Domain = rootDomain;
        }
        cookie.Path = "/";
    }
}

Please refer below link :

https://support.microsoft.com/en-ae/help/2527105/how-to-share-session-state-across-subdomains

Thanks.

Answer 2

User-1959381502 posted

Hello, NewUser2017

How to share session state across Domains & subdomains and multidomain.

void context_PostRequestHandlerExecute(object sender, EventArgs e)
{
    HttpApplication context = (HttpApplication)sender;
    HttpCookie cookie = context.Response.Cookies["ASP.NET_SessionId"];
 
    if (context.Session != null &&
        !string.IsNullOrEmpty(context.Session.SessionID))
    {
        cookie.Value = context.Session.SessionID;
        if (rootDomain != "localhost")
        {
            cookie.Domain = rootDomain;
        }
        cookie.Path = "/";
    }
}

Please refer below link :

https://support.microsoft.com/en-ae/help/2527105/how-to-share-session-state-across-subdomains

Thanks.

Thanks for the response. 

In this case cookie is create on my domain. But I want to store custom domain cookie on the browse. So next time user redirect to custom domain, user will be automatically logged in. 

Answer 3

User-719153870 posted

Hi NewUser2017,

So now the question is since application A and B are in two different domains cookies cannot be shard. Is there any way to allow cross-domain cookies in IIS server. (Both applications will be hosted in IIS)

For security issues, this kind of option is forbidden. Which you can refer to Same-origin Policy.

And for hwow cookie work, please refer to:How cookie work.

For your case, i suggest you can use SSO according to your description.

Best Regard,

Yang Shen

Answer 4

User-1038772411 posted

Hello, NewUser2017

Well, if you want to store custom cookie after close browser, then we use  FormsAuthentication to set it.

Kindly please refer below link how to store cookies in browser. 

https://stackoverflow.com/questions/14922822/using-cookies-to-auto-login-a-user-in-asp-net-custom-login

Thanks.

Answer 5

User475983607 posted

This is a duplicate post.

https://forums.asp.net/p/2158782/6274439.aspx?Re+Single+sign+on+using+custom+API

As illustrated in your other similar thread, this approach will not work.  Application A must pass information to Application B via an HTTP GET (or POST).  Application B verifies the HTTP GET information, usually by making a request to Application A.  If the information is valid then Application B returns an auth cookie to the browser.