Multi domain cookie based authentication

Question
-
User-1959381502 posted
I want to create a cookie based authentication functionality.
There are two web applications, and the login details are the same for both applications. When a user logs in to application A (client application), it will send a web request (HttpWebRequest) to application B (my API). This request will contain encrypted login details. Then application B will do the authentication and update application A. (B creates an auth cookie and sends it to A.)
So at the moment user is still at application A.
And there are multiple operations in application A which will redirect the user to application B. If this happens, the user must be automatically logged in to application B. In these redirections, login credentials are not provided.
Below is the web request on application B
    var http = (HttpWebRequest)WebRequest.Create(new Uri(baseAddress));
    http.Method = "POST";
    CookieContainer cookieContainer = new CookieContainer();
    http.CookieContainer = cookieContainer;
    //include the post data
    var response = (HttpWebResponse)http.GetResponse();
    foreach (Cookie cook in response.Cookies)
    {
        Response.Cookies.Add(new System.Web.HttpCookie(cook.Name, cook.Value)
        {
            Domain = cook.Domain,
            Expires = cook.Expires
        });
    }
So now the question is, since application A and B are in two different domains, cookies cannot be shared. Is there any way to allow cross-domain cookies in IIS server? (Both applications will be hosted in IIS)
Friday, August 16, 2019 5:24 AM
Answers
-
User475983607 posted
This is a duplicate post.
https://forums.asp.net/p/2158782/6274439.aspx?Re+Single+sign+on+using+custom+API
As illustrated in your other similar thread, this approach will not work. Application A must pass information to Application B via an HTTP GET (or POST). Application B verifies the HTTP GET information, usually by making a request to Application A. If the information is valid then Application B returns an auth cookie to the browser.
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Friday, August 16, 2019 12:55 PM
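The handoff described in this answer, as an added example that is not part of the original thread: application A issues a random, single-use ticket that travels in the redirect, and application B redeems it with A before setting its own cookie. The class names, the 60-second lifetime and the in-process call standing in for B's HTTPS request to A are assumptions made for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Application A: issues and redeems short-lived, single-use tickets (hypothetical class).
class TicketStoreA
{
    private readonly ConcurrentDictionary<string, Tuple<string, DateTime>> _tickets =
        new ConcurrentDictionary<string, Tuple<string, DateTime>>();
    // Called once A has authenticated the user, just before redirecting the browser to B.
    public string Issue(string user)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string ticket = Convert.ToBase64String(bytes).Replace('+', '-').Replace('/', '_').TrimEnd('=');
        _tickets[ticket] = Tuple.Create(user, DateTime.UtcNow.AddSeconds(60)); // assumed lifetime
        return ticket; // URL-safe, so it can travel in the redirect's query string
    }
    // Back-channel check that B calls server-to-server. TryRemove makes the
    // ticket single-use, so a replayed redirect URL is rejected.
    public string Redeem(string ticket)
    {
        Tuple<string, DateTime> entry;
        if (ticket != null && _tickets.TryRemove(ticket, out entry) && entry.Item2 > DateTime.UtcNow)
            return entry.Item1;
        return null;
    }
}

// Application B: handles the redirect and validates the ticket with A (hypothetical class).
class SsoEndpointB
{
    private readonly TicketStoreA _appA; // stands in for an HTTPS request to A
    public SsoEndpointB(TicketStoreA appA) { _appA = appA; }
    // Returns the user B should sign in with its own cookie, or null to reject the request.
    public string HandleRedirect(string ticketFromQuery) { return _appA.Redeem(ticketFromQuery); }
}

static class Demo
{
    static void Main()
    {
        var a = new TicketStoreA();
        var b = new SsoEndpointB(a);
        string ticket = a.Issue("alice"); // constructed sample user
        Console.WriteLine(b.HandleRedirect(ticket) ?? "rejected");   // first use of the ticket
        Console.WriteLine(b.HandleRedirect(ticket) ?? "rejected");   // replay of the same ticket
        Console.WriteLine(b.HandleRedirect("forged") ?? "rejected"); // ticket A never issued
    }
}
```

The ticket carries no credentials and is useless after one redemption, so a redirect URL that ends up in browser history or a proxy log cannot be used to sign in again.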
All replies
-
User-1038772411 posted
Hello, NewUser2017
How to share session state across Domains & subdomains and multidomain.
    // rootDomain is defined elsewhere (not shown in this post).
    void context_PostRequestHandlerExecute(object sender, EventArgs e)
    {
        HttpApplication context = (HttpApplication)sender;
        HttpCookie cookie = context.Response.Cookies["ASP.NET_SessionId"];
        if (context.Session != null && !string.IsNullOrEmpty(context.Session.SessionID))
        {
            cookie.Value = context.Session.SessionID;
            if (rootDomain != "localhost")
            {
                cookie.Domain = rootDomain;
            }
            cookie.Path = "/";
        }
    }
Please refer to the link below:
https://support.microsoft.com/en-ae/help/2527105/how-to-share-session-state-across-subdomains
Thanks.
Friday, August 16, 2019 6:09 AM -
User-1959381502 posted
Thanks for the response.
In this case the cookie is created on my domain. But I want to store a custom domain cookie in the browser. So the next time the user is redirected to the custom domain, the user will be automatically logged in.
Friday, August 16, 2019 6:40 AM -
User-719153870 posted
Hi NewUser2017,
"So now the question is since application A and B are in two different domains cookies cannot be shared. Is there any way to allow cross-domain cookies in IIS server. (Both applications will be hosted in IIS)"
For security reasons, this kind of option is forbidden. You can refer to the Same-origin Policy.
And for how cookies work, please refer to: How cookie work.
For your case, I suggest you use SSO, according to your description.
Best Regards,
Yang Shen
Friday, August 16, 2019 8:50 AM -
User-1038772411 posted
Hello, NewUser2017
Well, if you want to keep a custom cookie after the browser is closed, then we use FormsAuthentication to set it.
Kindly refer to the link below on how to store cookies in the browser.
Thanks.
Friday, August 16, 2019 9:26 AM