Multi domain cookie based authentication

  • Question

  • User-1959381502 posted

    I want to create a cookie based authentication functionality. 

    There are two web applications and the login details are the same for both applications. When a user logs in to application A (client application), it will send a web request (HttpWebRequest) to application B (my API). This request will contain encrypted login details. Then application B will do the authentication and update application A. (B creates an auth cookie and sends it to A.)

    So at the moment the user is still at application A.

    And there are multiple operations in application A which will redirect the user to application B. If this happens, the user must be automatically logged in to application B. In these redirections login credentials are not provided.

    Below is the web request on application B:

    // Requires: using System.Net;
    var http = (HttpWebRequest)WebRequest.Create(new Uri(baseAddress));
    http.Method = "POST";
    // Collect the cookies that application B sets on its response.
    CookieContainer cookieContainer = new CookieContainer();
    http.CookieContainer = cookieContainer;
    // include the post data

    using (var response = (HttpWebResponse)http.GetResponse())
    {
        // Copy each cookie from B's response onto A's response to the browser.
        foreach (Cookie cook in response.Cookies)
        {
            Response.Cookies.Add(new System.Web.HttpCookie(cook.Name, cook.Value)
            {
                Domain = cook.Domain,
                Expires = cook.Expires
            });
        }
    }

    So now the question is: since applications A and B are in two different domains, cookies cannot be shared. Is there any way to allow cross-domain cookies in the IIS server? (Both applications will be hosted in IIS.)

    Friday, August 16, 2019 5:24 AM

Answers

  • User475983607 posted

    This is a duplicate post.

    https://forums.asp.net/p/2158782/6274439.aspx?Re+Single+sign+on+using+custom+API

    As illustrated in your other similar thread, this approach will not work.  Application A must pass information to Application B via an HTTP GET (or POST).  Application B verifies the HTTP GET information, usually by making a request to Application A.  If the information is valid then Application B returns an auth cookie to the browser.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, August 16, 2019 12:55 PM
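
The handoff this answer describes, as an added example that is not code from the thread: application A issues a short-lived, single-use ticket, the browser carries only that ticket to B in the redirect, and B redeems it with A server-to-server before setting its own cookie. `TicketStore`, `Issue`, `Redeem`, the 30-second lifetime and `b.example` are assumptions, and the back-channel HTTP call from B to A is replaced by a direct method call so the block runs stand-alone.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Application A side (hypothetical class): issues and redeems one-time SSO tickets.
public sealed class TicketStore
{
    private readonly ConcurrentDictionary<string, Tuple<string, DateTime>> _tickets =
        new ConcurrentDictionary<string, Tuple<string, DateTime>>();
    private readonly TimeSpan _lifetime;

    public TicketStore(TimeSpan lifetime) { _lifetime = lifetime; }

    // A calls this for the signed-in user just before redirecting the browser to B.
    public string Issue(string user, DateTime nowUtc)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string ticket = BitConverter.ToString(bytes).Replace("-", ""); // URL-safe hex
        _tickets[ticket] = Tuple.Create(user, nowUtc + _lifetime);
        return ticket;
    }

    // Back-channel check that B calls server-to-server. The ticket is removed on
    // first use, so a replayed or expired ticket returns null.
    public string Redeem(string ticket, DateTime nowUtc)
    {
        Tuple<string, DateTime> entry;
        if (ticket != null && _tickets.TryRemove(ticket, out entry) && entry.Item2 > nowUtc)
            return entry.Item1;
        return null;
    }
}

public static class Demo
{
    public static void Main()
    {
        var appA = new TicketStore(TimeSpan.FromSeconds(30));
        DateTime now = DateTime.UtcNow; // constructed clock values for the demo

        // 1. A redirects the browser to https://b.example/sso?ticket=<ticket>
        string ticket = appA.Issue("alice", now);
        // 2. B redeems the ticket with A; on success B sets its own cookie for its
        //    own domain (e.g. FormsAuthentication.SetAuthCookie(user, false)).
        Console.WriteLine(appA.Redeem(ticket, now.AddSeconds(5)) ?? "rejected");
        // 3. The same ticket replayed, and a ticket presented after expiry, both fail.
        Console.WriteLine(appA.Redeem(ticket, now.AddSeconds(6)) ?? "replay rejected");
        Console.WriteLine(appA.Redeem(appA.Issue("bob", now), now.AddSeconds(31)) ?? "expired rejected");
    }
}
```

Because B sets the cookie itself in response to the browser's request to B, the cookie is scoped to B's domain and no cross-domain cookie is needed.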

All replies

  • User-1038772411 posted

    Hello, NewUser2017

    How to share session state across Domains & subdomains and multidomain.

    // Runs after the request handler and rewrites the session cookie so that it
    // is scoped to the root domain. rootDomain is defined elsewhere in the module.
    void context_PostRequestHandlerExecute(object sender, EventArgs e)
    {
        HttpApplication context = (HttpApplication)sender;
        HttpCookie cookie = context.Response.Cookies["ASP.NET_SessionId"];

        if (context.Session != null &&
            !string.IsNullOrEmpty(context.Session.SessionID))
        {
            cookie.Value = context.Session.SessionID;
            // Leave the domain unset on localhost.
            if (rootDomain != "localhost")
            {
                cookie.Domain = rootDomain;
            }
            cookie.Path = "/";
        }
    }

    Please refer to the link below:

    https://support.microsoft.com/en-ae/help/2527105/how-to-share-session-state-across-subdomains

    Thanks.

    Friday, August 16, 2019 6:09 AM
  • User-1959381502 posted

    Thanks for the response. 

    In this case the cookie is created on my domain. But I want to store a custom domain cookie in the browser. So the next time the user is redirected to the custom domain, the user will be automatically logged in.

    Friday, August 16, 2019 6:40 AM
  • User-719153870 posted

    Hi NewUser2017,

    So now the question is: since applications A and B are in two different domains, cookies cannot be shared. Is there any way to allow cross-domain cookies in the IIS server? (Both applications will be hosted in IIS.)

    For security reasons, this kind of option is forbidden; you can refer to the Same-origin Policy.

    And for how cookies work, please refer to: How cookies work.

    For your case, I suggest you use SSO, according to your description.

    Best Regards,

    Yang Shen

    Friday, August 16, 2019 8:50 AM
  • User-1038772411 posted

    Hello, NewUser2017

    Well, if you want to keep a custom cookie after the browser is closed, then we use FormsAuthentication to set it.

    Please refer to the link below on how to store cookies in the browser.

    https://stackoverflow.com/questions/14922822/using-cookies-to-auto-login-a-user-in-asp-net-custom-login

    Thanks.

    Friday, August 16, 2019 9:26 AM