Click here to Skip to main content
12,884,771 members (31,454 online)
Click here to Skip to main content
Add your own
alternative version

Tagged as

Stats

37.5K views
30 bookmarked
Posted 18 Aug 2011

Single Sign On Between Sub Domains: Forms Authentication

, 18 Aug 2011 CPOL
Rate this:
Please Sign up or sign in to vote.
Single Sign On Between Sub Domains: Forms Authentication

Today, I am going to discuss one of the features that I was working on for the last few days and spent sleepless nights at office and home as well. Here, I am going to discuss Single Sign On (SSO) feature as every other developer implements SSO on some or the other day.

So actually, I was having two applications. The requirement was like, user logins from one application and on clicking a link, it is navigated to another application. So when user clicks on the link, it is redirected to application2, it checks whether the user is authenticated or not. If authenticated, it can access application2 else gets redirected to the first application for Authentication. And once authenticated again, directly reaches the second application.

Here, both my applications were Web applications and form Authentication is used to authenticate the user. I had to devise some solution to implement SSO. I didn’t want to use the authentication code written on both applications so I used the first application only for Authentication. I thought of using the same authentication cookie that was created by the first application after authentication. And implemented this.

It worked very well. I was able to read the authentication cookie in another application and wrote the logic accordingly. I deployed both applications on my local machine and Test QA Server and it worked like a charm.

But… as soon as my application went into the actual test environment, it started barfing. Nothing was working. No SSO.. Nothing..

Actually, what happened was that both the applications were deployed on different web servers in different domains. Like my first application has URL like app1.mydomain.com and another one app2.mydomain.com.

As I was not aware earlier, I didn’t keep it in mind. As we know by default, cookie is limited to domain. I was not able to access auth cookie in application2 as it was in a separate domain. After some research on the Internet, I happened to make the changes in auth cookie and updated the domain property as I found solutions on Google. The code was like:

System.Web.HttpCookie MyCookie =
       System.Web.Security.FormsAuthentication.GetAuthCookie(User.Identity.Name.ToString(),
                                                             false);
MyCookie.Domain = ".mydomain.com";//the second level domain name
Response.AppendCookie(MyCookie); 

You can find it easily on the internet. But the actual nightmare started after this only. Users were not able to logout. It kept looping as I checked in Fiddler and finally redirection error. I started searching on the internet and found lots of people have problems but no thread ended with the proper solution. I found at some places the auth cookie doesn’t get deleted if domain is set. Some workarounds were there, like deleting the auth cookie manually when user logs out. But this also didn’t work. And ultimately, I did not find any solution on internet.

So I did some brainstorming. Actually, there is a method provided as...

FormsAuthentication.SignOut()

...which is supposed to logout the user once called but it was not doing it. Actually, as suggested over the internet, I set the domain for Auth cookie. Which was creating some problem? FormAutetication itself provides a way to set the domain for cookie. This is a static property of the FormAuthentication Class. But this is read only. One needs to set it in web.config file and it will also be easy. You can change the domain whenever you want. So one can set it as:

<forms name=".ASPXAUTH" 
loginUrl="Login/" protection="Validation" 
timeout="120" path="/" domain=".mydomain.com"/>

After setting my application again, it started working perfectly fine. So I wanted to share this with all of you. One does not need to update the cookie manually as I did in the first code sample above and later delete it while logging out. It may not work. Just one needs to set the domain at config file, one will be away from this endless problem and surfing the Internet.

Hope this helps!

Thanks for reading!

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Share

About the Author

Brij
Software Developer (Senior)
India India
Brij is a 3-times Microsoft MVP in ASP.NET/IIS Category and a passionate .NET developer. More than 6 years of experience in IT field, currently serving a MNC as a Tech Lead/Architect.

He is a very passionate .NET developer and have expertise over Web technologies like ASP.NET 2.0/3.5/4.0, jQuery, JSON, Javascript, IIS and related technologies. He is also a Exchange Server (EWS) Specialist. He has great experience in design patterns and N-Tier Architecture.

He is also certified as Microsoft Certified Technologies Specialist-ASP.NET and Microsoft Certified Technologies Specialist-WCF in .NET 4.0. He has also received several awards at various forums and his various articles got listed as "Article of the day" at ASP.NET Microsoft Official Website www.asp.net.

He has done MCA from NIT Durgapur and completed his graduation from Lucknow University.

Learning new technologies and sharing knowledge excites him most. Blogging, solving problems at various forums, helping people, keeps him busy entire day.


Visit his Blog: Code Wala

Area of Expertise :
C#, ASP.NET 2.0,3.5,4.0, AJAX, JQuery, JSON, XML, XSLT, ADO.Net, WCF, Active Directory, Exchange Server 2007 (EWS), Java script, Web Services ,Win services, DotnetNuke, WSS 3.0,Sharepoint Designer, SQL Server 2000/2005/2008

You may also be interested in...

Pro

Comments and Discussions

 
QuestionWhere to paste this code Pin
Member 1186643927-Jul-15 5:04
memberMember 1186643927-Jul-15 5:04 
Questionsubdomains single sign on in asp.net Pin
wissamtannous2-Oct-13 22:16
memberwissamtannous2-Oct-13 22:16 
QuestionI think if you set it manually (and not at web.config)... Pin
Ankur\m/23-Apr-12 3:04
memberAnkur\m/23-Apr-12 3:04 
QuestionUseful article. Pin
BinhNhi0910-Feb-12 6:03
memberBinhNhi0910-Feb-12 6:03 
Thanks.
AnswerRe: Useful article. Pin
Brij11-Feb-12 22:34
mentorBrij11-Feb-12 22:34 
GeneralMy vote of 5 Pin
B Madan28-Dec-11 20:53
memberB Madan28-Dec-11 20:53 
GeneralRe: My vote of 5 Pin
Brij23-Apr-12 5:46
mentorBrij23-Apr-12 5:46 
GeneralMy vote of 1 Pin
Seanlm767-Oct-11 9:31
memberSeanlm767-Oct-11 9:31 
GeneralRe: My vote of 1 Pin
Brij17-Oct-11 6:08
mvpBrij17-Oct-11 6:08 
GeneralMy vote of 5 Pin
_ Kunal Chowdhury _30-Aug-11 7:48
mvp_ Kunal Chowdhury _30-Aug-11 7:48 
GeneralRe: My vote of 5 Pin
Brij1-Sep-11 21:24
mvpBrij1-Sep-11 21:24 
GeneralMy vote of 5 Pin
JamesWittHurst22-Aug-11 12:22
memberJamesWittHurst22-Aug-11 12:22 
GeneralRe: My vote of 5 Pin
Brij23-Aug-11 3:34
mvpBrij23-Aug-11 3:34 
Questionquestion regarding for FormAuthentication settings in web.config Pin
Tridip Bhattacharjee18-Aug-11 20:07
memberTridip Bhattacharjee18-Aug-11 20:07 
AnswerRe: question regarding for FormAuthentication settings in web.config Pin
Brij19-Aug-11 23:39
mvpBrij19-Aug-11 23:39 
GeneralRe: question regarding for FormAuthentication settings in web.config Pin
Tridip Bhattacharjee14-Sep-11 21:00
memberTridip Bhattacharjee14-Sep-11 21:00 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

Permalink | Advertise | Privacy | Terms of Use | Mobile
Web02 | 2.8.170424.1 | Last Updated 18 Aug 2011
Article Copyright 2011 by Brij
Everything else Copyright © CodeProject, 1999-2017
Layout: fixed | fluid