Cross Domain Cookies With FormsAuthentication

I know the security risk associated and have brought it up with the business, but they want to have their 5 domains to share the login cookie.

We are using and have no plan to stop using ASP.Net Membership and Profiles. Is this possible? A hack would even be greatly appreciated.

Answers:


Method 1

It is not possible with out of the box ASP.NET.

Forms based authentication is based on a cookie and cookies can only be set to a specific domain.

If you want true cross domain (not sub domains) shared authentication, you need a Single Sign On solution.

I’ve rolled my own and it’s relatively simple. The basic principle is that you have a master domain which holds your authentication cookie (ticket). You then redirect to that domain from all other domains. It’s not really pretty, but even Microsoft Passport worked that way.

You can find a lot of examples on the net, take a look at these two links:

Authentication cookies

Cross domain authentication
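
The hand-off that Method 1 describes, from the master domain to one of the other domains, sketched as an added example (not the answerer's code and not an ASP.NET API). The class name `SsoHandoff`, the host names, the shared HMAC key and the 60-second lifetime are all assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper; the class name, host list and 60 s lifetime are assumptions.
public static class SsoHandoff
{
    // Placeholder satellite hosts that may receive a token.
    static readonly string[] AllowedHosts = { "shop.example", "sales.example" };

    static byte[] Mac(string payload, byte[] key)
    {
        using (var h = new HMACSHA256(key))
            return h.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }

    // Master domain: call only after the user has authenticated there.
    // URL-encode the result before putting it in the redirect query string.
    public static string Issue(string user, string targetHost, byte[] key, DateTime utcNow)
    {
        if (!AllowedHosts.Contains(targetHost, StringComparer.OrdinalIgnoreCase))
            throw new ArgumentException("target host is not an allowed satellite");
        string payload = Convert.ToBase64String(Encoding.UTF8.GetBytes(user)) + "|"
            + targetHost.ToLowerInvariant() + "|" + utcNow.AddSeconds(60).Ticks;
        return payload + "|" + Convert.ToBase64String(Mac(payload, key));
    }

    // Satellite domain: returns the user name, or null when the token is rejected.
    public static string Validate(string token, string thisHost, byte[] key, DateTime utcNow)
    {
        string[] p = (token ?? "").Split('|');
        if (p.Length != 4) return null;
        byte[] actual;
        try { actual = Convert.FromBase64String(p[3]); }
        catch (FormatException) { return null; }
        byte[] expected = Mac(p[0] + "|" + p[1] + "|" + p[2], key);
        int diff = expected.Length ^ actual.Length;   // compare without early exit
        for (int i = 0; i < expected.Length && i < actual.Length; i++)
            diff |= expected[i] ^ actual[i];
        if (diff != 0) return null;                   // forged or altered
        long expiry;
        if (!long.TryParse(p[2], out expiry) || utcNow.Ticks > expiry) return null;
        if (!string.Equals(p[1], thisHost, StringComparison.OrdinalIgnoreCase)) return null;
        return Encoding.UTF8.GetString(Convert.FromBase64String(p[0]));
    }
}
```

When `Validate` returns a user name, the satellite site calls `FormsAuthentication.SetAuthCookie` to issue its own cookie for its own domain. A token stays replayable until it expires unless the satellite also records each token it has already accepted.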

Method 2

You may set up all these domains as sub-domains for your company:

www.company.com
shop.company.com
sales.company.com
research.company.com
..

Then you will be able to set the cookie on the parent domain and it will be visible to all sub-domains.

// encTicket: the encrypted FormsAuthenticationTicket string
var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket);
cookie.Domain = ".company.com"; // sent to every sub-domain of company.com
Response.Cookies.Add(cookie);

Regards,
Max Chernyshov
http://prontocoder.com

Method 3

Not only with ASP.Net is this not possible, but not at all. Cookies are always domain-specific – no commercial browser will work any other way. This is by design and very much necessary to prevent widespread abuse of cookies.
Muerte pointed you in the right direction (single sign-on).


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
