Forms Authentication across Sub-Domains

Is it possible to authenticate users across sub-domains when the authentication takes place at a sub-domain instead of the parent domain?

For example:

User logs into, and then we need to send them to

Can I authenticate them to the reporting site even though the log-in occured at a sub-domain?

So far all of the research I have done has users logging into the parent domain first and then each sub-domain has access to the authentication cookie.


Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

When you authenticate the user, set the authentication cookie’s domain to the second-level domain, i.e. Each sub-domain will receive the parent domain’s cookies on request, so authentication over each is possible since you will have a shared authentication cookie to work with.

Authentication code:

System.Web.HttpCookie authcookie = System.Web.Security.FormsAuthentication.GetAuthCookie(UserName, False);
authcookie.Domain = "";

Method 2

You can set the cookie to be the parent domain at authentication time but you have to explicitly set it, it will default to the full domain that you are on.

Once the auth cookie is correctly set to the parent domain, then all sub-domains should be able to read it.

Method 3

As a side note, I found that after using jro’s method which worked well +1, the FormsAuthenication.SignOut() method didn’t work when called from a subdomain other than www/. (I’m guessing because the .Domain property doesn’t match) – To get around this I used:

if (Request.Cookies[FormsAuthentication.FormsCookieName] != null)
                HttpCookie myCookie = new HttpCookie(FormsAuthentication.FormsCookieName);
                myCookie.Domain = "";
                myCookie.Expires = DateTime.Now.AddDays(-1d);

Method 4

In addition to setting a cookie to parent domain also need to make sure that all sites (apps) have same validationKey and decryptionKey () so they all recognise each other’s authentication ticket and cookie. Pretty good article here

Method 5

Jro’s answer works fine. But make sure to update the webconfig forms authentication setting "domain"
, otherwise forms authentication signout will not work properly. Here is the signout issue I came across. Trick here is to have a ‘.’ as the prefix as the domain is set for the cookie as “” (use a cookie inspector).

<authentication mode="Forms">          
      <forms cookieless="UseCookies" defaultUrl="~/Default" loginUrl="~/user/signin" domain=""  name="FormAuthentication" path="/"/>

Method 6

Yes, sure. You may need to roll your own at some stages, but it should be doable.

One idea: as you redirect them across the boundary, give them a one-time pass token and then tell the receiving sub-domain to expect them (this user, from this IP, with this token).

Method 7

2 things to be done:

  1. MachineKey should be same in all web.config (main domain and sub domain(s))
  2. AuthenticationCookie domain name should be same.

Follow the following article for more depth.

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Notify of

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x