Forms Authentication Cookie Expiration Problem for SSO

Discussion in 'ASP .Net Security' started by Graham Wert, Aug 5, 2009.

  1. Graham Wert

    Graham Wert Guest

    Let me describe my setup a little before I get into the problem. I
    have two web servers (www.mydomain.com and www2.mydomain.com) using
    Forms Authentication. On each web server I have a main application
    for authentication and numerous sub-apps. It looks kind of like this:

    www.mydomain.com
    |__MainApp (.Net 2.0)
    |__SubApp1 (.Net 1.1)
    |__SubApp2 (.Net 2.0)
    |__SubApp3 (.Net 2.0)

    www2.mydomain.com
    |__MainApp (.Net 2.0)
    |__SubApp1 (.Net 1.1)
    |__SubApp2 (.Net 2.0)
    |__SubApp3 (.Net 2.0)

    As you can see, I'm running a mix of .Net 1.1 and 2.0 applications on
    the same server. Now I've been trying to come up with a Single Sign-
    On (SSO) solution that works with this setup and I've partially
    succeeded. Because the domain attribute in the <forms /> tag is
    incompatible with .Net 1.1 (it causes the apps to throw an exception),
    I decided to programmatically set the domain of the forms
    authentication cookie generated. This works fine and I can navigate
    between the two servers without having to login again. The problem
    occurs when the server tries to reissue/renew the cookie and update
    its expiration with slidingExpiration enabled. The cookie I generate
    gets created with "mydomain.com" as the domain, but when the server
    tries to reissue it with a new expiration, it can't find it and
    generates a brand new cookie with "www.mydomain.com" as the domain.

    Is there anyway to have the server properly reissue the original
    cookie with the custom domain?
    Graham Wert, Aug 5, 2009
    #1
    1. Advertising

  2. Graham Wert

    Graham Wert Guest

    My solution was to add the Forms Authentication domain attribute to
    the global Web.config for the .Net 2.0 framework (C:\WINDOWS
    \Microsoft.NET\Framework\v2.0.50727\CONFIG\Web.config). It doesn't
    fix the issue for my .Net 1.1 apps, but the majority of my apps are on
    2.0. I'll probably just use an HTTPModule to handle the sliding
    expiration for the .Net 1.1 apps.
    Graham Wert, Aug 8, 2009
    #2
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Do
    Replies:
    1
    Views:
    628
    George Durzi
    Nov 15, 2003
  2. Rippo
    Replies:
    18
    Views:
    1,095
  3. tparks69

    forms authentication ticket expiration problem

    tparks69, Feb 17, 2005, in forum: ASP .Net Security
    Replies:
    2
    Views:
    211
    tparks69
    Feb 17, 2005
  4. Prasad Dannani

    Forms Authentication Expiration Problem

    Prasad Dannani, Jul 7, 2005, in forum: ASP .Net Security
    Replies:
    1
    Views:
    168
  5. Eric
    Replies:
    2
    Views:
    459
Loading...

Share This Page