Problems with form authentication

Discussion in 'ASP .Net Security' started by Martin, Sep 23, 2003.

  1. Martin

    Martin Guest

    I'm experiencing some problems with role-based forms authentication across
    domains.
    I wanted to create a unique login page for multiple web servers running
    different applications.
    My first server is www.mydomain.com
    The second one is www1.mydomain.com
    The third one is www2.mydomain.com
    I made a login.aspx page on www.mydomain.com and set all web.config files so that
    the user is redirected to this unique page. All the machineKey values have been set
    to the same value on each server.
    The authentication cookie domain is ".mydomain.com" and everything is
    working fine. When I log in on the first server, I can navigate through each
    server.
    My problem is that when I want to log off, I need to delete the
    authentication cookie. The cookie is not persistent and is set to expire
    after 20 minutes, but I want to enforce the deletion. I tried to use the
    FormsAuthentication.SignOut() method but it would not delete a cookie
    generated across the full domain (this method works fine if I set my cookie
    domain to www.mydomain.com but then I can't share it across my
    applications). I tried to remove the cookie from the request or from the
    response using the Request.Cookies or Response.Cookies collections but nothing
    happens.

    The only solution I found was to create a new authentication cookie whose
    domain is ".mydomain.com" and in which I store a non-existent user with an
    incorrect role, and to send it to the client. The previous cookie seems to be
    overwritten and, as the information stored in my authentication cookie is
    irrelevant, the user is sent back to the login page. I was wondering if
    there was any more satisfying solution.

    Thanks for any help.

    Martin.
    Martin, Sep 23, 2003
    #1

  2. Try to change your authentication cookie domain
    from ".mydomain.com" to "mydomain.com" or only "mydomain"

    /Fredrik Normén NSQUARED2


    Fredrik Normén NSQUARED, Sep 24, 2003
    #2

  3. Martin

    Martin Guest

    It doesn't change anything. Any other idea?



    "Fredrik Normén NSQUARED" <> wrote in message
    news:15a501c38277$59335000$...
    Try to change your authentication cookie domain
    from ".mydomain.com" to "mydomain.com" or only "mydomain"

    /Fredrik Normén NSQUARED2


    Martin, Sep 25, 2003
    #3
  4. Martin

    ARF F Guest

    I have exactly the same problem.

    I created a “single sign on” for multiple asp.net web applications
    running under subdomains by writing the authentication cookie using the
    parent domain name. However I can no longer log off within the
    subdomains using FormsAuthentication.SignOut call.

    I am guessing the signout might be defaulting to the subdomain in the
    current url and cannot find the authentication ticket that used the
    parent domain. Is there a method to set the parent domain name into the
    FormsAuthentication.SignOut process?

    Were you able to resolve this problem?


    ARF F, Dec 10, 2003
    #4
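
As an added example (not code from any poster in this thread): a browser only discards a cookie when it receives a Set-Cookie with the same name, domain and path and an expiry in the past, so a sign-out for the shared cookie has to repeat the ".mydomain.com" domain from the first post. The class and method names are hypothetical, and the domain constant is assumed to match what login.aspx used when it issued the ticket.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper, callable from a logoff page on any of the servers.
public sealed class SharedDomainSignOut
{
    // Assumption: identical to the Domain set on the cookie at login.
    private const string CookieDomain = ".mydomain.com";

    private SharedDomainSignOut() { }

    public static void SignOut(HttpContext context)
    {
        // Expires a host-only cookie (e.g. one scoped to www1.mydomain.com),
        // in case an older login left one behind.
        FormsAuthentication.SignOut();

        // Expire the shared cookie: same name, same path, same domain.
        // If any of the three differs, the browser treats this as a
        // different cookie and keeps the original.
        HttpCookie expired = new HttpCookie(FormsAuthentication.FormsCookieName, "");
        expired.Domain = CookieDomain;
        expired.Path = FormsAuthentication.FormsCookiePath;
        expired.Expires = DateTime.Now.AddYears(-1);
        expired.Secure = FormsAuthentication.RequireSSL;
        context.Response.Cookies.Add(expired);

        // Drop server-side session state tied to this login, if any.
        if (context.Session != null)
        {
            context.Session.Abandon();
        }
    }
}
```

This removes the cookie from the browser only; the ticket is not revoked on the servers, so a copy of it is still accepted until its own expiry (20 minutes in the setup described in the first post).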