Martin
I'm experiencing some problems with role-based forms authentication across
domains.
I wanted to create a unique login page for multiple web servers running
different applications.
My first server is www.mydomain.com
The second one is www1.mydomain.com
The third one is www2.mydomain.com
I made a login.aspx page on www.mydomain.com and set all web.config so that
the user is redirected to this unique page. All the machineKey have been set
to the same value on each server.
The authentication cookie domain is ".mydomain.com" and everything is
working fine. When I log in on the first server, I can navigate through each
server.
My problem is that when I want to log off, I need to delete the
authentication cookie. The cookie is not persistent and is set to expire
after 20 minutes but I want to enforce the deletion. I tried to use the
FormsAuthentication.SignOut() method but it would not delete a cookie
generated across the full domain (this method works fine if I set my cookie
domain to www.mydomain.com but then I can't share it across my
applications). I tried to remove the cookie from the request or from the
response using the Request.Cookies or Response.Cookies collections but nothing
happens.
The only solution I found was to create a new authentication cookie whose
domain is ".mydomain.com" and in which I store a non-existent user with an
incorrect role and to send it to the client. The previous cookie seems to be
overwritten and as the information stored in my authentication cookie is
irrelevant, the user is sent back to the login page. I was wondering if
there was any more satisfying solution.
Thanks for any help.
Martin.
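
A browser identifies a cookie by its name, domain and path together, so a cookie issued for ".mydomain.com" is only replaced by a Set-Cookie header that carries that same domain. The following is an added example, not part of the original post: a logout helper that sends an already-expired cookie with the matching scope. The class name SharedLogout and the CookieDomain constant are assumptions, and the path is assumed to be the one configured for forms authentication at login.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not from the original post).
public sealed class SharedLogout
{
    // Assumption: exactly the Domain value given to the cookie at login.
    private const string CookieDomain = ".mydomain.com";

    private SharedLogout() { }

    // Builds a cookie with the same name, domain and path as the shared
    // authentication cookie, an empty value and an expiry date in the past.
    public static HttpCookie BuildExpiredAuthCookie()
    {
        HttpCookie expired =
            new HttpCookie(FormsAuthentication.FormsCookieName, String.Empty);
        expired.Domain = CookieDomain;
        expired.Path = FormsAuthentication.FormsCookiePath;
        // A fixed past date avoids problems with client clock skew.
        expired.Expires = new DateTime(1999, 10, 12);
        return expired;
    }

    // Call from the logout handler on any of the servers; the domain
    // scope makes the deletion apply to all of them.
    public static void SignOut(HttpContext context)
    {
        // Adding to Response.Cookies emits the Set-Cookie header.
        // Removing entries from Request.Cookies or Response.Cookies
        // only edits server-side collections and sends nothing.
        context.Response.Cookies.Add(BuildExpiredAuthCookie());
    }
}
```

Expiring the cookie only removes it from the browser. The encrypted ticket is not revoked on the servers, so a copy captured earlier is still accepted until its 20-minute expiration passes.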