发表新帖
发表新帖

Asp.net forms authentication and multiple domains

后端 未结
关注
3 1343
逝去的感伤
逝去的感伤 2020-11-27 02:41

I have two domains, domain1.com and domain2.com pointing at the same asp.net website which uses asp.net build in form authentication. The problem is that even if the domains

相关标签:
3条回答
  • 南旧
    2020-11-27 03:28

    What you're after is a Single Sign-on solution.

    As ASP.NET authentication is at it's heart generally cookie based, there are two things to look at:

    1. Set your cookies correctly.
    2. Bounce your users to the alternative domain during signup.

    Looking at both of these in more depth:

    1. Setting cookies correctly

    You need to ensure that ASP.NET is writing the authentication ticket cookies to the root domain, rather than the explicit domain this is done using the domain attribute of the forms element:

    <forms 
   name="name" 
   loginUrl="URL" 
   defaultUrl="URL"
   domain=".example.com">
</forms>

    You should set your domain to ".example.com" - note the leading period - this is the key. This way requests to example.com and www.example.com will both read the cookie correctly, and authenticate the user.

    2. Bounce users to the alternative domain

    What we have implemented on a few sites that use a single sign on is a round trip login process. The user authenticates on the first domain, we encrypt the login details, and redirect them to a known page on the second domain, log them in there, and then redirect back to the original server.

    This client side redirection is important - cookies are only written when there is a response back to the client, and the browser has to visit the second domain to actually see the cookies.

    Other details to consider in this sort of set-up:

    1. You probably want to have a timeout on the encrypted sign-in details - so that recalling that URL from the browser history doesn't automatically log the user in.
    2. If the domains are on different servers, you will need to ensure that either the machine keys are configured the same, so that you can encrypt and decrypt the details correctly, or use some other shared key.
    3. You will probably want to have a mechanism in place to recall the users ReturnUrl from the original server so that you can send them back to the correct place.

    You could also take a look at "Forms Authentication Across Applications"

    0 讨论(0)
  • 难免孤独
    2020-11-27 03:38

    You could try setting cookieless="true".

    0 讨论(0)
  • 伪装坚强ぢ
    2020-11-27 03:42

    You should read Explained: Forms Authentication on MSDN. They cover Cross-Domain Authentication.

    0 讨论(0)
 看不清?
提交回复
热议问题