Proper creation of a cross-domain forms authentication cookie

Backend · unresolved · 1 · 1835
情话喂你 2020-12-09 21:51

I'm just creating a simple test between two servers. Basically, if a user has already authenticated I want to be able to pass them between applications. I changed the keys

1 answer
  • 2020-12-09 22:46

    What is the proper way to validate the cookie across domain application. For example, when the user lands at successpage.aspx what should I be checking for ?

    There shouldn't be anything to check. The Forms authentication mechanism will retrieve the ticket from the cookie and check whether it is valid. If it is not present, or invalid, the user will be redirected to ~/Default.aspx. This will work provided your cookie matches the configuration of your web.config.

    Is the below code valid for creating a cross domain authentication cookie ?

    I think you shouldn't try to override the settings of your web.config by manually handling the cookie. I think there are better ways of handling cookie persistence (see below for web.config), and you are just re-implementing a part of the Forms authentication API (losing the web.config settings for SSL, for example).

    1. Here, your manual cookie is not HttpOnly: you could, for example, be subject to cookie theft through XSS.
    2. FormsAuthentication has its own way of handling the cookie (see the TimeOut attribute description in http://msdn.microsoft.com/en-us/library/1d3t3c61%28v=vs.80%29.aspx). Your cookie persistence mechanism will be overwritten by this automatic behavior.

    Your code should just be:

    if (authenticated)
    {
      // Decide persistence here; FormsAuthentication applies the web.config timeout/slidingExpiration settings.
      bool isPersistent = whateverIwant;
      FormsAuthentication.SetAuthCookie(userName, isPersistent);
      Response.Redirect("successpage.aspx");
    }

    Do I have my web.config setup properly?

    It should be OK for the domain attribute, as long as you want to share authentication among direct subdomains of mydomain.com (it won't work for x.y.mydomain.com), and mydomain.com is not in the public suffix list (http://publicsuffix.org/list/).

    I would change the timeout and slidingExpiration attributes to:

     <forms loginUrl="~/Default.aspx" timeout="525600" slidingExpiration="false" name=".AUTHCOOKIE" domain="myDomain.com" cookieless="UseCookies" enableCrossAppRedirects="true"/>

    I guess it is a good way to handle the choice between one-year persistent cookies and session cookies. See https://stackoverflow.com/a/3748723/1236044 for more info.

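The answer above raises three properties of a shared auth cookie that are easy to get wrong when the cookie is built by hand: the HttpOnly flag, the Secure flag, and a Domain attribute that actually covers every application host and is not a public suffix. As an added example (not code from the answer, the question, or ASP.NET itself), the following Python audits a Set-Cookie header against those points. The two header strings and the tiny PUBLIC_SUFFIXES set are constructed stand-ins; a real check would load the published public suffix list.

```python
"""Audit a Set-Cookie header for an auth cookie shared across subdomains."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for the public suffix list (https://publicsuffix.org/list/).
# Only a handful of entries are needed to demonstrate the check.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "github.io"}

# Constructed sample headers: one built by hand without flags, one hardened.
MANUAL_COOKIE = ".AUTHCOOKIE=ticketdata; Domain=mydomain.com; Path=/; Expires=Thu, 01 Jan 2026 00:00:00 GMT"
HARDENED_COOKIE = ".AUTHCOOKIE=ticketdata; Domain=mydomain.com; Path=/; Secure; HttpOnly"


@dataclass
class Cookie:
    name: str
    value: str
    domain: Optional[str] = None
    path: Optional[str] = None
    secure: bool = False
    httponly: bool = False
    samesite: Optional[str] = None
    expires: Optional[str] = None
    max_age: Optional[str] = None


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into its name/value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            cookie.domain = val.lstrip(".").lower()  # browsers ignore a leading dot
        elif key == "path":
            cookie.path = val
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        elif key == "samesite":
            cookie.samesite = val
        elif key == "expires":
            cookie.expires = val
        elif key == "max-age":
            cookie.max_age = val
    return cookie


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 domain-matching: identical host, or host is a subdomain of domain."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    try:
        ipaddress.ip_address(host)
        return False  # an IP address never domain-matches a suffix
    except ValueError:
        pass
    return host.endswith("." + domain)


def audit_auth_cookie(header: str, app_hosts: List[str]) -> List[str]:
    """Return findings for an auth cookie that app_hosts are all expected to receive."""
    cookie = parse_set_cookie(header)
    findings = []
    if not cookie.httponly:
        findings.append("missing HttpOnly: script running on the page can read the ticket")
    if not cookie.secure:
        findings.append("missing Secure: the ticket is also sent over plain HTTP")
    if cookie.domain is None:
        findings.append("no Domain attribute: cookie is host-only and will not be shared")
    else:
        if cookie.domain in PUBLIC_SUFFIXES:
            findings.append(f"Domain={cookie.domain} is a public suffix: browsers reject it")
        for host in app_hosts:
            if not domain_matches(host, cookie.domain):
                findings.append(f"{host} does not domain-match {cookie.domain}: cookie is not sent there")
    return findings


if __name__ == "__main__":
    hosts = ["app1.mydomain.com", "app2.mydomain.com"]
    for label, header in (("manual", MANUAL_COOKIE), ("hardened", HARDENED_COOKIE)):
        print(label, audit_auth_cookie(header, hosts) or ["ok"])
```

Run against the constructed headers, the hand-built cookie reports the missing HttpOnly and Secure flags while the hardened one passes; pointing the audit at a host outside mydomain.com, or at a Domain of a bare public suffix, produces the corresponding finding.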