ASP.NET Identity Cookie across subdomains

c# authentication forms-authentication asp.net-identity

Solution 1:

In Startup.Auth.cs, you will see something like:

for RC:

app.UseSignInCookies();

This was removed in RTM and replaced with the explicit configuration of the cookie auth:

    app.UseCookieAuthentication(new CookieAuthenticationOptions {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login")
    });

The CookieAuthenticationOptions class has a CookieDomain property which is what you are looking for I believe.

Solution 2:

This was driving me crazy until I learned that Identity 2.0 still depends on the machine key to encrypt the Authentication cookie. So if you want two instances of the same application on different sub-domains then you need to set the same machine key for each application.

So in summary:

  1. CookieDomain = ".myapp.com"

  2. Set identical machine keys in each application's web config

    <system.web>
  <machineKey decryptionKey="EEEB09D446CCFE71B82631D37DEDCC917B8CB01EC315" validationKey="60E4EFE8DD26C4BF8CDAEDCA10716C85820839A207C56C8140DB7E32BE04630AD631EDF25C748D0F539918283C5858AF456DBE208320CFFA69244B4E589" />
</system.web>

This answer led me to setting the values: Does ASP.NET Identity 2 use machinekey to hash the password?

Solution 3:

You need to set up in web.config the same machineKey for ALL websites/applications.

All websites MUST HAVE at least this configuration.

http://msdn.microsoft.com/en-us/library/w8h3skw9(v=vs.85).aspx

<system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" timeout="2880" name=".ASPXAUTH" protection="Validation" path="/" domain=".myserver.dev" />
    </authentication>
    <machineKey validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE" decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F" validation="SHA1" decryption="Auto"/>
  </system.web>

This is an example

Solution 4:

In the Startup.Auth.cs file, add the CookieDomain parameter with your domain:

var cookieAuthenticationOptions = new CookieAuthenticationOptions
{
    AuthenticationType  = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath           = new PathString("/Account/Login"),
    CookieDomain        = ".mydomain.com"
};

Then for all websites you need to set a unique machine key. The easiest way to generate a new one is using IIS:

Find the "Machine Key" option on your site:

enter image description here

Click the "Generate Keys" button to get your keys.

enter image description here

Finally, the above process will add the following to your web.config and you need to ensure that this is copied into each of your sites. 

<machineKey
  validationKey="DAD9E2B0F9..."
  decryptionKey="ADD1C39C02..."
  validation="SHA1"
  decryption="AES"
/>

Related

How to evaluate hosted full text search solutions?
How to specify the view location in asp.net core mvc when using custom locations?
Setting up enviromental variables in Windows 10 to use java and javac
What's the status of the HTML 5 <video> tag and webcam integration?
Binding vs Arrow-function (in JavaScript, or for react onClick)
Remove whitespace in Python using string.whitespace
how to exit a child process - _exit() vs. exit
How to convert UTC timestamp to device local time in android
How can I simulate a mouse click at a certain position on the screen?
Unable to track files within Git submodules
How to write regular expressions in Objective C (NSRegularExpression)?
Euler project #18 approach