• Status: Solved
• Priority: Medium
• Security: Public
• Views: 7951
• Last Modified:

Cross Domain Cookies

I have 3 ASP.NET web sites running on 3 different domains (a.com, b.com, c.com - not just different subdomains) that need to have a single-sign on set up.  In other words, I need to have the user log in (which sets a "logged in" value in Session) to one domain and then either be logged in to the other domains by having the session get updated on the other 2 web sites, or have a browser cookie set that allows the user to bypass the login when they get to one of the other sites.

We have tried redirecting the user to each site upon login to get them logged in to each site, but I have encountered a problem.  One of the sites has an https: login page and the others do not, and that site is the only one that even has an SSL certificate.  So, when the user is redirected to the other sites it works fine, but when they are then redirected back to the https: login page, the login freezes and times out.  So, since we have a problem automatically redirecting from HTTP to HTTPS, I thought we should try the cookie method.

Right now, I have set up a database table that stores a GUID and the user's ID.  I create a cookie on login for each of the sites, set the cookie's domain to the domain of the site that will be grabbing it, and give it the GUID as the value.  So, then when the user goes to another site, I want to get the GUID from the cookie, look up their user ID in the database, and automatically log them in.  This is great in theory, but the other sites don't seem to recognize the cookies that were created in the other domain, even though I explicitly specified the new domain upon creation of the cookie.  (In other words, I create the cookie on a.com with a domain value set to b.com, and then when the browser gets to b.com it can't see the cookie.)

I have read that cookies can be used across different domains as long as you set the domain - is this true, or is that only true for subdomains?  If it is only true for subdomains, all the solutions I find for SSO on the net seem to involve redirection, which doesn't work for us, so I don't know how to get this SSO working.  

Any help would be appreciated.  Thanks.
0
Asked: PvtJoker670
2 Solutions
 
COBOLdinosaur Commented:
You cannot access the cookies cross domain for exactly the same reason you cannot do the http to https re-direct.  It's a security violation.  If it was possible to do what you want to do it would be a security hole the size of the Grand Canyon.

The only domain that can read a cookie is the domain that sets it.  It does not matter what domain name you set.  

If you need to have information passed between servers then set up a trusted relationship server-to-server and transfer on the backend.  Anything you try and do across the frontend is going to run into security issues.

Cd&
0
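To make the "only the domain that sets it can read it" rule concrete, here is an added example (not code from the thread) modelling the RFC 6265 checks a browser applies to a Set-Cookie header. It shows that a response from a.com carrying Domain=b.com is discarded outright, while Domain=a.com, or .a.com sent from a subdomain, is accepted. The host names are constructed for illustration; the public-suffix check (rejecting Domain=com, for example) is deliberately left out.

```python
# Added example: a simplified model of how a browser decides whether to
# store a cookie with a Domain attribute (RFC 6265 sections 5.1.3, 5.3, 5.4).
# Not part of the original thread; host names are constructed.
from typing import Optional


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3 domain-match: the request host must equal the cookie
    domain or be a subdomain of it. (IP-literal and public-suffix rules
    are omitted here for brevity.)"""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if not cookie_domain:
        return False
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def accept_set_cookie(request_host: str, domain_attr: Optional[str]) -> Optional[str]:
    """Return the domain the browser would store the cookie under, or None
    when the whole Set-Cookie is rejected. Mirrors RFC 6265 5.3: a Domain
    attribute the request host does not domain-match causes the cookie to be
    ignored entirely; no Domain attribute yields a host-only cookie."""
    if not domain_attr:
        return request_host.lower()          # host-only cookie
    if not domain_matches(request_host, domain_attr):
        return None                          # rejected: foreign domain
    return domain_attr.lower().lstrip(".")


def cookie_sent_to(stored_domain: str, host_only: bool, target_host: str) -> bool:
    """RFC 6265 5.4: host-only cookies are sent only to the exact host;
    domain cookies are sent to that domain and its subdomains, never to an
    unrelated registrable domain."""
    if host_only:
        return target_host.lower() == stored_domain
    return domain_matches(target_host, stored_domain)


if __name__ == "__main__":
    # The questioner's case: a.com tries to set a cookie for b.com.
    print(accept_set_cookie("a.com", "b.com"))          # None (dropped)
    print(accept_set_cookie("www.a.com", ".a.com"))     # a.com (kept)
    print(cookie_sent_to("a.com", False, "b.com"))      # False
```

The rejection in `accept_set_cookie` happens in the browser before any cookie is stored, which is why b.com never sees anything regardless of what a.com writes into the Domain attribute; no server-side change on a.com can alter that.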
 
PvtJoker670 (Author) Commented:
Actually all 3 of these sites are on the same server.  So, how should I get the information between them on the back-end as you suggest?  Thanks!  
0
 
COBOLdinosaur Commented:
I don't know Microsoft environments well enough to tell you how to set up the security.  But once you have it worked out they can use http requests server to server, or perhaps just share a common resource if they are on the same box.

Cd&
0
kevp75 Commented:
Cookies are domain specific, they do not work across multiple domains.  Same thing with session variables.
To be honest with you, I would set up NTFS permissions to call for the login.  I believe that if the sites are on the same server, and you have to click through the 3 of them, once NTFS permissions are set it will only ask for the login once.
0
 
Dave_Dietz Commented:
Cookies are domain specific, session variables are session specific and can be lost on the same domain if you break your session, and the sites being on the same server will in no way help you to get around this issue....

About the only way to handle this is to use a POST when redirecting the user and include either a query string or form values to send the data to the next server.

If you go cross domain you cannot use cookies - if you go cross-session you can't use Session variables.

POST should work without much problem in either case.

Dave Dietz
0
 
zuckera Commented:
You can always set the document location using javascript (or use HTML redirect command if http redirect doesn't work) with the GUID as a parameter to the login page.

Another solution would be to include elements which point to all three domains on your login page (three images, or whatever) and through the src of these images send the GUID (as a parameter).  The response would be a cookie with the GUID. That would ensure that all three domains have the same GUID, and it would ensure that all three have the cookie.
I don't like this solution since you can't really be sure that all three cookies had been set and the visitor is actually logged in to all three domains.  But, given enough time, that should be the case.

HTH,

-zuck
0
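The questioner's GUID table, Dave_Dietz's "send it with the redirect" advice and zuckera's "GUID as a parameter" idea all converge on the same shape: a server-side handoff token carried by the browser once, redeemed by the receiving site, which then sets its own cookie on its own domain. The following is an added example of that pattern (not code from the thread and not ASP.NET; the logic is language-neutral). It assumes a shared table reachable by all three sites, uses an in-memory dict as a constructed stand-in for it, and adds the checks a defender would want: a short expiry, single use, and binding of each token to the one site allowed to redeem it. The `/sso/redeem` path and the 60-second TTL are assumptions.

```python
# Added example: single-use, short-lived, site-bound handoff token for SSO
# across unrelated domains. Not from the original thread; the table below
# is a constructed stand-in for the shared database.
import hmac
import secrets
import time
from typing import Dict, Optional
from urllib.parse import urlencode

TOKEN_TTL_SECONDS = 60            # assumption: one minute is ample for a redirect
HANDOFF_TABLE: Dict[str, dict] = {}   # token -> row (stand-in for the DB table)


def _now(now: Optional[float]) -> float:
    return time.time() if now is None else now


def issue_handoff(user_id: int, target_site: str, now: Optional[float] = None) -> str:
    """Called by the site the user just logged in to. Returns an opaque,
    unguessable token that `target_site` may redeem exactly once before expiry."""
    token = secrets.token_urlsafe(32)          # random, like a GUID but 256 bits
    HANDOFF_TABLE[token] = {
        "user_id": user_id,
        "target_site": target_site,
        "expires": _now(now) + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def build_handoff_url(target_site: str, token: str) -> str:
    """URL the browser is sent to (or the form action for a POST, which keeps the
    token out of the address bar and Referer, as the thread recommends)."""
    return f"https://{target_site}/sso/redeem?" + urlencode({"token": token})


def redeem_handoff(token: str, redeeming_site: str, now: Optional[float] = None) -> Optional[int]:
    """Called by the receiving site with the token from the request. Returns the
    user ID on success, None on any failure. Marks the row used before returning
    so a replayed or forwarded token is refused."""
    row = HANDOFF_TABLE.get(token)
    if row is None:
        return None
    if row["used"] or _now(now) > row["expires"]:
        return None
    # constant-time compare so the site binding does not leak via timing
    if not hmac.compare_digest(row["target_site"], redeeming_site):
        return None
    row["used"] = True
    return row["user_id"]


def session_cookie_for(site: str, session_id: str) -> str:
    """The receiving site sets its *own* cookie, scoped to its own host; this is
    the only cookie the browser will ever store for it."""
    return f"sid={session_id}; Domain={site}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    # a.com authenticates user 42 and hands off to b.com
    t = issue_handoff(42, "b.com")
    print(build_handoff_url("b.com", t))
    print(redeem_handoff(t, "b.com"))      # 42
    print(redeem_handoff(t, "b.com"))      # None: already used
```

Because the token lives only in the shared table and is consumed on first use, a URL copied from history or a proxy log is worthless after the redirect completes, and a token issued for b.com cannot be presented to c.com. The expiry bounds how long an unredeemed token stays live if the user abandons the redirect.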
 
COBOLdinosaur Commented:
Points to me IMHO.

Cd&
0
 
COBOLdinosaur Commented:
MOD,

When you finalize this please delete it.  I don't want the C grade.  I thought we were dealing with an adult here but apparently the user is not mature enough to accept that the universe will not be re-ordered for them.

Cd&

0