Cross Domain Cookies
Posted on 2004-11-12
I have 3 ASP.NET web sites running on 3 different domains (a.com, b.com, c.com - not just different subdomains) that need to have single sign-on set up. In other words, I need to have the user log in (which sets a "logged in" value in Session) to one domain and then either be logged in to the other domains by having the session get updated on the other 2 web sites, or have a browser cookie set that allows the user to bypass the login when they get to one of the other sites.
We have tried redirecting the user to each site upon login to get them logged in to each site, but I have encountered a problem. One of the sites has an https: login page and the others do not, and that site is the only one that even has an SSL certificate. So, when the user is redirected to the other sites it works fine, but when they are then redirected back to the https: login page, the login freezes and times out. So, since we have a problem automatically redirecting from HTTP to HTTPS, I thought we should try the cookie method.
Right now, I have set up a database table that stores a GUID and the user's ID. I create a cookie on login for each of the sites, set the cookie's domain to the domain of the site that will be grabbing it, and give it the GUID as the value. So, then when the user goes to another site, I want to get the GUID from the cookie, look up their user ID in the database, and automatically log them in. This is great in theory, but the other sites don't seem to recognize the cookies that were created in the other domain, even though I explicitly specified the new domain upon creation of the cookie. (In other words, I create the cookie on a.com with a domain value set to b.com, and then when the browser gets to b.com it can't see the cookie).
I have read that cookies can be used across different domains as long as you set the domain - is this true, or is that only true for subdomains? If it is only true for subdomains, all the solutions I find for SSO on the net seem to involve redirection, which doesn't work for us, so I don't know how to get this SSO working.
Any help would be appreciated. Thanks.