ronin83 asked:

ASPNETDB login control not logging user into "www.domain.com" when user is at "domain.com"

I'm using the ASPNETDB user database in Visual Studio 2005 with login controls to log users into their accounts; it generally works pretty flawlessly out of the box with some click-and-drags.

The problem I'm having is that when a user is at my site via THIS URL, "http://domain.com", they only get logged in (cookies) to that exact domain. The user can then travel around "http://domain.com" endlessly while remaining logged in.

However, if the user then adds a "www." for the equivalent "http://www.domain.com", they are suddenly not logged in anymore. It's very clear that my login, for whatever reason, is making a distinction between the two.

How can I stop this? It's very annoying.

Thanks in advance for any help anyone might provide; I'll make sure to mark the answer.
ASKER CERTIFIED SOLUTION
carlnorrbom (Sweden)

This solution is only available to members.
ronin83 (ASKER):

Thanks, I'll check this out. Any idea, off topic, why I didn't get an email from your reply? I thought that was the default; I guess I'll check settings or something here at Experts.
ronin83 (ASKER):

It looks like the below pasted portion applies to my issue, but I'm a beginner and can't figure out exactly what he's telling me to do. Am I supposed to integrate this code somehow with my login control? Do you have time to tell me how?
------------------
3. SSO for two applications in two sub-domains of the same domain

Now what if Foo and Bar are configured to run under different domains, http://foo.com and http://bar.foo.com? The code above will not work because the cookies will be stored in different files and will not be visible to both applications. In order to make it work, we will need to create domain-level cookies that are visible to all sub-domains. We can't use the RedirectFromLoginPage method anymore, since it doesn't have the flexibility to create a domain-level cookie. So we do it manually:

```csharp
// In Bar's login code (http://bar.foo.com): issue Bar's ticket as a domain-level cookie.
FormsAuthenticationTicket fat = new FormsAuthenticationTicket(1, "johnd", DateTime.Now, DateTime.Now.AddYears(1), true, "");
HttpCookie cookie = new HttpCookie(".BarAuth");
cookie.Value = FormsAuthentication.Encrypt(fat);
cookie.Expires = fat.Expiration;
cookie.Domain = ".foo.com";   // the line the article highlights: scope the cookie to the parent domain
HttpContext.Current.Response.Cookies.Add(cookie);
```

```csharp
// In Foo's login code (http://foo.com): issue Foo's ticket the same way.
FormsAuthenticationTicket fat = new FormsAuthenticationTicket(1, "John Doe", DateTime.Now, DateTime.Now.AddYears(1), true, "");
HttpCookie cookie = new HttpCookie(".FooAuth");
cookie.Value = FormsAuthentication.Encrypt(fat);
cookie.Expires = fat.Expiration;
cookie.Domain = ".foo.com";   // the line the article highlights: scope the cookie to the parent domain
HttpContext.Current.Response.Cookies.Add(cookie);
```

Note the highlighted lines. By explicitly setting the cookie domain to ".foo.com" we ensure that this cookie will be visible in both http://foo.com and http://bar.foo.com or any other sub-domain. You can also specifically set the Bar authentication cookie domain to "bar.foo.com". It is more secure, since other sub-domains can't see it now. Also notice that RFC 2109 requires two periods in the cookie domain value, therefore we add a period in the front: ".foo.com".

Again, make sure that you have the same <machineKey> element in web.config of both applications. There is only one exception to this rule and it is explained in the next section.
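The pasted article issues the ticket by hand, but the same effect can be had from a standard ASP.NET 2.0 Login control by widening the Domain of the cookie the control has already created. The following code-behind is an added example, not code from the original post or the quoted article; it assumes a Login control named Login1 on Login.aspx wired declaratively with OnLoggedIn="Login1_LoggedIn", and the cookie domain ".domain.com" stands in for the asker's real registrable domain.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Code-behind for the page hosting the Login control (assumed names: Login.aspx, Login1).
public partial class LoginPage : Page
{
    // Parent domain shared by domain.com and www.domain.com (assumed value).
    // The leading period is what the quoted article's RFC 2109 note requires.
    private const string SharedCookieDomain = ".domain.com";

    // LoggedIn fires after the control has validated the credentials against the
    // membership provider and queued the default forms-authentication cookie.
    // That default cookie carries no Domain attribute, so the browser scopes it to
    // the exact host the user typed: domain.com OR www.domain.com, never both.
    protected void Login1_LoggedIn(object sender, EventArgs e)
    {
        // Build a fresh ticket cookie for the user the control just authenticated,
        // keeping the "Remember me" choice for the persistent flag.
        HttpCookie authCookie = FormsAuthentication.GetAuthCookie(Login1.UserName, Login1.RememberMeSet);

        // Scope the cookie to the parent domain so the browser sends it to
        // domain.com, www.domain.com and every other sub-domain.
        authCookie.Domain = SharedCookieDomain;

        // Keep the ticket out of reach of client-side script.
        authCookie.HttpOnly = true;

        // Set (not Add) replaces the cookie the control already queued, so only one
        // Set-Cookie header for the forms ticket goes out in the response.
        Response.Cookies.Set(authCookie);
    }
}
```

No code is needed if the domain is put in web.config instead: the <forms> element's domain attribute (e.g. <forms domain=".domain.com" />) is applied by FormsAuthentication.GetAuthCookie and by the Login control itself, so the control's default cookie already spans both hosts. The trade-off the quoted article points out still applies: a parent-domain cookie is readable by every sub-domain, so if other, less trusted applications live under the same domain, the narrower fix is to keep the cookie host-scoped and redirect one host (domain.com) to the canonical one (www.domain.com) so users only ever log in on a single host.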