I have set up 2 websites on the same domain at the moment (for example, test.mainsite.com/site1 and test.mainsite.com/site2).
I have been trying to achieve an SSO between them and think that I have it working, but I want to make sure that I am not creating any security holes. I will highlight the changes I made to each application and ask for advice/comments:
Both web.configs have a machine key defined with the same validationKey, decryptionKey, and validation.
Both web.configs have the same forms authentication definition.
<forms timeout="1440" loginUrl="~/Login.aspx" name="formscookiename1" path="/"/>
On the login page of my site 1, I create the FormsAuth ticket and cookie as such:
using System;
using System.Web;
using System.Web.Security;
// Ticket: user name, persistent, 720-minute lifetime
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket( loginname, true, 720 );
string strEncrypted = FormsAuthentication.Encrypt( ticket ); // signed and encrypted with the shared machineKey
HttpCookie hc = new HttpCookie( FormsAuthentication.FormsCookieName, strEncrypted );
hc.Expires = DateTime.Now.AddHours( 8 ); // cookie lifetime (8 h) is separate from the ticket's 720-minute lifetime
Response.Cookies.Add( hc );
What I found is that as long as the machineKey info is the same and the forms cookie name is the same, I was able to log in to site 1 and automatically be logged into site 2 when I hit that site.
Also, the logout page with this code in it:
successfully signed out of both sites.
My question really is then, have I done this right? Are there any mistakes made here that would open up a security hole in the 2 sites (i.e. can cookies be copied, etc.)?
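As an added example (not the poster's code), the same shared-machineKey cookie issuance with the cookie attributes a cookie shared across /site1 and /site2 should carry, plus the matching validation and sign-out; it assumes a hypothetical helper class `SsoFormsAuth` called from each site's Login.aspx and Logout.aspx, with both web.configs configured as described in the question.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper shared by both sites (same machineKey and forms cookie name in web.config).
public static class SsoFormsAuth
{
    // Issue the same ticket the question builds, with attributes that limit where the cookie can go.
    public static void Issue(HttpRequest request, HttpResponse response, string loginName)
    {
        var ticket = new FormsAuthenticationTicket(loginName, true, 720); // 720-minute ticket
        string encrypted = FormsAuthentication.Encrypt(ticket);        // signed+encrypted with the shared machineKey

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            HttpOnly = true,                            // page script on either site cannot read it
            Secure = request.IsSecureConnection,        // not replayed over plain HTTP when issued over HTTPS
            Path = FormsAuthentication.FormsCookiePath, // "/" so both /site1 and /site2 receive it
            Expires = ticket.Expiration                 // keep cookie and ticket lifetimes aligned
        };
        response.Cookies.Add(cookie);
    }

    // On the receiving site: a tampered cookie fails to decrypt, a stale one reports Expired.
    public static string ValidatedUserName(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            if (ticket == null || ticket.Expired) return null;
            return ticket.Name;
        }
        catch (Exception) { return null; } // unreadable or tampered ticket: treat as not signed in
    }

    // Sign out of both sites: clear the shared cookie and expire it in the browser.
    public static void SignOut(HttpResponse response)
    {
        FormsAuthentication.SignOut();
        var dead = new HttpCookie(FormsAuthentication.FormsCookieName, string.Empty)
        {
            Expires = DateTime.Now.AddYears(-1),
            Path = FormsAuthentication.FormsCookiePath
        };
        response.Cookies.Add(dead);
    }
}
```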