Bobby X
asked on
ASP.NET - Configuring Forms Authentication in web.config
I have an ASP.NET Web Site built in .NET 4.7 using C#. In my web.config, I have the following Forms authentication (see web.config below) with the "domain" attribute set to ".mydomain.com" for my Production environment. Is there a way to dynamically change its value (via C#) based on the environment, such as QA, Staging, etc.? For example, if (Request.Url.AbsoluteUri.StartsWith("http://qa")), then I want to change the value of the "domain" attribute to ".myqadomain.com", and if (Request.Url.AbsoluteUri.StartsWith("http://staging")), change the value to ".mystagingdomaincom".
Here's the <authentication> section of my web.config:
<authentication mode="Forms">
<forms path="/" name="MyWebSite_Auth" loginUrl="~/login.aspx" defaultUrl="~/customers/Default.aspx" protection="All" slidingExpiration="true" domain=".mydomain.com" timeout="350" cookieless="UseCookies"/>
</authentication>
Please provide the necessary C# code to accomplish this.
Many thanks in advance.
Why don't you simply delete the domain attribute?
ASKER
The definition of the domain attribute is:
When using cookie-based authentication tickets, this setting specifies the cookie's domain value. The default value is an empty string, which causes the browser to use the domain from which it was issued (such as www.yourdomain.com). In this case, the cookie will not be sent when making requests to subdomains, such as admin.yourdomain.com. If you want the cookie to be passed to all subdomains you need to customize the domain attribute setting it to yourdomain.com.
So what if my QA and Staging environments are in a subdomain, such as qa.mydomain.com, staging.mydomain.com?
The browser creates the cookie for the domain that issued the cookie.
If the domain is "qa" then the cookie was created for "qa". If it is "prod" it is created for this one.
ASKER
I apologize for the confusion. Here’s my situation: my boss just told me that my development environment will have its own totally different domain and sub-domain, for example, dev.somedomain.net, whereas Production will have mydomain.com, QA will have qa.mydomain.com and Staging will have staging.mydomain.com, so when the site is run in dev, the “domain” attribute needs to be set to “.somedomain.net” and for all other environments the value must be set to “.mydomain.com”, right?
If you put a domain = mydomain.com, then, not qa.mydomain.com or staging.mydomain.com. The cookie would not be sent to either of them because it is configured only for mydomain.com.
Well, now assuming you change the domain dynamically. If the domain starts with "qa" then you change it to qamydomain.com. Same for stagingmydomain. I ask you: Are you not doing the same as if you did not have the domain parameter?
ASKER
Hi, I am sorry I don’t understand what you meant. Can you be more specific?
If I remove the “domain” attribute, will it work for all the different environments as mentioned above?
Is it possible to dynamically change the value? If yes, could you please provide the C# code?
What I want to tell you is that if you set the parameter domain = ".mydomain.com" you are restricting the creation of the cookie to only the root domain. For this reason, qa.mydomain.com and staging.mydomain.com could not authenticate because you have not authorized the subdomains of mydomain.com. For this reason, you want to dynamically change the domain parameter.
If you remove that parameter you are achieving what you want without a line of code.
I hope you could understand me. My English is not like my Spanish. :)
If you still have to put the domain, do it as follows after doing FormsAuthentication.SetAuthCookie:
HttpCookie cookie = FormsAuthentication.GetAuthCookie(username, true);
cookie.Domain = ".domain.com";
Response.Cookies.Add(cookie);
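An added example (not code from the thread or from any poster) of choosing the cookie's Domain per environment from an exact-match allowlist of request hosts, with a host-only cookie as the default. The host names are the thread's examples; the AuthCookieIssuer class, its mapping and the www.mydomain.com production host are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;

public static class AuthCookieIssuer   // hypothetical helper, not from the thread
{
    // Assumed allowlist: exact request host -> cookie Domain (null = host-only).
    // A Domain of ".mydomain.com" makes the browser send the cookie to every
    // *.mydomain.com host, qa and staging included, so only production issues one.
    private static readonly Dictionary<string, string> DomainByHost =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "www.mydomain.com",     ".mydomain.com" },  // assumed production host
            { "qa.mydomain.com",      null },
            { "staging.mydomain.com", null },
            { "dev.somedomain.net",   null }
        };

    // Unknown hosts fall back to host-only, so an unexpected Host header
    // can never widen the cookie's scope.
    public static string ResolveCookieDomain(string host)
    {
        string domain;
        return host != null && DomainByHost.TryGetValue(host, out domain) ? domain : null;
    }

    public static void IssueAuthCookie(HttpContext context, string username, bool persistent)
    {
        HttpCookie cookie = FormsAuthentication.GetAuthCookie(username, persistent);
        // Overrides whatever the domain attribute in web.config supplied.
        cookie.Domain = ResolveCookieDomain(context.Request.Url.Host);
        context.Response.Cookies.Add(cookie);
    }

    // Sign-out has to expire the cookie under the same Domain and Path.
    public static void ExpireAuthCookie(HttpContext context)
    {
        var expired = new HttpCookie(FormsAuthentication.FormsCookieName, string.Empty)
        {
            Path = FormsAuthentication.FormsCookiePath,
            Domain = ResolveCookieDomain(context.Request.Url.Host),
            Expires = DateTime.UtcNow.AddYears(-1),
            HttpOnly = true
        };
        context.Response.Cookies.Add(expired);
    }
}
```

Environments that receive each other's cookie and share the same machineKey and cookie name will also accept each other's tickets, which is the reason to keep QA, Staging and Development host-only.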
ASKER
So for Development environment, I need to have:
HttpCookie cookie = FormsAuthentication.GetAuthCookie(username, true);
cookie.Domain = "dev.somedomain.net";
Response.Cookies.Add(cookie);
For QA environment, I need to have:
HttpCookie cookie = FormsAuthentication.GetAuthCookie(username, true);
cookie.Domain = "qa.mydomain.com";
Response.Cookies.Add(cookie);
For Staging, I need to have:
HttpCookie cookie = FormsAuthentication.GetAuthCookie(username, true);
cookie.Domain = "staging.mydomain.com";
Response.Cookies.Add(cookie);
For Production, I need to have:
HttpCookie cookie = FormsAuthentication.GetAuthCookie(username, true);
cookie.Domain = "mydomain.com";
Response.Cookies.Add(cookie);
Is this right?
If I remove the “domain” attribute, will it work for all the different environments as mentioned above?
Yes
ASKER
Ok I will try both solutions tomorrow when I return to work and will let you know.
This kind of environmental configuration is typically handled via config transforms. I would start there.
https://docs.microsoft.com/en-us/aspnet/web-forms/overview/deployment/visual-studio-web-deployment/web-config-transformations