ASP.NET - Configuring Forms Authentication in web.config

WebAppDeveloper
I have an ASP.NET Web Site built in .NET 4.7 using C#. In my web.config, I have the following Forms authentication (see web.config below) with the "domain" attribute set to ".mydomain.com" for my Production environment. Is there a way to dynamically change its value (via C#) based on the environment, such as QA, Staging, etc.? For example, if (Request.Url.AbsoluteUri.StartsWith("http://qa")), then I want to change the value of the "domain" attribute to ".myqadomain.com", and if (Request.Url.AbsoluteUri.StartsWith("http://staging")), change the value to ".mystagingdomain.com".

Here's the <authentication> section of my web.config:
    <authentication mode="Forms">
      <forms path="/" name="MyWebSite_Auth" loginUrl="~/login.aspx" defaultUrl="~/customers/Default.aspx" protection="All" slidingExpiration="true" domain=".mydomain.com" timeout="350" cookieless="UseCookies"/>
    </authentication>

Please provide the necessary C# code to accomplish this.

Many thanks in advance.
Why don't you simply delete the domain attribute?

Author

Commented:
The definition of the domain attribute is:
When using cookie-based authentication tickets, this setting specifies the cookie's domain value. The default value is an empty string, which causes the browser to use the domain from which it was issued (such as www.yourdomain.com). In this case, the cookie will not be sent when making requests to subdomains, such as admin.yourdomain.com. If you want the cookie to be passed to all subdomains you need to customize the domain attribute setting it to yourdomain.com.

So what if my QA and Staging environments are in a subdomain, such as qa.mydomain.com, staging.mydomain.com?
The browser creates the cookie for the domain that issued the cookie.

If the domain is "qa" then the cookie was created for "qa". If it is "prod" it is created for this one.

Author

Commented:
I apologize for the confusion. Here’s my situation: my boss just told me that my development environment will have its own totally different domain and sub-domain, for example, dev.somedomain.net, whereas Production will have mydomain.com, QA will have qa.mydomain.com and Staging will have staging.mydomain.com, so when the site is run in dev, the “domain” attribute needs to be set to “.somedomain.net” and for all other environments the value must be set to “.mydomain.com”, right?
If you put a domain = mydomain.com, then, not qa.mydomain.com or staging.mydomain.com. The cookie would not be sent to either of them because it is configured only for mydomain.com.

Well, now assuming you change the domain dynamically. If the domain starts with "qa" then you change it to qamydomain.com. Same for stagingmydomain. I ask you: Are you not doing the same as if you did not have the domain parameter?

Author

Commented:
Hi, I am sorry I don’t understand what you meant. Can you be more specific?

If I remove the “domain” attribute, will it work for all the different environments as mentioned above?

Is it possible to dynamically change the value? If yes, could you please provide the C# code?
What I want to tell you is that if you set the parameter domain = ".mydomain.com" you are restricting the creation of the cookie to only the root domain. For this reason, qa.mydomain.com and staging.mydomain.com could not authenticate because you have not authorized the subdomains of mydomain.com. For this reason, you want to dynamically change the domain parameter.

If you remove that parameter you are achieving what you want without a line of code.

I hope you could understand me. My English is not like my Spanish. :)



If you still have to put the domain, do it as follows after doing FormsAuthentication.SetAuthCookie:
HttpCookie cookie = FormsAuthentication.GetAuthCookie (username, true);
cookie.Domain = ".domain.com";
Response.Cookies.Add (cookie);


Author

Commented:
So for Development environment, I need to have:
HttpCookie cookie = FormsAuthentication.GetAuthCookie (username, true);
cookie.Domain = "dev.somedomain.net";
Response.Cookies.Add (cookie);

For QA environment, I need to have:
HttpCookie cookie = FormsAuthentication.GetAuthCookie (username, true);
cookie.Domain = "qa.mydomain.com";
Response.Cookies.Add (cookie);

For Staging, I need to have:
HttpCookie cookie = FormsAuthentication.GetAuthCookie (username, true);
cookie.Domain = "staging.mydomain.com";
Response.Cookies.Add (cookie);

For Production, I need to have:
HttpCookie cookie = FormsAuthentication.GetAuthCookie (username, true);
cookie.Domain = "mydomain.com";
Response.Cookies.Add (cookie);

Is this right?
Only this:
HttpCookie cookie = FormsAuthentication.GetAuthCookie (username, true);
cookie.Domain = HttpContext.Current.Request.Url.Host;
Response.Cookies.Add (cookie);



With HttpContext.Current.Request.Url.Host you capture the domain.


If I remove the “domain” attribute, will it work for all the different environments as mentioned above?



Yes
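
Added example (not code from this thread): one way to choose the forms-authentication cookie's Domain per environment from a fixed allow-list instead of copying Request.Url.Host, with a helper that applies RFC 6265 domain matching to show which hosts a browser would send the cookie to. The class name, the host map and the www.mydomain.com entry are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;

// Hypothetical helper for illustration; not part of ASP.NET or of the thread.
public static class AuthCookieDomain
{
    // Constructed allow-list: request host -> cookie Domain to issue.
    // null means "omit Domain", which makes the cookie host-only.
    private static readonly Dictionary<string, string> DomainByHost =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "mydomain.com",         ".mydomain.com" }, // shared with all subdomains
            { "www.mydomain.com",     ".mydomain.com" }, // assumed production host
            { "qa.mydomain.com",      null },            // host-only
            { "staging.mydomain.com", null },            // host-only
            { "dev.somedomain.net",   null }             // host-only
        };

    // Returns the Domain to set, or null for a host-only cookie.
    // Hosts outside the list also get null, so an unexpected host value
    // can never widen the cookie's scope.
    public static string Resolve(string requestHost)
    {
        string domain;
        return DomainByHost.TryGetValue(requestHost ?? "", out domain) ? domain : null;
    }

    // RFC 6265 section 5.1.3 domain-match for host names (not IP addresses):
    // would a browser send a cookie with this Domain (null = host-only,
    // issued by issuingHost) on a request to requestHost?
    public static bool IsSentTo(string cookieDomain, string issuingHost, string requestHost)
    {
        if (cookieDomain == null)
            return string.Equals(issuingHost, requestHost, StringComparison.OrdinalIgnoreCase);
        string d = cookieDomain.TrimStart('.');   // a leading dot is ignored
        return string.Equals(requestHost, d, StringComparison.OrdinalIgnoreCase)
            || requestHost.EndsWith("." + d, StringComparison.OrdinalIgnoreCase);
    }

    // Call from the login page after the credentials have been validated.
    public static void Issue(HttpContext ctx, string username, bool persistent)
    {
        HttpCookie cookie = FormsAuthentication.GetAuthCookie(username, persistent);
        // Assigning null clears any domain inherited from web.config.
        cookie.Domain = Resolve(ctx.Request.Url.Host);
        ctx.Response.Cookies.Add(cookie);
    }
}
```

With this map, IsSentTo(".mydomain.com", "www.mydomain.com", "qa.mydomain.com") returns true, so a production cookie scoped to .mydomain.com also reaches the QA and Staging hosts. IsSentTo(null, "qa.mydomain.com", "staging.mydomain.com") returns false because a host-only cookie stays on the host that issued it.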

Author

Commented:
Ok I will try both solutions tomorrow when I return to work and will let you know.
kaufmed

Commented:
This kind of environmental configuration is typically handled via config transforms. I would start there.

https://docs.microsoft.com/en-us/aspnet/web-forms/overview/deployment/visual-studio-web-deployment/web-config-transformations
