I want to create cookie-based authentication functionality.
There are two web applications, and the login details are the same for both applications. When a user logs in to application A (client application), it will send a web request (HttpWebRequest) to application B (my API). This request will contain encrypted login details. Then application B will do the authentication and update application A. (B creates the auth cookie and sends it to A.)
So at the moment the user is still at application A.
And there are multiple operations in application A which will redirect the user to application B. If this happens, the user must be automatically logged in to application B. In these redirections login credentials are not provided.
Below is the web request on application B
    var http = (HttpWebRequest)WebRequest.Create(new Uri(baseAddress));
    http.Method = "POST";
    // Collect the cookies that the remote application sets on its response
    CookieContainer cookieContainer = new CookieContainer();
    http.CookieContainer = cookieContainer;
    //include the post data
    using (var response = (HttpWebResponse)http.GetResponse())
    {
        // Copy each received cookie onto the response that goes back to the browser
        foreach (Cookie cook in response.Cookies)
        {
            Response.Cookies.Add(new System.Web.HttpCookie(cook.Name, cook.Value)
            {
                Domain = cook.Domain,
                Expires = cook.Expires
            });
        }
    }
So now the question is: since applications A and B are on two different domains, cookies cannot be shared. Is there any way to allow cross-domain cookies in IIS server? (Both applications will be hosted in IIS.)
Member
3 Points
17 Posts
Multi domain cookie based authentication
Aug 16, 2019 05:24 AM|NewUser2017|LINK
Participant
850 Points
492 Posts
Re: Multi domain cookie based authentication
Aug 16, 2019 06:09 AM|AddWeb Solution|LINK
Hello, NewUser2017
How to share session state across Domains & subdomains and multidomain.
Please refer to the link below:
https://support.microsoft.com/en-ae/help/2527105/how-to-share-session-state-across-subdomains
Thanks.
Member
3 Points
17 Posts
Re: Multi domain cookie based authentication
Aug 16, 2019 06:40 AM|NewUser2017|LINK
Thanks for the response.
In this case the cookie is created on my domain. But I want to store a custom domain cookie in the browser. So the next time the user is redirected to the custom domain, the user will be automatically logged in.
Contributor
3140 Points
983 Posts
Re: Multi domain cookie based authentication
Aug 16, 2019 08:50 AM|Yang Shen|LINK
Hi NewUser2017,
For security reasons, this kind of option is forbidden; you can refer to the Same-origin Policy.
And for how cookies work, please refer to: How cookie work.
For your case, I suggest you use SSO, according to your description.
Best Regards,
Yang Shen
Participant
850 Points
492 Posts
Re: Multi domain cookie based authentication
Aug 16, 2019 09:26 AM|AddWeb Solution|LINK
Hello, NewUser2017
Well, if you want to keep a custom cookie after the browser is closed, then we use FormsAuthentication to set it.
Kindly refer to the link below for how to store cookies in the browser.
https://stackoverflow.com/questions/14922822/using-cookies-to-auto-login-a-user-in-asp-net-custom-login
Thanks.
All-Star
53091 Points
23659 Posts
Re: Multi domain cookie based authentication
Aug 16, 2019 12:55 PM|mgebhard|LINK
This is a duplicate post.
https://forums.asp.net/p/2158782/6274439.aspx?Re+Single+sign+on+using+custom+API
As illustrated in your other similar thread, this approach will not work. Application A must pass information to Application B via an HTTP GET (or POST). Application B verifies the HTTP GET information, usually by making a request to Application A. If the information is valid then Application B returns an auth cookie to the browser.
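The handoff described in the last reply, sketched as an added example (not code from any participant in this thread): application A issues a short-lived, single-use ticket, the browser carries it to B in the redirect, and B redeems it with A server-to-server before setting its own cookie. `TicketStore`, the `ticket` query parameter, `b.example` and the 60-second lifetime are assumptions for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Application A side: issues and redeems one-time login tickets (hypothetical class).
public sealed class TicketStore
{
    private readonly ConcurrentDictionary<string, (string User, DateTime Expires)> _tickets =
        new ConcurrentDictionary<string, (string, DateTime)>();
    private readonly TimeSpan _lifetime;

    public TicketStore(TimeSpan lifetime) { _lifetime = lifetime; }

    // Called by A just before it redirects the browser to B.
    public string Issue(string user)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        // URL-safe encoding so the ticket can travel in a query string.
        string ticket = Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        _tickets[ticket] = (user, DateTime.UtcNow + _lifetime);
        return ticket;
    }

    // Called by B over a server-to-server request. TryRemove makes the ticket single use.
    public string Redeem(string ticket)
    {
        if (ticket != null && _tickets.TryRemove(ticket, out var entry) && entry.Expires > DateTime.UtcNow)
            return entry.User;
        return null; // unknown, already used, or expired
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new TicketStore(TimeSpan.FromSeconds(60));
        string ticket = store.Issue("alice"); // A: the user is already logged in here
        Console.WriteLine("Redirect to: https://b.example/sso?ticket=" + ticket);

        string user = store.Redeem(ticket);   // B: back-channel check with A
        // On success B sets its own cookie for its own domain; nothing is copied from A.
        Console.WriteLine(user != null ? "B sets its own auth cookie for " + user : "B rejects");
        Console.WriteLine(store.Redeem(ticket) ?? "replay rejected");
        Console.WriteLine(store.Redeem("forged") ?? "unknown ticket rejected");
    }
}
```

The ticket carries no credentials and is useless after one redemption or after it expires, so a value leaked from the redirect URL cannot be replayed to log in.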