I've been bitten by some nasty issues today in regards to using a domain cookie as part of my FormsAuthentication operations. In
the app I'm currently working on we need to have single sign-on that spans multiple sub-domains (www.domain.com, store.domain.com, mail.domain.com etc.). That's what a domain cookie is meant for - when you set
the cookie with a Domain value of
the base domain
the cookie stays valid for all sub-domains. I've been testing
the app for quite a while and everything is working great. Finally I get around to checking
the app with Internet Explorer and I start discovering some problems - specifically on my local machine using localhost. It appears that Internet Explorer (all versions) doesn't allow you to specify a domain of localhost, a local IP address or machine name. When you do, Internet Explorer simply ignores
the cookie. In my last post I talked about some generic code I created to basically parse out
the base domain from
the current URL so a domain cookie would automatically used using this code:private void IssueAuthTicket(UserState userState, bool rememberMe)
{
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, userState.UserId,
DateTime.Now, DateTime.Now.AddDays(10),
rememberMe, userState.ToString());
string ticketString = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, ticketString);
cookie.HttpOnly = true;
if (rememberMe)
cookie.Expires = DateTime.Now.AddDays(10);
var domain = Request.Url.GetBaseDomain();
if (domain != Request.Url.DnsSafeHost)
cookie.Domain = domain;
HttpContext.Response.Cookies.Add(cookie);
}
This code works fine on all browsers but Internet Explorer both locally and on full domains. And it also works fine for Internet Explorer with actual 'real' domains. However, this code fails silently for IE when
the domain is localhost or any other local address. In that case Internet Explorer simply refuses to accept
the cookie and fails to log in.
Argh!
The end result is that
the solution above trying to automatically parse
the base domain won't work as local addresses end up failing.
Configuration Setting
Given this screwed up state of affairs,
the best solution to handle this is a configuration setting. Forms Authentication actually has a domain key that can be set for FormsAuthentication so that's natural choice for
the storing
the domain name: <authentication mode="Forms">
<forms loginUrl="~/Account/Login"
name="gnc"
domain="mydomain.com"
slidingExpiration="true"
timeout="30"
xdt:Transform="Replace"/>
</authentication>
Although I'm not actually letting FormsAuth set my cookie directly I can still access
the domain name from
the static FormsAuthentication.CookieDomain property, by changing
the domain assignment code to:if (!string.IsNullOrEmpty(FormsAuthentication.CookieDomain))
cookie.Domain = FormsAuthentication.CookieDomain;
The key is to only set
the domain when actually running on a full authority, and leaving
the domain key blank on
the local machine to avoid
the local address debacle.
Note if you want to see this fail with IE, set
the domain to domain="localhost" and watch in Fiddler what happens.
Logging Out
When specifying a domain key for a login it's also vitally important that that same domain key is used when logging out. Forms Authentication will do this automatically for you when
the domain is set and you use FormsAuthentication.SignOut().
If you use an explicit Cookie to manage your logins or other persistant value, make sure that when you log out you also specify
the domain. IOW,
the expiring cookie you set for a 'logout' should match
the same settings - name, path, domain - as
the cookie you used to set
the value.HttpCookie cookie = new HttpCookie("gne", "");
cookie.Expires = DateTime.Now.AddDays(-5);
// make sure we use
the same logic to release cookie
var domain = Request.Url.GetBaseDomain();
if (domain != Request.Url.DnsSafeHost)
cookie.Domain = domain;
HttpContext.Response.Cookies.Add(cookie);
I managed to get my code to do what I needed it to, but man I'm getting so sick and tired of fixing IE only bugs. I spent most of
the day today fixing a number of small IE layout bugs along with this issue which took a bit of time to trace down.© Rick Strahl, West
Wind Technologies, 2005-2012Posted in ASP.NET
Tweet
!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src="//platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");
(function() {
var po = document.createElement('script'); po.type = 'text/javascript'; po.async = true;
po.src = 'https://apis.google.com/js/plusone.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(po, s);
})();
