Hi,
I have stumbled across an interesting problem regarding forms authentication over multiple subdomains. The topic has been covered in various forms online but never really gets a definitive answer as to why it happens.

I have two separate web apps sitting on different subdomains of the same company realm, e.g.:

http://auth.company.co.uk
http://work.company.co.uk

The auth domain is a very simple app for handling single sign-on across multiple subdomains. The work domain is an example of a consuming web app that needs to use the authentication service of auth.

I have configured the work domain to deny all users via forms authentication, which points to a login form on the auth domain (http://auth.company.co.uk/login.aspx). When a user hits the work domain, they are redirected to auth and they can log in.

The problem occurs after the auto redirect, which happens when the framework determines that the current request is not authenticated. The query string param 'RedirectUrl' is appended to the login URL, but it does not include the absolute path and hence the originating domain. Once the user authenticates, forms authentication only has '/<originalrequest>' as the redirect URL, so it tries to redirect within the auth domain. This page does not exist and an error occurs.

A solution is to set a cookie in every consuming web app that stores the subdomain value of the previously executing request. The auth web app can then inspect this subdomain value and include it in the redirect once a user has logged in. This would work fine, but ideally I want to find a different solution that does not rely on cookies - as in the mobile forms authentication approach, where an authentication ticket will be appended as a query string parameter if the mobile device does not support cookie-based redirects.

Any assistance would be greatly appreciated.

Many thanks
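Whichever way the originating subdomain reaches the auth app (an absolute URL in the framework's ReturnUrl query string parameter, or the subdomain cookie proposed above), the auth app must check that value before redirecting to it, or login.aspx becomes an open redirect to any host. The following is an added example, not code from the post or from ASP.NET itself: it assumes ASP.NET Web Forms, that the consuming app has been changed to send the absolute originating URL in ReturnUrl, and the hypothetical class name SsoRedirect and the ".company.co.uk" suffix taken from the post.

```csharp
// Added example (not from the original post): auth-side handling of an
// absolute return URL, restricted to subdomains of the shared parent domain
// so the login page cannot be used as an open redirect. Assumes ASP.NET
// Web Forms; SsoRedirect and the ".company.co.uk" suffix are illustrative.
using System;
using System.Web;
using System.Web.Security;

public static class SsoRedirect
{
    // Only hosts in this parent domain may receive the post-login redirect.
    private const string AllowedParent = ".company.co.uk";

    // True when 'candidate' is an absolute http(s) URL whose host is the
    // parent domain or one of its subdomains. Relative paths are rejected:
    // a bare "/<originalrequest>" would resolve on auth itself, which is
    // exactly the failure described in the post.
    public static bool IsAllowedReturnUrl(string candidate)
    {
        Uri uri;
        if (string.IsNullOrEmpty(candidate) ||
            !Uri.TryCreate(candidate, UriKind.Absolute, out uri))
            return false;
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps)
            return false;
        // Suffix match with the leading dot: "work.company.co.uk" passes,
        // "evilcompany.co.uk" and "company.co.uk.evil.example" do not.
        // Uri.Host already strips any "user@" prefix, so a URL such as
        // "http://work.company.co.uk@evil.example/" is rejected too.
        string host = uri.Host.ToLowerInvariant();
        return host == AllowedParent.TrimStart('.') ||
               host.EndsWith(AllowedParent, StringComparison.Ordinal);
    }

    // Called by login.aspx once the credentials have been verified.
    public static void RedirectAfterLogin(HttpContext ctx, string userName)
    {
        // Issue the forms ticket. For the consuming subdomains to honour it,
        // every app's web.config must share the same machineKey and set
        // <forms domain="company.co.uk" ...> so the cookie spans the realm.
        FormsAuthentication.SetAuthCookie(userName, false);

        string returnUrl = ctx.Request.QueryString["ReturnUrl"];
        if (IsAllowedReturnUrl(returnUrl))
            ctx.Response.Redirect(returnUrl, false);
        else
            ctx.Response.Redirect(FormsAuthentication.DefaultUrl, false);
    }
}
```

If the cookie approach from the post is used instead, feed the cookie's value through IsAllowedReturnUrl in the same way rather than trusting it directly.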