Forms authentication - different domain for login

[JDC]

Hi all,

I have an ASP.NET application for which I'd like the "login" page to
be secure. The problem I have is that while my hosting company gives
me a "secure" option, secure pages appear under a different domain.

For example; my application is hosted here:
http://www.example.com/myapp/

But pages uploaded to the "secure" folder appear here:
https://somesecureserver.com/example/

I don't want to put the whole application in the secure folder, so is
it possible to have a login page at https://somesecureserver.com/
login.aspx that authenticates the user for my application at http://
www.example.com/myapp/ ...?

Thanks in advance,

JDC

 

[bruce barker]

to share a login cookie, your site domains must have a common root with
at least one dot. otherwise you can use url encoding (cookieless sessions).

-- bruce (sqlwork.com)

 

[GroupReader]

You *can* share authentication information between servers (like in a
server farm situation)... but you probably won't be able to do it in
the web-hosting situation you described. You would need full access
to both servers to make sure the authentication and encription details
are the same on both servers (in machine.config). Also, I guess this
only works for similar domains like Bruce stated above.

Another note: I seem to recall an article about "typical security
pitfalls." If you secure your login page, but do not secure the rest
of your application, it makes it really easy for a hacker to gain
access to your authentication cookie which is passed with every
request. The hacker gets the cookie from one on the non-secured
pages, then can resend that same cookie to any of your secured pages.
Something like that. I'm no expert.