Issues passing cookies between apps on same box

[Andy]

Hi,
I'm having issues with what I'm *sure* is a simple problem.

Basically having a problem passing a cookie between two sites.
On Site A you sign in, and create a cookie with the users ID in it
When the user wants to purchase anything (and enter CC details) we want to
pass the user to the secure site, which is on the same server.
Alas the cookie is not being picked up on the secure site.

a) Both sites are on the same box
b) Works on my development pc, but not on the DEV box (that old chestnut!)
c) The secure site isn't https - we only have the certificate on the
production site, so this isn't an https issue
d) ASP.NET 1.1 (yes, I know...) moving soon
e) After a bit of googling I've added a machnekey section (below) to
web.config, but this hasn;t changed anything - still the same issue.

<machineKey
validationKey="F6EF6C186BDB1A9630BB84301322B022D4249CFF98407D3D67284AE441B4309F06B5A1B9D7DC37E645783CFB7DC2C79CC297812BB968B9816EF08DFBD0D98D77"
decryptionKey="AAAD8D2655F03CC1EDE43DEF9D8BFBD436773295D0D78C9C"
validation="SHA1" />

If anyone has any ideas it'd be most appreciated.

I take it cookies is the way to go here? We're using forms authentication. I
do not want to pass anything in a query string!

Thanks

 

[Scott Roberts]

I'm having issues with what I'm *sure* is a simple problem.

The problem is simple. The solution, maybe not.

Basically having a problem passing a cookie between two sites.
On Site A you sign in, and create a cookie with the users ID in it
When the user wants to purchase anything (and enter CC details) we want to
pass the user to the secure site, which is on the same server.
Alas the cookie is not being picked up on the secure site.

This is by design. A browser does not (and should not) give cookies from one
site to a completely different site. For example, you wouldn't want the
cookie generated by your site to be passed to, say, Google, would you?

a) Both sites are on the same box

Doesn't matter. One box can host hundreds of sites, that doesn't mean they
should share information.

b) Works on my development pc, but not on the DEV box (that old chestnut!)

That's probably because they are not really different sites on your
development pc. I bet when you run everything on your development pc that
all URLs start with http://localhost, right? If so, the browser thinks they
are all the same site. When you put it on the "DEV" box I bet the URLs are
different (e.g. http://www.mysite.com and http://secure.mysite.com or
something like that), right?

c) The secure site isn't https - we only have the certificate on the
production site, so this isn't an https issue

Right on.

d) ASP.NET 1.1 (yes, I know...) moving soon

Doesn't matter.

e) After a bit of googling I've added a machnekey section (below) to
web.config, but this hasn;t changed anything - still the same issue.

<machineKey
validationKey="F6EF6C186BDB1A9630BB84301322B022D4249CFF98407D3D67284AE441B4309F06B5A1B9D7DC37E645783CFB7DC2C79CC297812BB968B9816EF08DFBD0D98D77"
decryptionKey="AAAD8D2655F03CC1EDE43DEF9D8BFBD436773295D0D78C9C"
validation="SHA1" />

You'll still need that bit of info once you get the cookie situation worked
out.

If anyone has any ideas it'd be most appreciated.

Assuming that your problem is domain-related, this article might help:

http://brennan.offwhite.net/blog/2006/09/25/multiple-site-authentication-with-aspnet-20/

I take it cookies is the way to go here? We're using forms authentication.
I
do not want to pass anything in a query string!

I agree.

 

[Andy]

Hi Scott,

Many thanks for the reply
very helpful, especially the link.
http://brennan.offwhite.net/blog/2006/09/25/multiple-site-authentication-with-aspnet-20/

Alas that deals with asp.net 2.0. I'm still stuck with asp.net 1.1 until
January.
Needless to say I haven't got until Jan to fix, so I'm still looking.

Cheers

 

[Scott Roberts]

Hmmm, you did say that you were using 1.1. But then I was under the
impression that you were using the MS aspnet membership stuff, which comes
with 2.0, so I'm a little confused.

Regardless, I think your problem is just a cookie/domain problem. So try
manipulating that and see what you get.

Here's a sample that appears to be using 1.1:

http://groups.google.com.hk/group/m...read/thread/88d603eedd030a57/11968cc384577926

Scott