
javascript - How to check if a cookie exists even if it was created in another application? (using JS or C#) - Stack Overflow


I have several applications and one of them is a central application that manages authentication, and where a LogOn page is imported from as an IFrame to the other applications.

When the userName and password are correct, I create a cookie named userInfo.

Now, in the current app, I want to check if the cookie of userInfo exists. I think I should check it exists in the browser (in client side).

It must be possible, so how can I do it?

Thanks in advance.


asked Jun 12, 2012 at 13:28 by ParPar (edited Jun 12, 2012 at 14:49)
  • Sounds like you are wanting to implement single sign on. Do all the applications live on the same domain or use the same domain if accessed via a sub domain? – Dan Lister Commented Jun 12, 2012 at 13:37
  • @DanLister Not all the applications are in the same domain. There must be a way to know it maybe through a url or something... – ParPar Commented Jun 12, 2012 at 14:10
  • 2 This sounds like an enormous security risk to me. You do not WANT a cookie from one domain to be readable by any arbitrary other domain. – steve v Commented Jun 12, 2012 at 14:13
  • I agree with stephen.vakil. For multiple domain applications, you'll need a central application to manage authentication. Something like ADFS would do the trick. – Dan Lister Commented Jun 12, 2012 at 14:14
  • @DanLister That's exactly what I have - a central application that manages authentication. I show the same Login page in the other applications. But I don't know how the current application has a way to know if the userName and password were good. – ParPar Commented Jun 12, 2012 at 14:31

1 Answer (score 9)

Cookies cannot be shared cross domain. If your applications are not hosted on the same domain, you have to forget about this. It won't work because browsers (for obvious security reasons) do not send cookies cross domain. There are other ways to implement cross domain single sign on (see the second part of my answer).

Now let's suppose that your applications are on the same domain and you have multiple applications spread over different sub-domains of the root domain:

  • login.foo.
  • app.foo.
  • xxx.foo.

and you want to share authentication between those sub domains. All you have to do is set the domain property in your web.config to the root domain:

<authentication mode="Forms">
  <forms
    loginUrl="https://login.foo."
    requireSSL="true"
    protection="All"
    timeout="120"
    domain="foo."
    slidingExpiration="false"
    name="sso" />
</authentication>

The same configuration should be applied to the web.config of all applications. And that's pretty much all you need to do. Once the user is authenticated on one of the sub domains he will automatically be authenticated on the others thanks to the fact that cookies can be shared cross sub domains.


If you want to achieve cross domain single sign on then you will have to take a different approach. You could use the same machine keys between the different applications to encrypt the authentication token. Here are the steps:

  1. User navigates to https://foo. and is presented with a Logon screen because he is not authenticated on this domain yet.
  2. The user authenticates and an authentication cookie is emitted and valid for the foo. domain.
  3. Now the user needs to go to https://bar. and be automatically authenticated on this domain. On some page on https://foo. you could create a form containing the value of the authentication cookie to be posted:

    <form action="https://bar." method="post">
        <input type="hidden" name="token" value="PUT THE VALUE OF THE AUTHENTICATION COOKIE HERE" />
        <button type="submit">Go to bar.</button>
    </form>
    
  4. The user submits the authentication cookie to the bar.. The script that receives this form submission reads the authentication token value that was posted and uses the FormsAuthentication.Decrypt method to decrypt the authentication ticket and read the user name. Since both applications on foo. and bar. use the same machine keys, the ticket that was encrypted on foo. will be successfully decrypted by bar.
  5. The script at bar., having extracted the authenticated username from the token, emits a forms authentication cookie valid on bar. using the FormsAuthentication.SetAuthCookie method.
  6. The user is now authenticated on bar.

The whole security of this model relies on the fact that SSL is used when POSTing the forms authentication token from foo. to bar. so the token cannot be captured by a man-in-the-middle and that both applications share the same machine keys for encrypting and decrypting those tokens.
