Forms authentication issue in ASP.NET

Assuming both sites share the same membership database then you can set the cookie domain in the forms authentication section of web.config;

<authentication mode="Forms">
    <forms .... domain="mycorp.com"/>
</authentication>

Note that you'll also have to setup matching machine keys in the web.config as these are used to sign the authentication cookie.

There is an example on MSDN.

This link give some details http://docs.communityserver.com/2007/270-common-things-to-check-when-using-forms-authentication/

Basically you need to add the domain attribute in the <forms/> tag within the <authentication> tag of the web.config file.

e.g.

<authentication mode="Forms">
<forms name=".CookieName" ... domain=".mydomain.com" />
</authentication>

Set the domain attribute to .mycorp.com in the form tag in the web.config

I would suggest the way Stack Overflow, Microsoft, Facebook, Google Accounts do, and that is even more efficient because every website can be on any different machines.

Assume, you have AuthSite. This is the one site where you have to login, and has membership information.

And you have SiteA, SiteB, and SiteC on different servers.

On login page of SiteA you have to setup a form post with a secret on AuthSite.

If you had previously logged successfully on AuthSite, it will just redirect back to SiteA with successful secret in the form of a hidden Form Post in the browser, that you have to verify in SiteA.

This model is highly extensible and scalable. Because maintanence in the long run is easy.

Code on LoginPage of SiteA, SiteB and SiteC follows.

Login.aspx on SiteA, SiteB, and SiteC:

private void Page_Load(object sender, EventArg e){
   // Simply redirect back to AuthSite...
   // Change Site parameter accordingly.
   Response.Redirect("http://authsite/Login.aspx?Site=SiteA");
}

Login.aspx on AuthSite:

// Define one hidden field named "ReturnSite".

private void Page_Load(object sender, EventArg e){

   if(IsPostBack)
       return;
   string site = Request.QueryString["Site"];
   if(Request.User.IsAuthenticated){
       string secrete = CreateSomeSecrete(site);
       Response.Redirect("http://" + site + 
           "/AuthConfirm.aspx?Token=" + secrete + 
           "&User=" + Request.User.Identity.Name);
       return;
   }

   ReturnSite.value = site;
   // Do usual login...
}

private void LoginButton_Click(object sender, EventArg e){
   string secrete = CreateSomeSecrete(ReturnSite.value);
   FormAuthentication.SetAuthCookie(username,true);
   // You can retrive username later by calling 
   // Request.User.Identity.Name.
   Response.Redirect("http://" + ReturnSite.value + 
      "/AuthConfirm.aspx?Token=" + secrete + "&User=" + username);
}

AuthConfirm.aspx on SiteA, SiteB, and SiteC:

private void Page_Load(object sender, EventArg e){
   string secrete = Request.QueryString["Token"];
   // Verify that secret came only from AuthSite.
   if(VerifySecrete(secrete)){
       // This sets authentication cookie for Current Site
       FormsAuthentication.SetAuthCookie(Request.QueryString["User"], true);
   }
}

Now let's see a different scenario.

Same User, First time login

1. The first user, John, visiting SiteA (not yet logged in) gets redirected to AuthSite.
2. AuthSite checks and finds out that user does not have an authentication cookie, so actual credentials are asked.
3. AuthSite sets token on itself and passes secret to AuthConfirm page on SiteA. SiteA verifies the token and sets the authentication cookie and lets user to visit secure pages.

Same User, First time on SiteB

1. User John is successfully logged into SiteA using AuthSite, now tries to visit SiteB.
2. SiteB finds the user is not logged in so it is directed to AuthSite.
3. AuthSite finds that the user already has a cookie for AuthSite website.
4. AuthSite redirects user back to SiteB with the authentication secret.
5. SiteB verifies the secret and lets John continue to visit secure pages.