Forms Authentication Shared Across Websites

Question

I'm developing a mobile-only sub domain website for an existing website. (The main site is www.domain.com and the mobile-only site I'm developing is m.domain.com.)

When a user logs into the main website, I want to redirect them to the mobile-only website if:

They appear to be on a mobile device
They have a particular role

When redirected, they should not have to log in a second time. And so I want to share authentication across websites. The main website uses Forms Authentication.

I am trying to follow the steps described in the article Forms Authentication Across Applications. The main thing is that you must "set attributes of the forms and machineKey sections of the Web.config file to the same values for all applications that are participating in shared forms authentication."

I have done this. However, it's still not working. I can log in or out of either site using the same credentials. But logging in or out of one site does not have any effect on the login status of the other.

The article has this note:

Applications that run ASP.NET version 2.0 or later can share forms authentication ticket information with earlier versions of ASP.NET if you include decryption="3DES" in the machineKey element for each ASP.NET version 2.0 (or later) application.

This does not seem to apply.

Also, I do not specify the domain attribute of the authentication element. It says it's optional, and that the default value will be "".

Can anyone suggestion what else I might try. I just don't know where to go from here.

possible duplicate of Asp.net forms authentication and multiple domains — NightOwl888
@NightOwl888: That's not the same. That question is about two domains that reference the same website. I have two domains that reference different websites. — Jonathan Wood
I don't see anywhere in your question that specifies you are using multiple domains. You only say different websites (which could be on the same subdomain). — NightOwl888
As per my first sentence, it's a "mobile-only subdomain". I can see any possible situation where that would use the exact same domain as the main website. I can give you a hundred reasons why ever having a two websites with the same domain sounds like a bad idea. But it has been ruled out when one is a subdomain of the other. — Jonathan Wood
Ok, then this stands as a duplicate of the above link. The fact that you have 2 different websites and the asker of the question has 1 makes no difference in regards to the answer given. The limiting factor is that of cookies, which is possible to do on multiple subdomains if you follow those instructions. But you definitely need to synchronize the machine keys: blogs.msdn.com/b/vijaysk/archive/2009/05/13/… — NightOwl888

Magnus Karlsson Magnus Karlsson · Accepted Answer · 2015-07-06T23:13:15

This is what is wrong.

Also, I do not specify the domain attribute of the authentication element. It says it's optional, and that the default value will be "".

You should set the domain attribute in the forms element like this(not sure about the dot indicating a subdomain).

<forms domain=".mydomain.com" loginUrl="member_login.aspx" cookieless="UseCookies" />

The CookieDomain property value is set in the configuration file for an ASP.NET application by using the domain attribute of the forms configuration element. The CookieDomain property value determines the Domain that the cookie will be used for.

The documentation from your link states that

You can omit the domain attribute of the forms tag if there is only one Web site on the server.

Which in your case, it is not.

Forms Authentication Shared Across Websites

2 Answers