HELP: FormsAuthentication Cookie with multiple domains

From: Avi Landy (alandy@hotmail.com)
Date: 10 Nov 2002 13:37:49 -0800


I'm having this really crazy problem. I made a site,
online.mysite.co.il, to which a user has to log on using
FormsAuthentication. When logging on, the user receives a session (not
persistent) cookie. One of the things a user can do is Logout, which
removes the cookie. This is all fine.

Now, we are integrating this site with a site called www.mysite.co.il,
which has the same interface, menus, look and feel of the online site,
except that this site doesn't need authentication. Now, one of the
ideas of the integration was that if I'm logged in on the online
site, I will be able to see that status also on the www site. I had a
problem originally, that the www site didn't see the cookie. I fixed
that by setting the domain of the FormsAuthentication cookie to
"mysite.co.il". This allowed the www site to read the cookie. Now,
here's the weird part. As soon as I set the domain of the cookie like
that, I can't log out. FormsAuthentication.SignOut doesn't work,
Cookies.Remove doesn't work, I can't change the domain after I create
the cookie; in short, the only way to get rid of this cookie is to
close the browser.

Thinking this whole thing is really weird, I did the following on my
personal computer:

I made a web site that contains:
 a page that makes a ticket automatically
 a page that does a logout, after which it redirects to a page that says:
Response.Write(User.Identity.IsAuthenticated)

If the domain is left alone (at the default value), when I get to the
last page, it says false. As soon as I set the domain of the cookie to
mysite.co.il, the page always says true (and in debug, I see the
cookie).

Does anyone have any ideas?

Thank you,
Avi
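
An added example, not part of the original post: a simplified model of how a browser stores cookies, consistent with the symptom described above. Under RFC 6265 a stored cookie is identified by name, domain and path, so an expiring Set-Cookie that carries no Domain attribute targets a host-only cookie for online.mysite.co.il and leaves the mysite.co.il cookie in place. The cookie name `authTicket` and all function names are assumptions made for this sketch.

```javascript
// Simplified browser cookie store after RFC 6265 section 5.3 (constructed model).
// Path matching on send and the Secure/HttpOnly flags are left out.
function setCookie(jar, requestHost, c) {
  // Without a Domain attribute the cookie is host-only and bound to the request host.
  const hostOnly = !c.domain;
  const domain = (c.domain || requestHost).replace(/^\./, "").toLowerCase();
  const key = [c.name, domain, c.path || "/"].join("|");
  if (c.expires && c.expires.getTime() <= Date.now()) {
    jar.delete(key); // an expired cookie evicts only the entry with the same key
  } else {
    jar.set(key, { name: c.name, value: c.value, domain, hostOnly });
  }
}

// Names of the cookies the browser would attach to a request for `host`.
function cookiesFor(jar, host) {
  return [...jar.values()]
    .filter((c) => host === c.domain || (!c.hostOnly && host.endsWith("." + c.domain)))
    .map((c) => c.name);
}

// Log in on the online site with a domain-wide cookie, then log out.
// `logoutDomain` is the Domain attribute on the expiring Set-Cookie (undefined = none).
function cookiesAfterLogout(logoutDomain) {
  const jar = new Map();
  const host = "online.mysite.co.il"; // host names taken from the post
  setCookie(jar, host, { name: "authTicket", value: "constructed-ticket",
                         domain: "mysite.co.il", path: "/" });
  setCookie(jar, host, { name: "authTicket", value: "", domain: logoutDomain,
                         path: "/", expires: new Date(0) });
  return { online: cookiesFor(jar, host), www: cookiesFor(jar, "www.mysite.co.il") };
}

// Logout without Domain: the domain-wide cookie is still sent to both sites.
console.log(cookiesAfterLogout(undefined));
// Logout with the same Domain as at login: the cookie is gone.
console.log(cookiesAfterLogout("mysite.co.il"));
```

On the server side the equivalent is to expire the cookie with the same Domain and Path values that were used when it was issued.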


