Niraj Bhatt – Architect's Blog

Ruminations on .NET, Architecture & Design

Single Sign On via Cookie Sharing for Sub Domains using ASP.NET

ASP.NET supports Forms Based Authentication (FBA). FBA requires that a user logging in to the site has an .ASPXAUTH cookie. If the cookie stored on your computer is persistent, you bypass the login screen the next time you access the site. This happens because every time you send a request to a site, all the cookies stored for that site on your computer travel along with the corresponding HTTP request. This holds not only for the site itself, but also for any subdomains of that site. For example, if you have a persistent cookie stored for, the authentication cookie would not only be sent to, but also and

So the question is: how do you set the domain name for an authentication cookie in ASP.NET? It is pretty simple: use the GetAuthCookie method of the FormsAuthentication class.

HttpCookie httpCookie = FormsAuthentication.GetAuthCookie( "someuser", true ); // Persistent cookie
httpCookie.Domain = ""; // Set the domain
HttpContext.Current.Response.Cookies.Add( httpCookie ); // Add the auth cookie to the response
Response.Redirect( FormsAuthentication.GetRedirectUrl( "someuser", true ) );

Note the second parameter passed to GetAuthCookie – ‘true’. This creates a persistent cookie. The cookie is sent to the sites in the same domain and so bypasses the login screen. Also, it is the machineKey that is used to generate (encrypt / decrypt) the authentication cookie. Hence, you need to ensure that the machineKey is the same for all the applications that are part of your SSO solution, as shown below:

<machineKey validationKey="64Bytes" decryptionKey="24Bytes" decryption="3DES" validation="SHA1"/>

You can find more details about how to generate these keys with differences between decryptionKey (used for authentication ticket) and validationKey (used for viewstate) here.

Finally, the GetAuthCookie code won’t work if the machine name where you are running the application and the domain name used don’t match. To make them match, you might have to edit your ‘C:\Windows\System32\drivers\etc\hosts’ file and provide an alias. And that’s it. You are all set with your SSO solution.
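
The following is an added example, not code from the original post: a helper that issues the shared cookie with an explicit domain and the Secure and HttpOnly flags, reads it back on a subdomain, and clears it on sign-out. The `SharedAuthCookie` class, its method names and the domain `example.com` are assumptions; it also assumes every participating site runs over HTTPS and shares the same machineKey.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

public static class SharedAuthCookie   // hypothetical helper, not from the post
{
    private const string SharedDomain = "example.com";   // placeholder parent domain

    // Main site: issue the ticket so that every host under SharedDomain receives it.
    // That includes non-ASP.NET hosts, so each of them must be trusted with the cookie.
    public static void SignIn(HttpContextBase context, string userName, bool persistent)
    {
        HttpCookie cookie = FormsAuthentication.GetAuthCookie(userName, persistent);
        cookie.Domain = SharedDomain;
        cookie.HttpOnly = true;   // not readable from script
        cookie.Secure = true;     // sent over HTTPS only (assumes all sites use HTTPS)
        context.Response.Cookies.Add(cookie);
    }

    // Subdomain: returns the user name, or null when the cookie is absent, expired,
    // tampered with, or protected with a machineKey this application does not share.
    public static string ReadUser(HttpContextBase context)
    {
        HttpCookie cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            return (ticket == null || ticket.Expired) ? null : ticket.Name;
        }
        catch (Exception ex) when (ex is ArgumentException || ex is CryptographicException || ex is HttpException)
        {
            return null;   // treat any decryption or validation failure as "not signed in"
        }
    }

    // Sign-out: the expiring cookie needs the same Domain and Path as the one issued,
    // otherwise the browser keeps the shared cookie.
    public static void SignOut(HttpContextBase context)
    {
        var expired = new HttpCookie(FormsAuthentication.FormsCookieName, string.Empty)
        {
            Domain = SharedDomain, Path = FormsAuthentication.FormsCookiePath,
            HttpOnly = true, Secure = true, Expires = DateTime.Now.AddYears(-1)
        };
        context.Response.Cookies.Add(expired);
    }
}
```

From a page or handler, pass `new HttpContextWrapper(HttpContext.Current)` as the context. If `ReadUser` returns null on a subdomain while the browser does send the cookie, the machineKey or forms cookie name differs between the applications.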

2 responses to “Single Sign On via Cookie Sharing for Sub Domains using ASP.NET”

  1. Pingback: SharePoint 2010: Posibilidades de Single Sign On desde aplicaciones ASP.NET! - Blog del CIIN

  2. Nitish Kumar December 3, 2013 at 6:18 pm

    I also have a similar problem. Can you please post the remaining part to make this single sign on work, i.e. what needs to be done at the subdomain.
    My situation is I have a web application for various users. I have a separate WordPress blog running on the same server as a subdomain. Now when the user logs in to the web application and then goes to the blog page from the home page, he should be already logged in.
