5

I am attempting to share authentication across multiple ASP.NET MVC web apps. The apps have different subdomains, e.g. x.example.com, y.example.com. I have generated a machine key and added it to the web.config of the apps. I have added the domain attribute to the forms tag (domain = "example.com").

This seems to work correctly in Chrome. After signing into the first app, I navigate to the second and am not required to log in. However, in Firefox, it seems to break the login. When I click the login button, Firefox seems to quickly reload the login page. I am unable to log in.

What could be causing this behavior? Is there something about the cookie that is written with this domain that Firefox doesn't like?

James Harpe
  • 4,315
  • 8
  • 47
  • 74
  • 1
    Might have something to do with CORS, can you check: https://stackoverflow.com/a/6290385/495455 – Jeremy Thompson Aug 28 '18 at 00:46
  • 1
    Have you tried checking the request in the Network tab of developer tools? There should be an ASP cookie being set; you can check if the auth cookie sent to subdomain x is also being sent to subdomain y. You could also try prefacing the cookie name with a '.' – ste-fu Aug 28 '18 at 12:47

1 Answer

0

Browsers use the same origin policy to determine whether to send a cookie to a Web site: an HTTP request sent to a host will contain those and only those cookies whose Domain attribute identifies the host itself or the DNS domain to which the host belongs. (The Path and Port attributes are also taken into account.) When setting a cookie, the Web server is allowed to omit the Domain attribute (then the browser sets this attribute to the server’s host name) or to set it to the server’s parent domain. For example, host x.domain1.com may set Domain to .domain1.com but not to .domain2.com. To set cookies, Web servers use the Set-Cookie HTTP header; to relay cookies to Web servers, browsers use the Cookie header.

Vladimir Shmidt
  • 2,651
  • 1
  • 19
  • 21
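
The Domain rule described in the answer above, as an added example that is not part of the original answer: a simplified sketch of RFC 6265 domain matching that shows when a cookie set by x.domain1.com is stored and which hosts receive it. The function names, the cookie name `auth` and the sibling host y.domain1.com are illustrative assumptions; public-suffix checks, IP-address hosts and the Path attribute are left out.

```javascript
// Added example: simplified RFC 6265 cookie domain handling.
// Assumptions: no public-suffix list, no IP-address hosts, no Path matching.

// RFC 6265 section 5.1.3: a host domain-matches a domain when the two are
// identical, or when the host ends with "." followed by the domain.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// How a browser stores a cookie received from `requestHost`.
// `domainAttr` is the Domain attribute value, or null when it was omitted.
// Returns null when the cookie is rejected.
function storeCookie(requestHost, name, domainAttr) {
  if (!domainAttr) {
    // No Domain attribute: host-only cookie, returned to this exact host only.
    return { name, domain: requestHost.toLowerCase(), hostOnly: true };
  }
  // A leading dot in the attribute value is ignored (section 5.2.3).
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  // The setting host must itself belong to the domain it names.
  if (!domainMatches(requestHost, domain)) return null;
  return { name, domain, hostOnly: false };
}

// Would the stored cookie be attached to a request for `host`?
function isSentTo(cookie, host) {
  return cookie.hostOnly
    ? host.toLowerCase() === cookie.domain
    : domainMatches(host, cookie.domain);
}

// Constructed sample: the three cases from the answer.
const shared = storeCookie("x.domain1.com", "auth", ".domain1.com");
const hostOnly = storeCookie("x.domain1.com", "auth", null);
const foreign = storeCookie("x.domain1.com", "auth", ".domain2.com");

console.log("shared   -> y.domain1.com:", isSentTo(shared, "y.domain1.com"));
console.log("hostOnly -> y.domain1.com:", isSentTo(hostOnly, "y.domain1.com"));
console.log("foreign stored:", foreign !== null);
```

A cookie stored with Domain set to the parent domain is attached to requests for every host under that domain, so each subdomain receives the authentication ticket.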