Share Cookie Across Sub Domain In ASP.NET

In this blog, you will learn how to share a cookie across sub-domains in ASP.NET.

Single Sign-On is a common need with applications for organizations. Organizations want to use the same login details across their application. Most of the times, internal applications are hosted on the same domain using Sub-Domains.
 
If we observe the application level, all applications are different for every sub-domain. So, for that, we need to persist the Session or User Identity while accessing the applications.
 
Here are some steps to achieve this in ASP.NET. Below are some of the configuration settings which you need to do in Web.config.
  1. <authentication mode="Forms">  
  2.    <forms loginUrl="~/" name=".ASPXFORMSAUTH" timeout="20" domain=".xxxxxxxx.xxx" path="/" protection="All" enableCrossAppRedirects="true" />  
  3. </authentication>  
Here, you need to specify the parent domain with (.) so that it will get access of all subdomains of the parent domain.
 
Add the above line to all applications which will get hosted on the sub-domain. 
 
Also, add the same Machine Key in all web.config.
  1. <machineKey validationKey="XXXXXXXXXXXXXXXXXXXXXXXXXXX" decryptionKey="XXXXXXXXXXXXXXX" validation="SHA1" decryption="AES" />   
Now, come back to your code.
 
After authentication, create a Cookie with all necessary user details as below.
  1. var json = JsonConvert.SerializeObject(data);  
  2. var ticket = new FormsAuthenticationTicket(1, DateTime.Now,DateTime.Now.AddHours(2), true, json);  
  3. var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));  
  4. cookie.Domain = "XXXXXXXXXX";//This should be parent Domain not Sub Domain. even if there is setting in your Web.Config you need to specify this  
  5. Response.Cookies.Add(cookie);  
Here, your cookie is created. Now, it's time to access the created cookie.
 
In Global.asax, Application_AuthenticateRequest method you can access cookie and set the session. The cookie gets accessed with the below line.
  1. var cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];  
After getting the cookie, you can set the user data so that we can use it in the application.
  1. if (cookie != null)  
  2. {  
  3.    HttpContext.Current.User = cookie.data;  
  4. }