ASP.NET Session and Cookies in Multi-tenant application
I'm working on a multi-tenant ASP.NET MVC application.
So far we have been using HttpContext to store a few objects for the request (technically partitioned by tenant).
However, we will need to use TempData (uses Session) and set authentication cookies.
Our spec:
- A tenant can have multiple urls (tenant1.myapp.com or mycustomdomain.com)
- Authentication cookies should NOT be shared by tenants
- Ideally, a tenant's authentication cookie should be shared by any one of their urls
Is Session domain aware? It seems to be.
Can I set multiple domains on an auth开发者_Go百科entication cookie?
Advice on anything else that may catch me out would be appreciated. Really I just need to understand what needs to be partitioned for each tenant (up to now I've partitioned the file system, database and cache per tenant).
Thanks
Ben
Is Session domain aware?
By default Session is tracked by cookies and because cookies are restricted to the same domain the session is not only domain aware but also application-aware meaning that if you have two applications on the same domain they won't share session.
Can I set multiple domains on an authentication cookie?
No. Cookies cannot be shared between domains. But contrary to sessions you can share them among multiple applications on the same domain (by setting the domain
attribute to the top level domain in the <forms>
tag in web.config). This is what allows to achieve single sign on between applications on the same domain. If you wanted to achieve single sign on between applications on different domains you will need different approach.
you may want to look into Session Partitioning.
<configuration>
<system.web>
<sessionState
mode="StateServer"
partitionResolverType=
"IndustryStrengthSessionState.PartitionResolver" />
</system.web>
</configuration>
But I don't believe you can share sessions across domains out of the box. You will likely need to add custom session synchronization, where each domains session is linked by a custom algorithm to the same user/tenant etc.
精彩评论