ASP .NET Cross Site Forms Authentication works in Dev but not production

I have two MVC3 sites, both hosted on the same server that I've configured to use the same authentication cookies.

The first site is an intranet site using Windows authentication. This site has one simple Action that checks to see if the user was authenticated, if the user has been, it creates a FormsAuthentication cookie that it adds to the response. This cookie is created for a generic user that I determine from the User's AD groups. The response then redirects the user to a second site that uses Forms Authentication.

When I run this on my local machine, everything works as described above. When I deploy this to our local web server, it doesn't. I've tested to see if the user's group is correctly determined and that it creates a valid user for the cookie, and I have verified that this is correct on the web server.

Here is how I'm doing all of the above:

First, I made both sites use the same s开发者_JS百科ame Machine Key for encryption and decryption.

When I create the cookie in Site1, I ensure that it has the same name and Domain as the cookies created on Site2.

     var cookie = FormsAuthentication.GetAuthCookie(userName, false);
     cookie.Domain = FormsAuthentication.CookieDomain; //This is the Domain of my 2nd site as they are different

     HttpContext.Response.Cookies.Add(cookie); //Add my cookie to the response
     HttpContext.Response.RedirectPermanent(urlForSite2);

Again, when I run this on my local machine it works without a problem. But when deployed, it's either not passing the cookie in the request, or the response is ignoring it, but I'm not sure how to verify either of these cases.

Feel free to ask any question regarding more details as to how I'm doing this if it will help in getting an answer I need.

Cross domain cookies are not allowed. If you have two separate domains; one cannot access the others cookies. Two separate virtual directories/applications will work when using the same machine key. http://blogs.technet.com/b/sandy9182/archive/2007/05/07/sharing-forms-cookie-between-asp-net-web-application.aspx

If you want to share login cookies between sub-domains you need to edit the Domain property of the login cookie to the 2nd level domain "abc.com" so that "www.abc.com" and "ww2.abc.com" will have access to the cookie. http://forums.asp.net/t/1533660.aspx

String usrName = User.Identity.Name.ToString();
HttpCookie authCookie = Security.FormsAuthentication.GetAuthCookie(usrName, false);
authCookie.Domain = "abc.com";
Response.AppendCookie(authCookie);

Actually, it is possible, but isn't as simple as the domain/sub-domain cookie sharing.

http://www.codeproject.com/KB/aspnet/CrossDomainSSOModel.aspx

While the example given in this article didn't apply directly to what I was doing, I could use some of the ideas expressed there to get what I needed working. It ended up being my configuration settings in site2 web.config.

My URLs are as follows

• Site1 = http://site.stage
• Site2 = http://site.stage.MyCompanyName.com

Site 1 requires a host entry addressing it to a specific IP address of the hosting machine. It's also an entry in my IE Security settings - Local Intranet Sites.

I should note that these applications are both virtual directories running under the same default website.

I thought I had solved my problem but setting the Domain in the config file to and empty string, but this didn't work. I'm not sure what can be done now. This still works when I run it on my local machine, but not when I run it on my server. The only difference is the urls.

My dev machine is using the urls

• Site 1: http://localhost/CompanyName.TVAP.IntranetSite
• Site 2: http://localhost/TVAPDev/

I hope this adds some clarification. This Answer should really be posted as an edit to my question, but when I originally posted it, I thought I had it working.

UPDATE: I think my answer is in my URLs above. My dev machine URLS both are using the same domain name, which in this case is localhost. I think if I alter my deployed websites to use the same domain, I will be OK. I'll post an update when I get it worked out.