
Subdomain authentication

I am using the default ASP.NET authentication solution. Now I have subdomains on my server (e.g. example.com, blog.example.com, forum.example.com...). The login occurs on example.com, and gives out an authentication cookie. But when I go to forum.example.com I am redirected to login. Is there a configuration setting to make the login work for *.example.com?

It's worth noting that the cookies are issued as "example.com" for the domain. So I changed it to ".example.com" based on some reading, and now sub-domain authentication works. Anyone able to explain?


According to RFC 2109, if you do not prefix a dot on the domain, it is invalid and the cookie should be rejected. From RFC 2109:

Domain=domain Optional. The Domain attribute specifies the domain for which the cookie is valid. An explicitly specified domain must always start with a dot.

4.3.2  Rejecting Cookies

   To prevent possible security or privacy violations, a user agent
   rejects a cookie (shall not store its information) if any of the
   following is true:

   * The value for the Path attribute is not a prefix of the request-
     URI.

   * The value for the Domain attribute contains no embedded dots or
     does not start with a dot.
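
The Domain rule quoted above, next to the later RFC 6265 handling, as an added JavaScript example that is not part of the original question or answer and goes beyond the quoted text: it shows which `Domain` values let a cookie set by example.com reach forum.example.com. The `Set-Cookie` values are constructed samples, the function names are illustrative, and the RFC 6265 public-suffix and IP-address checks are left out.

```javascript
// Added example. Set-Cookie values and host names are constructed samples.

// Return the Domain attribute of a Set-Cookie value, lowercased (null if absent).
function domainAttr(setCookie) {
  let found = null;
  for (const av of setCookie.split(";").slice(1)) {
    const [name, ...rest] = av.split("=");
    if (name.trim().toLowerCase() === "domain") {
      found = rest.join("=").trim().toLowerCase(); // last Domain attribute wins
    }
  }
  return found;
}

// RFC 2109 section 4.3.2, Domain rule quoted above: reject an explicit Domain
// that does not start with a dot or has no embedded dot.
function rfc2109Rejects(setCookie) {
  const d = domainAttr(setCookie);
  if (d === null) return false; // the rule only covers an explicit Domain
  return !d.startsWith(".") || !d.slice(1, -1).includes(".");
}

// RFC 6265 section 5.1.3 domain matching (host names only, no IP addresses).
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// RFC 6265 sections 5.2.3 and 5.3: scope stored for a cookie set by requestHost.
// Returns null when the cookie is ignored. Public-suffix check omitted.
function rfc6265Scope(requestHost, setCookie) {
  const host = requestHost.toLowerCase();
  let d = domainAttr(setCookie);
  if (d === null || d === "") return { hostOnly: true, domain: host };
  if (d.startsWith(".")) d = d.slice(1); // a leading dot is stripped
  if (!domainMatches(host, d)) return null; // setter is outside that domain
  return { hostOnly: false, domain: d };
}

// RFC 6265 section 5.4: is the stored cookie attached to a request for host?
function isSentTo(host, scope) {
  if (scope === null) return false;
  return scope.hostOnly ? host === scope.domain : domainMatches(host, scope.domain);
}

// Login on example.com, then a request to forum.example.com.
for (const sc of ["auth=abc; Path=/", "auth=abc; Domain=example.com; Path=/",
                  "auth=abc; Domain=.example.com; Path=/"]) {
  console.log(sc, "| RFC 2109 rejects:", rfc2109Rejects(sc), "| RFC 6265 sends to forum:",
    isSentTo("forum.example.com", rfc6265Scope("example.com", sc)));
}
```

A cookie scoped to the whole domain is sent to every subdomain, so blog.example.com and forum.example.com each receive the authentication cookie and have to be trusted with it.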
