
Sharing session cookie across two named domains

I have a .net webapplication with the following domains: www.domain.com sub.domain.com files.domain.com

When a user is logged on to domain.com or sub.domain.com, I'd like them to share session state (i.e. be logged into both domains at once). This is possible to do by setting the domain on the session cookie to be ".domain.com". However, my problem is that the domain "files.domain.com" should not have session state due to security issues (XSS attacks from user-made files hosted on that domain are an issue).

Is it possible in ASP.NET to use the same asp.net session id for these two domains, but not the third one?

Thanks in advance!


Here are a couple of options that come to mind:

#1 - Post your login request to both applications via a client side script. This will enable you to set cookies for both valid domains at the same time. This enables you to avoid the XSS issue that you are concerned about by creating cookies for the specific domains that you want to have your users authenticated on.

#2 - Move your "unsecure" site to a different domain. For example: www.domain-files.com. With that option you could use a shared cookie to manage authentication.


Don't confuse session cookies and forms authentication cookies. ASP.NET Session cannot be shared between applications. As far as the forms authentication cookie is concerned, well it is just a simple cookie and the way cookies work is by setting the domain property.

One way I can think of to achieve this is to define special machineKeys in web.config for the two applications. This way, users that authenticated on www.domain.com will be emitted a cookie which is encrypted with the machineKeys of www.domain.com, and because only sub.domain.com has the same keys, only it will be able to decrypt the cookie. The cookie will still be sent to files.domain.com, but that site won't be able to decrypt it and users won't be authenticated there.
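The shared-machineKey setup described in this answer, as an added configuration example (not code from the original answers). It assumes the three hostnames from the question and uses placeholder key values; the real validationKey and decryptionKey must be generated (for example with the Machine Key feature in IIS Manager) and be byte-for-byte identical in the two applications that should trust each other's tickets.

```xml
<!-- web.config for www.domain.com AND sub.domain.com (identical in both apps).
     Added example; key values are placeholders, not real keys. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- domain=".domain.com" makes the browser send the ticket to every host under
           domain.com, files.domain.com included. name, path and protection must
           match in both apps or the ticket will not be recognised. -->
      <forms name=".DOMAINAUTH"
             loginUrl="~/Login.aspx"
             domain=".domain.com"
             protection="All"
             requireSSL="true"
             timeout="30" />
    </authentication>

    <!-- Same validationKey/decryptionKey in both apps so each can validate and
         decrypt a ticket issued by the other. If the apps run on different .NET
         versions, also set compatibilityMode so the ticket formats match. -->
    <machineKey validationKey="PLACEHOLDER_REPLACE_WITH_128_HEX_CHARS"
                decryptionKey="PLACEHOLDER_REPLACE_WITH_64_HEX_CHARS"
                validation="HMACSHA256"
                decryption="AES" />

    <!-- HttpOnly keeps document.cookie on files.domain.com from reading the ticket;
         requireSSL keeps it off plain-HTTP requests to any host under domain.com. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>

<!-- web.config for files.domain.com: no forms authentication and no shared keys.
     The .DOMAINAUTH cookie still arrives with every request, but nothing here can
     validate it, so every request on this host is treated as anonymous. -->
<configuration>
  <system.web>
    <authentication mode="None" />
    <!-- Either omit machineKey (ASP.NET auto-generates one) or give this app its
         own, different keys. Never copy the keys from the two trusted apps. -->
  </system.web>
</configuration>
```

One caveat worth keeping in mind: this stops files.domain.com from authenticating the user, not from misusing the browser. The ticket is still sent to files.domain.com, so script injected there cannot read it (HttpOnly) but can still make credentialed requests to www.domain.com in the victim's session, which is exactly the same-site XSS problem the question is trying to avoid. Moving the user-content host to a separate registrable domain, as the other answers suggest, is the only option here that keeps the cookie away from that host entirely.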


To my mind the question is why can people upload files that may contain XSS attacks? If they can do this, they may find ways of causing other problems.

The most likely candidate is to have, on your login page, a JavaScript function that sends the credentials to the other server. So when someone logs in to one domain, the JavaScript function logs them in to the other domain at the same time.

I agree with joe.liedtke who says move files.domain.com to another domain and avoid the issue altogether.


Try this: Sharing asp.net authentication on different apps on different sub-domains

As mentioned below, only applications with matching machine keys will be able to authenticate with each other. So, assuming files.domain.com is given a different machine key, it will be unable to decrypt the session cookie, and therefore have no rights on the other domains.


Maybe, it would accomplish your task to store a Guid value in the cookie directly using Response.Cookies, then query your database based on that value to get shared authentication information.
