I have a website which runs under two different subdomains, let's call them

foo.mydomain.com and bar.mydomain.com

I'd like to have users share their login session between these two domains. That's why I set this in web.xml

<authentication mode="Forms">
    <forms timeout="50000000" loginUrl="~/Login/Login.aspx?redirect=true" domain="mydomain.com"/>
</authentication>

Basically this works well, but with one exception: IE with Protected Mode on. In this case the logout does not work anymore. With Protected Mode off everything works normally.

IIS 7 / ASP.NET 3.5

Cœur
hugri

2 Answers

I think I found the answer by myself, the problem was the following:

Users who were logged in before I set the domain property had a cookie .ASPXAUTH for the domain

www.mydomain.com

Now, when a user came with this cookie, ASP.NET didn't recognize him as logged in, but after login he had two .ASPXAUTH cookies set: one for www.mydomain.com and one (the new one) for .mydomain.com. This may confuse ASP.NET, and the user does not get logged in correctly.

My solution was to manually delete the old cookie. As this cookie is set as HTTP-only, that's not possible using JavaScript, but I managed it by sending an expired cookie (expiry date set to yesterday) with the same name .ASPXAUTH and the same domain as the old cookie. I achieved the latter by just leaving the domain property empty (the cookie then automatically receives the current domain, which is www.mydomain.com).

A bit of a lengthy story, but that's pretty much how it looks to me.

hugri

An interesting thing is that if you have more than one .ASPXAUTH cookie (on the same domain, that is), you will not be able to see them in Request.Cookies, but the framework is somehow aware of the cookie and will use the first it finds, so order is also important. The solution regarding overriding the cookie only works if the cookie has an expiry date; that is my experience.
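
The cleanup described in the first answer, sketched in C# as an added example (not code from either poster). The class and method names are hypothetical; it assumes the `<forms domain="mydomain.com">` setting from the question and that the stale cookie was issued host-only by the site the request arrives on.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper, added for illustration.
public static class LegacyAuthCookie
{
    // Queues a Set-Cookie header that expires the old host-only forms cookie.
    // Domain is deliberately left unset: a cookie sent without a Domain
    // attribute is scoped to the exact host that issued it (www.mydomain.com
    // in the answer), so this header matches only the stale cookie and leaves
    // the new one scoped to .mydomain.com untouched.
    public static void ExpireHostOnlyCookie(HttpResponse response)
    {
        HttpCookie tombstone =
            new HttpCookie(FormsAuthentication.FormsCookieName, string.Empty);

        // The browser replaces a cookie only when name, domain scope and path
        // all match the stored one, so reuse the configured forms cookie path.
        tombstone.Path = FormsAuthentication.FormsCookiePath;
        tombstone.HttpOnly = true;
        tombstone.Secure = FormsAuthentication.RequireSSL;
        tombstone.Expires = DateTime.Now.AddDays(-1); // "yesterday", as in the answer

        // Add (not Set) appends a second cookie with the same name instead of
        // replacing one already queued on this response.
        response.Cookies.Add(tombstone);
    }

    // Logout for the shared-domain setup: SignOut() expires the cookie for the
    // domain configured in <forms domain="...">, then the host-only leftover
    // is expired as well. The host-only tombstone is added after SignOut() so
    // that both Set-Cookie headers end up on the response.
    public static void SignOutEverywhere(HttpResponse response)
    {
        FormsAuthentication.SignOut();
        ExpireHostOnlyCookie(response);
    }
}
```

Calling `SignOutEverywhere(Response)` from the logout page covers both scopes; `ExpireHostOnlyCookie(Response)` can also run once on the login page so a returning user never ends up holding two `.ASPXAUTH` cookies.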