Consider this scenario: you have 2 or more ASP.NET websites which use the same SQL database for their forms authentication. In the real-life example I am referring to, all these websites are hosted under different sub-domains, e.g. www.company.com.au, sales.company.com.au, etc. Normally users are asked to provide their login credentials (effectively the same credentials, as this is the same ASP.NET membership database) on each website separately.
This is fine in regular situations; however, it would be nice to ask the user to log in just once and then transparently reuse the same authentication cookie on every site (as long as it has not yet expired). There might also be cases when this is a requirement, for example when a user logged in to www.company.com.au should be redirected to sales.company.com.au.
Apparently there is an easy solution Microsoft provides for this purpose (I wish I had learned about it some years back!). All you need to do is make sure that the following criteria are met:
- In the forms tag, the name attribute should be the same across all your websites and the path attribute set to "/"
- In the machineKey tag, the encryption keys should be the same across all your websites
- The tricky point: in your forms tag, explicitly specify the domain name for your authentication cookie, like domain=".company.com.au"
The points above should be checked in web.config files of all your websites. And that’s it, done. Enjoy.
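The three criteria above as one web.config fragment, added here as an example rather than taken from the original post; the cookie name ".COMPANYAUTH", the login URL and the key placeholders are assumptions, and the same fragment is deployed unchanged to every sub-domain site.

```xml
<!-- web.config: identical <forms> and <machineKey> settings on every site,
     e.g. www.company.com.au and sales.company.com.au -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!--
        Before: each site used its own cookie name and no domain attribute, so the
        browser scoped the cookie to the exact host that issued it and the other
        site never saw it (hypothetical per-site setting):
        <forms name="SalesAuth" loginUrl="~/Account/Login" />
      -->
      <!-- After: criterion 1 (same name, path="/") and criterion 3 (explicit
           parent domain). The leading dot makes the browser send the cookie
           to every host under company.com.au, so every such host must be one
           you control; requireSSL keeps the shared ticket off plain HTTP. -->
      <forms name=".COMPANYAUTH"
             loginUrl="~/Account/Login"
             path="/"
             domain=".company.com.au"
             timeout="30"
             slidingExpiration="true"
             protection="All"
             requireSSL="true" />
    </authentication>

    <!-- Criterion 2: identical keys on every site so each can decrypt and
         validate tickets issued by the others. The values are placeholders:
         generate real ones (e.g. the IIS Manager "Machine Key" feature) and
         treat them as a shared secret, because a key leaked from any one site
         lets its holder mint tickets valid on all of them. AutoGenerate cannot
         be used here, since each server would derive a different key. -->
    <machineKey validationKey="PLACEHOLDER_128_HEX_CHARS"
                decryptionKey="PLACEHOLDER_64_HEX_CHARS"
                validation="HMACSHA256"
                decryption="AES" />
  </system.web>
</configuration>
```

If the sites run on different ASP.NET framework versions, the ticket format differs between them and the machineKey compatibilityMode attribute must also be set to the same value on every site for the shared cookie to be accepted.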