Sharing Session Cookie Across Two Named Domains?

Jan 19, 2011

I have a .net webapplication with the following domains:

www.domain.com
sub.domain.com
files.domain.com

When a user is logged on to domain.com or sub.domain.com, I'd like them to share session state (i.e. be logged into both domains at once). This is possible to do by setting the domain on the session coookie to be ".domain.com". However, my problem is that the domain "files.domain.com" should not have session state due to security issues (xss attacks from user-made files hosted on that domain is an issue).

Is it possible in ASP.NET to use the same asp.net session id for these two domains, but not the third one?

View 5 Replies


Similar Messages:

Subdomain - Sharing Session Data Between Domains In Asp

Jun 3, 2010

i want to maintain session data between two applications or domains [URL]. I have read on net about this, but many people pointing many different ways to do it, with people commenting +ve and -ve responses to all. Plus many are just providing theoretical answer, do this and that ,but no code at all. are these steps all that is required?

1) in web.config: <httpCookies domain=".[URL]"/>

2) store session data in sql DB as:(after preparing the db for storing sessions)

<sessionState mode="SQLServer" sqlConnectionString="Data Source=YourServer;
Integrated Security=True;database=MySessionDB" sqlCommandTimeout="30"
allowCustomSqlDatabase="true"/>
<machineKey decryption="AES" validation="SHA1" decryptionKey="..." validationKey="..." />

3)Am confused about this one: i want to set the domain for the session cookie like this

Response.Cookies["ASP.NET_SessionId"].Domain = ".[URL]";
But where should this code be written?
this entry: [URL]says: use System.Web.SessionState.SessionIDManager as a base class but the SaveSessionID method is not virtual so cannot be overridden. Options are: either explicitly re-implement the interface method or decorate SessionIDManager class and after calling SessionIDManager.SaveSessionID set Response.Cookies[SessionIdCookieName].Domain to our domain.

Only if the author had provided real code, step 3 would have been clear. Plus all this 3 steps enough to share session among the domains?

View 1 Replies

Setting Cookie Expiration With ASP Classic To Session Sharing Solution

Jun 25, 2010

I'm implementing the session sharing structure from this link for an ASP classic site to begin the gradual conversion process to ASP.NET. I'm trying to extend the cookie expiration time so that users do not get signed out of the site when the session expires. At the place where the cookie is created in SessionPage.cs I've added the line in the CreateNewSessionCookie() method: cookie.Expires = DateTime.Now.AddDays(14);

Now this works fine, however, it only works if the user first visits an ASP.NET page, and then visits the ASP classic pages. It doesn't work if visiting an ASP classic page first (looking at the cookie through firefox confirms that different expiration values are given based on if I visit an ASP or ASP.NET page first.) I'm still a bit fuzzy on the mechanics behind this implementation as I don't have a complete understanding of session and cookie handling. However, I would have thought that the VB6 SessionMgr object is calling the SessionUtility DLL, and thus is using the same code to issue the cookie. I have re-registered the SessionUtility using gacutil, and re-exposed it using regasm. How else is the cookie being issued when a user accesses an ASP classic page? How can I change the expiration time?

View 1 Replies

Sharing Authentication On Different Apps On Different Sub - Domains

Jan 19, 2011

I have 2 applications. One on asp.net webforms [URL] which should provide authentication, user logs in and I can use the cookie to authenticate on my asp.net mvc app located at [URL]. All I'd like to do is able to access the cookie so I can get the userId that was stored in it using the FormsAuthentication.

They use normal authentication provided by microsoft;

<authentication mode="Forms">
<forms domain="test.com" loginUrl="Default.aspx" protection="All" path="/" requireSSL="false" timeout="45" name=".ASPXAUTH" slidingExpiration="true" defaultUrl="Default.aspx" cookieless="UseDeviceProfile" enableCrossAppRedirects="false"/>
</authentication>

This cookie should be accessible to any submain on [URL] right?

View 2 Replies

Sharing Cookies Across Different Domains And Different Applications?

Jan 24, 2011

Is there a way to share cookies across different domains and different applications (classic ASP and ASP.NET)

View 4 Replies

Security :: How To Implement Form Authentication Using Cookie Shared By Mulitple Domains

Feb 18, 2011

My requirement is multiple domains (not subdomains) share cookie of form authentication

how to implement same?

View 2 Replies

State Management :: Sharing Cookie Between Two Webapps On Localhost?

May 17, 2010

If I want to share cookies among applications, applications need to be in the same domain. In production it is no problem. But I have problem with development. If I run those applications in Visual Studio, it runs application in "localhost" and it is not same domain. I don`t see cookies among applications.

View 1 Replies

State Management :: Carrying Session ID Across Domains?

Dec 29, 2010

We use an agent to monitor user activity on our site. It manages a user session together by matching the asp.net session ID.

If we were to launch a separate checkout site on a new domain, would we be able to force carry the current Session ID from the standard non SSL site to the new session on the checkout site - this way our agent would match the session together, as we require?

View 4 Replies

State Management :: Session Gets Lost When Set Session Response.cookie

Jan 25, 2011

I need to make my asp.net session cookie as secure but whenever i check user authentication and after that i am trying to set cookie to true then my session lost my user information and so it always redirect login page. I am settings user to HttpContext.Current.Session["user"] and check every time, is user is valid and if valid then move ahead. but before that i make my asp.net session cookie as true.

[Code]....

but after that i observe that somehow "Session_Start" event gets called.

View 1 Replies

Security :: Persisting Session State Across Sub-domains (different Apps)

Jun 17, 2010

got [URL] - two separate apps in IIS.

Want the forms based auth to persist (they use the same database for membership)

I tried to simply add a "." before the domain name in the forms tags (see below for example) - but this didn't work - it acutally prevented me from logging in at all. how i can persist the login? Does the admin need the same values for "name", "path" and "domain" as the main site?

[code]....

View 1 Replies

Web Forms :: Preserve The Session Object While Redirecting Between Domains?

Oct 16, 2010

In my app. I redirect user from one domain to another and I need to preserve the session object while redirecting between domains.

I need to be able to read session key/value that is created under different domain, for example -

While in domain A.com:

create session variable - session("myASPString") = "Test string"

redirecting to domain B.com

While in domain B.com:

dim k as string = session("myASPString")

right now k = Nothing...

How can I preserve the session object between different domains ?

View 1 Replies

Mix Cookieless With Cookie Session Stored Session Data?

Mar 19, 2011

Is it possible to use mixed cookieless sessions with cookie sessions? I've an application that captured user details and then redirect for payment to an ssl page. I was wondering if this is possible? [URL] redirects to [URL] Note: the session Id in the latter url. So in essence, we use the standard cookie session for the majority of the application but when we transfer to an ssl page we pass the SessionId to the https url to pick up the session. I've tried this locally but it starts a new session.

View 1 Replies

How To Stop IE8 Session Sharing

May 2, 2010

I'd like to stop IE8 from sharing my sessions in one of two ways (or both if possible):

Through configuring the browser to always do this (so I can force my users to configure their browsers in this way). Through code in my web application.

View 1 Replies

Sharing Session Between Webservice And Application

Apr 23, 2010

I have an asp.net application and webservices (asmx) that reside in the same application but not in the same folder of the aspx files. I aslo have a winform application that uses the webservices. I have marked the webservice methods with [WebMethod(EnableSession = true)] but I am not able to share the same session values that are on the application in the webservices. The winform application has access to the sessionID from the application and I am using the following code

Uri uri = new Uri(ServerServiceUrl);
_cookieContainer = new CookieContainer();
_cookieContainer.Add(new Cookie("ASP.NET_SessionId", SessionID, "/", uri.Host));

My question is: Is there something that I am missing or doing wrong that I cannot access the application sessioin from the webservices?

View 2 Replies

State Management :: Session Sharing Between Two Websites?

Aug 13, 2010

I have a website A which has a link to website B which is currently opening in a different window. When clicked on a link to, the login for B is automatically taken care of as both the websites have same user login credentials.

Now a change in the system has made me embed website B into website A. ie., B will open in the same window of A.. I could achieve this using an IFrame. Now, the session from site A needs to be carried out to site B. Presently, when navigated from A to B, all the sessions on A expire. Once navigated to B the session time out of B from the webconfig is taken. I have used "InProc" as my state management option in web config. Is it possible to maintain single session for both the webistes? If not how to continue same session times for both webistes? I do not want to use "SQL server" state mode.

View 4 Replies

State Management :: Sharing Session Between Applications?

Oct 18, 2010

I would like to share the session variables between 2 applications. basically I have a website and in there I have 2 applications and want to share the session object betwen the two. Is there a way to set something in web.config to enable this?

View 2 Replies

State Management :: Sharing Session Information Across Sites?

Feb 3, 2011

After doing some research, I found that <sessionState> can be hosted in SQL Server allowing applications to read from the same source. Essentially my app has two sides: a WCF library and an ASP.NET MVC 3 web site, the WCF has authentication and other DB IO methods and the MVC does the display. Now, the MVC stores a value in the session and then the WCF reads it and creates another for the MVC to read later. Problem is, neither can read each others session data, they can write to the same repository but can't share.

How do I go about them sharing the same information? How can I tell <sessionState> that the session started on the MVC side is the same as the WCF side and viceversa? I've tried

View 6 Replies

How To Prevent Multiple Browser Windows From Sharing The Same Session?

Mar 25, 2010

I have ASP.net application that is basically a data entry screen for a physical inspection process. The users want to be able to have multiple browser windows open and enter data from multiple inspections concurrently. At first I was using cookie based sessions, and obviously this blew up.I switched to using cookie-less sessions, which stores the session in the URL and in testing this seemed to resolve the problem. Each browser window/tab had a different session ID, and data entered in one did not clobber data entered in the other.

However my users are more efficient at breaking things than I expected and it seems that they're still managing to get the same session between browsers sometimes. I think that they're copying/pasting the address from one tab to the other in order to open the application, but I haven't been able to verify this yet (they're at another location so I can't easily ask them).Other than telling them don't copy and paste, or convince them to only enter one at a time, how can I prevent this situation from occurring?

View 5 Replies

State Management :: Session Sharing With Virtual Folders

Jul 14, 2010

i have two solutions, 1. user management and 2. travel management. i publish the user management solution to [URL] and i publish the travel management to [URL] here i face the problem. the default home page would be [URL], its a windows authentication in page load, i capture the username, pass it to procedure which will fetch me his credentials on access. i store these in a session.

in the home page i have link to navigate to travel page, when i try to access the sessions in travel page, its empty. i tried printing the session id in both user management and travel, both are same but the sessions created in user management are empty in travel. what would be problem here and how can i resolve this.

View 2 Replies

Sharing Session Variables From Http And Https Versio?

Mar 22, 2010

I am trying to fix an ASP.NET site that a friend had botched converting from older technologies. To the user, the site appears to have public and secured sections. Behind the scenes, the public and private sites are separate web applications with separate app pools. The difficulty arises because it appears that the applications share the same session IDs (when going from the public to the secured pages, the session ID remains the same), yet none of the (InProc) session variables are getting passed from the public site to the private one. Basically, the workflow consists of the user checking a checkbox ("I agree" type of stuff) on the public site (let's call that page http://www.boring.gov/iAgree.aspx), then logging in on the secured site (let's call that page https://www.boring.gov/login.aspx). The commandments from the parent agency in DC are that the user may not bookmark the login page, the user has to click "I agree" every time they log in, and that the "I agree" stuff has to be on a separate page. What am I missing? How would you do it? Notes:dows 2003 server.2 - Yes, it is a government agency.3 - I would have done things very differently if I was doing the conversion, but I wasn't brought in until the poop hit the fan, and it is too late to redo things.4 - Two previous SO threads that appear to be related, yet don't apply are this and that

View 4 Replies

State Management :: How To Disable Session Sharing Among Different Applications With Same Domain

Jul 14, 2010

I have 2 applications App1 and App2 on same domain, both with Forms authentication, each using a different database instance for authentication.

First, I open a browser with application www.mydomain.com/App1 and log on.

After that, when I open another instance of the same browser with application www.mydomain.com/App2 and log on, first browser loses session and goes back to login page.

I need each application on same domain to have its own session so that both can stay logged on.

View 2 Replies

State Management :: Sharing The Session Variables Between Two .net Applications Using SQL Server Mode?

Sep 18, 2010

I have two different IIS applications within the same domain(let us say www.mydomain.com) , both of these applications use the same database instance(same connectionstring), now what I want is that both of applications can see each sessions variables , can SQL Server session state mode helps in this case? Did someone try that before? Is there any other way to share the session variables?

View 3 Replies

Web Forms :: Prevent Multiple Browser Windows Or Tabs From Sharing Same Session

Mar 6, 2013

Preventing user to open duplicate web application,while it is running .....

View 1 Replies

MVC :: How To Use Session And Cookie

Sep 27, 2010

in asp.net mvc, how to use session and cookie ?

I am trying to understand how a login session stored and implemented.

View 1 Replies

Set Cookie To Expire At End Of Session?

Sep 17, 2010

I'm surprised i couldnt find any answers.

How do i set my sessionid in my cookie to expire at the end of session? (when the browser closes or the user has been inactive for a period of tie).

The two solutions i found were

(httpcookie).Expires = HttpContext.Current.Session.Timeout

Which gave me a compile error so i dont know if the user checked his code before posting. And the other was to set the expire date to 1 day ago which my gut says is wrong. How do i do this?

View 2 Replies







Copyrights 2005-15 www.BigResource.com, All rights reserved