Sharing a session cookie through two domain names

I have a .NET web application with the following domains:
- www.domain.com
- sub.domain.com
- files.domain.com

When a user logs on to domain.com or sub.domain.com, I would like them to share session state (i.e., they are logged in to both domains at the same time). This can be done by setting the domain of the session cookie to ".domain.com". However, my problem is that the "files.domain.com" domain should not have session state due to security problems (XSS attacks from user files hosted on this domain are a problem).

Is it possible in ASP.NET to use the same ASP.NET session identifier for these two domains, but not the third?

Thanks in advance!

+3
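Added example, not from the question or any of the answers: a small Python model of the browser's cookie domain-matching rule (RFC 6265 section 5.1.3), applied to the three hosts in the question and to the separate domain proposed in option 2 of the first answer. It shows why a cookie with Domain=.domain.com reaches files.domain.com as well, while a host-only cookie (no Domain attribute) does not even reach sub.domain.com. The cookie jar is constructed; "ASP.NET_SessionId" is the default ASP.NET session cookie name, and nothing here is ASP.NET code.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    set_by: str            # host that issued the Set-Cookie header
    domain: Optional[str]  # Domain attribute; None means a host-only cookie


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the host equals the cookie domain or is a subdomain of it."""
    host = request_host.lower()
    dom = cookie_domain.lower().lstrip(".")  # a leading dot is ignored by current browsers
    return host == dom or host.endswith("." + dom)


def cookies_sent_to(request_host: str, jar: List[Cookie]) -> List[str]:
    """Names of the cookies in `jar` that a browser attaches to a request to `request_host`."""
    sent = []
    for c in jar:
        if c.domain is None:
            # host-only cookie: returned only to the exact host that set it
            if request_host.lower() == c.set_by.lower():
                sent.append(c.name)
        elif domain_matches(request_host, c.domain):
            sent.append(c.name)
    return sent


# Constructed cookie jar: the shared session cookie from the question, a host-only
# cookie for comparison, and a cookie from option 2's separate registrable domain.
JAR = [
    Cookie("ASP.NET_SessionId", set_by="www.domain.com", domain=".domain.com"),
    Cookie("www_only", set_by="www.domain.com", domain=None),
    Cookie("files_session", set_by="www.domain-files.com", domain=None),
]

HOSTS = ("www.domain.com", "sub.domain.com", "files.domain.com", "www.domain-files.com")


def report() -> dict:
    """Which cookies each host receives; files.domain.com gets the shared session cookie."""
    return {host: cookies_sent_to(host, JAR) for host in HOSTS}


if __name__ == "__main__":
    for host, names in report().items():
        print(f"{host:22} <- {names}")
```

The model makes the asker's dilemma concrete: the only Domain value that covers both www and sub is one that also covers files, which is why the answers reach for a different registrable domain or for a mechanism that limits who can validate the cookie rather than who receives it.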
5 answers

Here are a few options that come to mind:

1 - Submit your login request to both applications using client-side script. This will allow you to set cookies for both valid domains at the same time. This avoids the XSS problem that you are worried about by creating cookies only for the specific domains you want your users to authenticate to.

2 - Move your "insecure" site to another domain. For example: www.domain-files.com. With this option, you can use a common cookie to control authentication.

+3

cookie cookie . ASP.NET . cookie , cookie cookie, domain.

, , - machineKeys web.config . , , www.domain.com, , www.domain.com, sub.domain.com , cookie. cookie - files.domain.com, , .

+2

, , , XSS? , .

javascript, . , someoe , javascript .

joe.liedtke, , files.domain.com .

+1

: asp.net

As mentioned below, only applications with matching machine keys can authenticate with each other. Thus, if a different machine key is specified for the .domain.com file, it will not be able to decrypt the session cookie, and it gains no rights on the other domains.

0
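Added illustration, not the answer's code and not ASP.NET's real ticket format: a Python model of why a per-application validation key lets www.domain.com and sub.domain.com accept each other's authentication ticket while an application configured with a different key, as proposed for files.domain.com, rejects it. An HMAC-SHA256 signature over a small JSON payload stands in for ASP.NET's encrypted and MAC-protected forms-authentication ticket, and the key values are constructed. The browser still sends a cookie scoped to .domain.com to files.domain.com, so a separate key controls only which application can validate the ticket, not which host receives it; the cookie itself should still be marked HttpOnly and Secure.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

# Constructed keys: www and sub share one validation key, files gets its own.
SHARED_KEY = b"constructed-key-shared-by-www-and-sub"
FILES_KEY = b"constructed-key-for-files-only"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(validation_key: bytes, user: str) -> str:
    """Sign a ticket payload with the issuing application's validation key."""
    payload = json.dumps({"user": user}, separators=(",", ":")).encode()
    sig = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def validate_ticket(validation_key: bytes, ticket: str) -> Optional[str]:
    """Return the user name if the ticket verifies under this application's key, else None."""
    try:
        payload_b64, sig_b64 = ticket.split(".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    try:
        return json.loads(payload)["user"]
    except (ValueError, KeyError, TypeError):
        return None


def tampered(ticket: str, new_user: str) -> str:
    """Rewrite the payload but keep the original signature, as a forgery attempt would."""
    return _b64(json.dumps({"user": new_user}, separators=(",", ":")).encode()) + "." + ticket.split(".", 1)[1]


if __name__ == "__main__":
    ticket = issue_ticket(SHARED_KEY, "alice")       # issued by www.domain.com
    print("sub.domain.com   :", validate_ticket(SHARED_KEY, ticket))   # alice
    print("files.domain.com :", validate_ticket(FILES_KEY, ticket))    # None
    print("forged payload   :", validate_ticket(SHARED_KEY, tampered(ticket, "mallory")))  # None
```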

Perhaps this will accomplish your task: store a Guid value in a cookie directly using Response.Cookies, and then query your database based on that value in order to get the shared authentication information.

0

Source: https://habr.com/ru/post/1786353/
