I am using the default ASP.NET authentication solution. Now I have subdomains on my server (e.g. example.com, blog.example.com, forum.example.com...). The login occurs on example.com, and gives out an authentication cookie. But when I go to forum.example.com I am redirected to login. Is there a configuration setting to make the login work for *.example.com?
It's worth noting that the cookies are issued as "example.com" for the domain. So I changed it to ".example.com" based on some reading, and now sub-domain authentication works. Anyone able to explain?
According to RFC 2109, if you do not prefix a dot on the domain, it is invalid and the cookie should be rejected. From RFC 2109:

Domain=domain
Optional. The Domain attribute specifies the domain for which the cookie is valid. An explicitly specified domain must always start with a dot.

4.3.2 Rejecting Cookies

To prevent possible security or privacy violations, a user agent rejects a cookie (shall not store its information) if any of the following is true:

* The value for the Path attribute is not a prefix of the request-URI.
* The value for the Domain attribute contains no embedded dots or does not start with a dot.
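As an added example (not code from the original question or answer), the following JavaScript models how a user agent decides whether to send a cookie to a given host. It implements the domain-matching rules of RFC 6265 section 5.1.3, which is what current browsers follow: a leading dot on the Domain attribute is optional and is stripped, so `Domain=example.com` and `Domain=.example.com` behave the same, while a cookie with no Domain attribute at all is "host-only" and is sent to the exact issuing host only. The hostnames and the `.ASPXAUTH` Set-Cookie headers are constructed for the demonstration, and the function names are my own.

```javascript
// Added example: cookie domain matching as a user agent performs it.
// Based on RFC 6265 sections 5.1.3 (domain-match), 5.2.3 (parsing the
// Domain attribute) and 5.3/5.4 (storing and sending cookies). RFC 2109's
// dotted form (Domain=.example.com) is accepted; the dot is stripped.

function canonicalHost(host) {
  return host.trim().toLowerCase();
}

// RFC 6265 5.1.3: `requestHost` domain-matches `cookieDomain` if they are
// identical, or requestHost ends with cookieDomain, the preceding character
// is '.', and requestHost is not an IP literal.
function domainMatches(requestHost, cookieDomain) {
  const s = canonicalHost(requestHost);
  const d = canonicalHost(cookieDomain);
  if (s === d) return true;
  if (!s.endsWith(d)) return false;
  if (s.charAt(s.length - d.length - 1) !== '.') return false;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(s)) return false; // no suffix match on IPv4
  return true;
}

// Minimal Set-Cookie parser: name/value plus the Domain attribute.
// domain === null means no Domain attribute was sent (a host-only cookie).
function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim());
  const eqName = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eqName),
    value: parts[0].slice(eqName + 1),
    domain: null,
  };
  for (const attr of parts.slice(1)) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    const val = eq === -1 ? '' : attr.slice(eq + 1).trim();
    if (key === 'domain' && val) {
      let d = val.toLowerCase();
      if (d.startsWith('.')) d = d.slice(1); // RFC 6265 5.2.3: drop leading dot
      cookie.domain = d;
    }
  }
  return cookie;
}

// Would a user agent that received `header` in a response from `setHost`
// include the cookie in a later request to `requestHost`?
function cookieSentTo(header, setHost, requestHost) {
  const c = parseSetCookie(header);
  const origin = canonicalHost(setHost);
  if (c.domain === null) {
    // Host-only cookie (the "issued as example.com" case): exact host only.
    return canonicalHost(requestHost) === origin;
  }
  // RFC 6265 5.3 step 6: the issuing host must itself domain-match the
  // attribute, otherwise the cookie is ignored (example.com cannot set a
  // cookie for evil.com).
  if (!domainMatches(origin, c.domain)) return false;
  return domainMatches(requestHost, c.domain);
}

// Which of `candidateHosts` receive the cookie.
function hostsReceiving(header, setHost, candidateHosts) {
  return candidateHosts.filter(h => cookieSentTo(header, setHost, h));
}

// Stand-alone demo of the situation in the question (constructed data).
const DEMO_HOSTS = ['example.com', 'blog.example.com', 'forum.example.com', 'notexample.com'];
for (const hdr of ['.ASPXAUTH=ticket; Path=/; HttpOnly',
                   '.ASPXAUTH=ticket; Domain=.example.com; Path=/; HttpOnly']) {
  console.log(JSON.stringify(hdr), '->', hostsReceiving(hdr, 'example.com', DEMO_HOSTS).join(', '));
}
```

The first header in the demo reproduces the original problem: without a Domain attribute the ticket stays host-only and forum.example.com never sees it. In ASP.NET forms authentication the attribute is set in web.config with `domain=".example.com"` on the `<forms>` element inside `<authentication>`; every application on the subdomains must also use the same forms cookie name and the same `<machineKey>` validationKey and decryptionKey, or it cannot decrypt the ticket and will redirect to login exactly as before. Widening the cookie to the whole domain also means any subdomain, including one that is later compromised, receives the authentication ticket on every request, so keep `HttpOnly` and `requireSSL` on and treat every subdomain as part of the login trust boundary.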