Programmatically set cookie domain per user in ASP.NET MVC

C

Coamfoumn

New Member
I have an ASP.NET MVC web app that needs to be able to set the auth cookie's domain per user, rather than setting it in the web.config for the entire web application.Here is what I currently have set:\[code\]<httpCookies domain=".mydomain.com" />\[/code\]Scenario 1When a user first comes to the site, they are on www.mydomain.com. If they login to the main section of our site, they will stay on www.mydomain.com, the login will call:\[code\]FormsAuthentication.SetAuthCookie(user.Id + "|" + user.EmailAddress + "|" + user.Role.ToString() , true);\[/code\]...and the cookie will be set correctly, as www.mydomain.com matches the cookie domain of .mydomain.com, all is well.Scenario 2The user can also register for their own section of our site, which would be companyname.mydomain.com. Under this scenario, if they login from either www.mydomain.com or companyname.mydomain.com, the cookie will be set fine, as again, it matches the cookie domain of .mydomain.com.Scenario 3 (The problem)However, the user has the option to point their own domain name to our site, and have it mirror what they would see if they went to companyname.mydomain.com. So let's say they register the domain companyname.com, point its A record to our server, and then specify on our site that they want to have their url be companyname.com instead of companyname.mydomain.com. They go to companyname.com, it shows the login page for their section of our site. Now they try to login, and of course, it doesn't work, as companyname.com doesn't match our cookie domain of .mydomain.com.Why don't we just not set the httpCookies domain in the web.config altogether? Because then if they're on www.mydomain.com and try to login to companyname.mydomain.com, it will fail, as the cookie will be for www.mydomain.com.We need some way to say, hey this user's request is coming from a domain other than mydomain.com, set the domain for this user's FormsAuthentication cookie to their domain name rather than .mydomain.com.Any ideas??
 
You must log in or register to reply here.
Back
Top