Cross Domain Cookies With FormsAuthentication

Question

I know the security risk associated and have brought it up with the business, but they want to have their 5 domains to share the login cookie.

We are using and have

Answer 1

It is not possible with out of the box ASP.NET.

Forms based authentication is based on a cookie and cookies can only be set to a specific domain.

If you want true cross domain (not sub domains) shared authentication, you need a Single Sign On solution.

I've rolled my own and it's relatively simple. The basic principle is that you have a master domain which holds your authentication cookie (ticket). You then redirect to that domain from all other domains. It's not really pretty, but event Microsoft Passport worked that way.

You can find a lot of examples on the net, take a look at these two links:

Authentication cookies

Cross domain authentication