FormsAuthentication.SetAuthCookie not setting Path or Domain?

無奈伤痛 2021-01-12 12:10

I have a web app that can be installed on lots of domains and paths.

So:

  • client1Name.{mySite.com}
  • client2Name.{mySite.com}
  • <
2 answers
  •  清歌不尽
    2021-01-12 12:41

    I've had to do a lot of digging, but it looks like the reason FormsAuthentication.SetAuthCookie doesn't support this is because it shouldn't - IIS should never set paths on authentication cookies, and here's why...

    Cookie paths are case-sensitive, so:

    • http://site/path
    • http://site/PATH

    Are 2 different cookies for the browser - none of them (IE, FX, Safari, Opera or Chrome) will send /PATH's cookie to /path or vice versa.

    IIS is case-insensitive, but will always reset the URL to the ASP application name's case.

    This means that if the IIS application is called "PATH" and the user goes to http://site/path then they will be redirected to log-on at http://site/PATH/LogOn?ReturnUrl=/path by IIS/ASP.Net

    After a successful log-on the user gets redirected back to the ReturnUrl specified, so:

    1. User goes to http://site/path
    2. Gets sent to http://site/PATH/LogOn?ReturnUrl=/path by IIS
    3. Enters log-on details and submits
    4. Response sets the cookie to /PATH and the location to /path (as defined by ReturnUrl)
    5. Redirected back to http://site/path
    6. Browser doesn't recognise /path, it only has a cookie for /PATH and so sends nothing!
    7. No cookie sent to application, so it serves a redirect back to http://site/PATH/LogOn?ReturnUrl=/path
    8. Go to step 2 and repeat.

    This creates a problem for users: if they have http://site/path as the URL for the application, they will never appear to be able to log on.

    Further to this, if they're already logged on to http://site/PATH and get sent a URL, say an email to http://site/path/resource/id, they will get asked to log on all over again and won't be able to get to the new path.

    This means that unless you need /PATH and /path to be completely different sites (unlikely outside certain UNIX only environments) you should never set the path property on authentication cookies.
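The redirect loop described in the answer above can be reproduced offline with a small model of browser cookie path matching. The following is an added example, not code from the original post or from ASP.NET; it implements the case-sensitive path-match rule from RFC 6265 section 5.1.4, a toy cookie jar, and a simulation of the IIS log-on round trip. It assumes the default ASP.NET forms cookie name `.ASPXAUTH` and the `http://site` host from the answer; `simulate_logon_flow` and `CookieJar` are names chosen here for illustration.

```python
"""Model of RFC 6265 cookie path matching, used to show why a forms-auth
cookie scoped to /PATH is never sent with requests to /path (added example)."""
from urllib.parse import urlsplit


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match. The comparison is case-sensitive,
    which is the root of the problem discussed in the answer."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # cookie path "/" (or any path ending in "/") is a prefix of everything below it
        if cookie_path.endswith("/"):
            return True
        # "/PATH" matches "/PATH/x" but not "/PATHOLOGY"
        if request_path[len(cookie_path)] == "/":
            return True
    return False


class CookieJar:
    """Minimal browser-side jar: stores (name, value, path) and applies path-match."""

    def __init__(self) -> None:
        self.cookies: list[tuple[str, str, str]] = []

    def set_cookie(self, name: str, value: str, path: str) -> None:
        self.cookies.append((name, value, path))

    def cookies_for(self, url: str) -> dict[str, str]:
        request_path = urlsplit(url).path or "/"
        return {n: v for n, v, p in self.cookies if path_matches(request_path, p)}


def simulate_logon_flow(app_name: str, request_path: str, cookie_path: str,
                        max_hops: int = 5) -> tuple[list[str], bool]:
    """Replay the numbered steps from the answer.

    app_name     - the IIS application name in its configured case (e.g. "PATH")
    request_path - what the user actually typed (e.g. "/path")
    cookie_path  - the Path attribute the server puts on the auth cookie
    Returns (trace, logged_in). logged_in is False when the flow never
    converges, i.e. the browser keeps being bounced to LogOn.
    """
    jar = CookieJar()
    trace: list[str] = []
    for _ in range(max_hops):
        sent = jar.cookies_for("http://site" + request_path)
        if ".ASPXAUTH" in sent:
            trace.append(f"GET {request_path} -> 200 (auth cookie sent)")
            return trace, True
        # IIS rewrites the URL to the application name's case when redirecting
        logon = f"/{app_name}/LogOn?ReturnUrl={request_path}"
        trace.append(f"GET {request_path} -> 302 {logon}")
        # User submits credentials; server sets the cookie and redirects to ReturnUrl
        jar.set_cookie(".ASPXAUTH", "ticket", cookie_path)
        trace.append(f"POST {logon} -> Set-Cookie path={cookie_path}; 302 {request_path}")
    trace.append("redirect loop: auth cookie never matches the requested path")
    return trace, False


if __name__ == "__main__":
    for cp in ("/PATH", "/"):
        steps, ok = simulate_logon_flow("PATH", "/path", cp)
        print(f"cookie path {cp!r}: logged in = {ok}")
        for line in steps:
            print("  " + line)
```

Running the block prints the bouncing sequence for `cookie_path="/PATH"` and a three-step success for `cookie_path="/"`, which is the answer's point: with the path left at the default `/`, the cookie's scope does not depend on which case the user typed.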
