asp.net - Proper creation of a cross-domain forms authentication cookie

Question

I'm just creating a simple test between two server. Basically if a user has already authenticated I want to be able to pass them between applications. I changed the keys to hide them

I have three questions:

1. What is the proper way to validate the cookie across domain application. For example, when the user lands at successpage.aspx what should I be checking for?
2. Is the below code valid for creating a cross domain authentication cookie?
3. Do I have my web.config setup properly?

My code:

if (authenticated == true)
{
  //FormsAuthentication.SetAuthCookie(userName, false);
  bool IsPersistent = true;
  DateTime expirationDate = new DateTime();
  if (IsPersistent)
    expirationDate = DateTime.Now.AddYears(1);
  else
    expirationDate = DateTime.Now.AddMinutes(300); 

  FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
      1,
      userAuthName,
      DateTime.Now,
      expirationDate,
      IsPersistent,
      userAuthName,
      FormsAuthentication.FormsCookiePath);

  string eth = FormsAuthentication.Encrypt(ticket);
  HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, eth);
  if (IsPersistent)
    cookie.Expires = ticket.Expiration;

  cookie.Domain = ".myDomain.com";
  Response.SetCookie(cookie);
  Response.Cookies.Add(cookie);

  Response.Redirect("successpage.aspx");
}

My config:

<authentication mode="Forms">
  <forms loginUrl="~/Default.aspx" timeout="2880" name=".AUTHCOOKIE" domain="myDomain.com" cookieless="UseCookies" enableCrossAppRedirects="true"/>
</authentication>
<customErrors mode="Off" defaultRedirect="failure.aspx" />
<machineKey decryptionKey="@" validationKey="*" validation="SHA1"  decryption="AES"/>

Answer 1

What is the proper way to validate the cookie across domain application. For example, when the user lands at successpage.aspx what should I be checking for ?

There shouldn't be anything to check. Forms authentication mechanism will retrieve the ticket from the cookie, check if it is valid. If not present, or invalid, user will redirected to ~/Default.aspx . This will work provided your cookie matches the configuration of your web.config

Is the below code valid for creating a cross domain authentication cookie ?

I think you shouldn't try to override the settings of your web.config by manually handling the cookie. I think there are better ways for handling cookie persistence (see below for web.config) and you are just implementing a part of the Forms authentication API (loosing web.config for SSL for example )

1. here, your manual cookie is not HttpOnly : you could for example be subject to cookie theft through XSS
2. FormsAuthentication has its own way of handling the cookie (see the TimeOut attribute description in http://msdn.microsoft.com/en-us/library/1d3t3c61%28v=vs.80%29.aspx) Your cookie persistence mechanism will be overwritten by this automatic behavior

Your code should just be :

if (authenticated)
{  
  bool isPersistent = whateverIwant;
  FormsAuthentication.SetAuthCookie(userName, isPersistent );
  Response.Redirect("successpage.aspx");
}

Do I have my web.config setup properly?

It should be ok for the domain attribute, as long as you want to share authentication among direct subdomains of mydomain.com (it won't work for x.y.mydomain.com), and mydomain.com is not in the public suffix list ( http://publicsuffix.org/list/ )

I would change the timeout and slidingExpiration attributes to :

 <forms loginUrl="~/Default.aspx" timeout="525600" slidingExpiration="false" name=".AUTHCOOKIE" domain="myDomain.com" cookieless="UseCookies" enableCrossAppRedirects="true"/>

I guess it is a good way to handle the choice between one year persistent cookies and session cookies. See https://stackoverflow.com/a/3748723/1236044 for more info