Tags: asp.net, internet-explorer, cookies, asp.net-session

ASP.Net_SessionId cookie across subdomains using IE11


I have two ASP.NET websites: new.somecompany.com and legacy.somecompany.com.

"New" is an intranet application that uses Windows Authentication. "Legacy" is both internet and intranet; it uses Forms Authentication.

From within the "New" website, my boss would like to be able to click on a link and open up a browser window to an already logged in webpage on the "Legacy" site. (He wants this done without changes to the legacy site.)

I have a solution that works with both Chrome (version 39.0.2171.95 m) and Firefox (version 33.1.1), but not with Internet Explorer (version 11.0.9600.17501). At a high level, the solution is:

  1. A controller on "new" uses an HttpWebRequest to login to "legacy" using stored credentials.
  2. The controller gets the "ASP.Net_SessionId" cookie from the "legacy" response and uses it to set "ASP.Net_SessionId" cookie for domain ".somecompany.com" in the browser.
  3. From the browser, go to https://legacy.somecompany.com/somepage.aspx.

With Chrome and Firefox, the https://legacy.somecompany.com/somepage.aspx is displayed as appropriate for the stored credentials that were used to login. With IE 11, the login page is displayed.

I used Microsoft's Message Analyzer tool to see what is being passed back and forth. With Chrome, I see the ASP.Net_SessionId cookie being sent in the HTTP request for somepage.aspx. With IE 11, the cookie is not being sent and I get a redirect to the login page as a response.

Is there anything that I can do to get this to work in IE 11?
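The three steps above, written out as an added ASP.NET MVC example (this is not the poster's code). The controller name, the legacy login URL and form field names, and the appSettings keys holding the stored credentials are all assumptions; a real WebForms login page may also require __VIEWSTATE and __EVENTVALIDATION fields, which this example omits.

```csharp
using System;
using System.Configuration;
using System.IO;
using System.Net;
using System.Text;
using System.Web;
using System.Web.Mvc;

// Added example, not the poster's code. Assumed names: LegacySsoController,
// LegacyLoginUrl, the legacy form field names, and the appSettings keys
// "LegacyUser" / "LegacyPassword" holding the stored credentials.
public class LegacySsoController : Controller
{
    private const string LegacyLoginUrl = "https://legacy.somecompany.com/login.aspx"; // assumption
    private const string LegacyTargetUrl = "https://legacy.somecompany.com/somepage.aspx";
    private const string SessionCookieName = "ASP.Net_SessionId";
    private const string SharedCookieDomain = ".somecompany.com";

    public ActionResult OpenLegacy()
    {
        // Step 1: log in to "legacy" server-side with the stored credentials.
        var jar = new CookieContainer();
        string sessionId = LoginToLegacy(jar);
        if (sessionId == null)
            return new HttpStatusCodeResult(502, "Legacy login did not return a session cookie");

        // Step 2: hand the legacy session id to the browser, scoped to the parent
        // domain so that both new.* and legacy.* hosts receive it.
        var cookie = new HttpCookie(SessionCookieName, sessionId)
        {
            Domain = SharedCookieDomain,
            Path = "/",
            Secure = true,    // both sites are served over HTTPS
            HttpOnly = true   // keep script on either host from reading it
        };
        Response.Cookies.Add(cookie);

        // Step 3: send the browser to the legacy page; the request now carries the cookie.
        return Redirect(LegacyTargetUrl);
    }

    // Posts the stored credentials to the legacy login form and returns the
    // ASP.Net_SessionId value that legacy set, or null if none was set.
    private static string LoginToLegacy(CookieContainer jar)
    {
        // Assumption: the legacy form takes plain "username" and "password" fields.
        string form = "username=" + Uri.EscapeDataString(ConfigurationManager.AppSettings["LegacyUser"])
                    + "&password=" + Uri.EscapeDataString(ConfigurationManager.AppSettings["LegacyPassword"]);
        byte[] payload = Encoding.UTF8.GetBytes(form);

        var request = (HttpWebRequest)WebRequest.Create(LegacyLoginUrl);
        request.Method = "POST";
        request.ContentType = "application/x-www-form-urlencoded";
        request.ContentLength = payload.Length;
        request.CookieContainer = jar;       // collects Set-Cookie headers from legacy
        request.AllowAutoRedirect = false;   // the post-login 302 is enough; no need to follow it
        using (Stream body = request.GetRequestStream())
            body.Write(payload, 0, payload.Length);

        using (var response = (HttpWebResponse)request.GetResponse())
        {
            // With AllowAutoRedirect off, a 302 does not throw; the cookies are in the jar either way.
            Cookie session = jar.GetCookies(new Uri(LegacyLoginUrl))[SessionCookieName];
            return session == null ? null : session.Value;
        }
    }
}
```

Two things worth checking before relying on this. Because the cookie is set for ".somecompany.com", every host under that domain receives the legacy session id, so the Secure and HttpOnly flags matter more than they would on a host-scoped cookie. And because the login uses one set of stored credentials, every "new" user who clicks the link shares the same legacy session, so legacy's own logs will attribute all of their activity to that one stored identity.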


Solution

  • This blog gave me the answer. In particular, this paragraph:

    Problem #3 occurs on Windows Vista and above, when you have configured one subdomain to run outside of Protected Mode (e.g. put it in the Trusted Zone) and another related subdomain to run inside of Protected Mode (e.g. left it in the Internet Zone). This isn’t terribly common, but might occur if you, for instance, put login.live.com in the Trusted Zone but didn’t put mail.live.com in the Trusted Zone. The root cause of this obscure problem is that Protected Mode and non-Protected Mode do not share cookies, and hence a cookie set by a site outside of Protected Mode will not be visible to a site running inside Protected Mode, and vice versa.

    In my case, "new.somecompany.com" was in the local intranet zone in IE's settings, but "legacy.somecompany.com" was not. After adding "legacy.somecompany.com" to the intranet zone, my code worked in IE 11.