
ASP.NET Identity 2 - logout not working when sign in on foo.com and logout on username.foo.com
I'm working on a multi-tenant web application, primarily using .NET Framework 4.6 (MVC and ASP.NET Identity 2.0). Here's my implementation:

The user visits foo.com to log in. I am using the following code in foo.com's Startup.Auth.cs:

var cookieOptions = new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/account/login"),
    CookieDomain = ".foo.com"
};
app.UseCookieAuthentication(cookieOptions);

And the exact same machine key on both applications (foo.com as well as username.foo.com); here's my sample machine key:

<machineKey validationKey="xx" decryptionKey="xx" validation="SHA1" decryption="AES" />

To log in I'm using the following code:

signInManager.SignIn(user, isPersistent: false, rememberBrowser: false);

My other application username.abc.com is multi-tenant, i.e. the username can be anything. I'm using the code below in username.abc.com Startup.Auth.cs:

var cookieOptions = new CookieAuthenticationOptions
{
    ReturnUrlParameter = "redirectto",
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/account/login")
};
app.UseCookieAuthentication(cookieOptions);

Notice I'm not setting a cookie domain, because it can be anything, or maybe the user has started using his own domain (let's consider the user is still using a foo.com subdomain).

With this code, the user is successfully logged in and redirected to his username.foo.com, but as soon as he clicks logout on username.foo.com, the page just reloads and nothing happens. Here's what I'm using in the logout action:

authenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
//authenticationManager.SignOut();

We have another option to log in and log out from username.foo.com too, so when the user logs in directly from username.foo.com, he can log out successfully. The issue occurs only when the user logs in from foo.com.

From an infrastructure point of view, foo.com is not load balanced but username.foo.com is running through a load balancer (in production). But I don't think this is the issue, because I'm running both applications on a single staging environment with the same issue.

I tried a custom CookieAuthenticationProvider implementation also, but it has a similar issue.

Please help.
Solution

  • You cannot change a cookie for .foo.com from username.foo.com. It's in RFC 2109.

    4.3.2 Rejecting Cookies

    • A Set-Cookie from request-host y.x.foo.com for Domain=.foo.com would be rejected, because H is y.x and contains a dot.

    You must change your workflow. You can redirect your users to foo.com with a redirect_url in order to sign out, and after a successful sign-out redirect them to the redirect_url, which is in username.foo.com.
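The workflow the answer proposes, as an added example that is not code from the question or the answer: a sign-out action on foo.com (the only host that can clear the Domain=.foo.com cookie) which username.foo.com redirects to with a return URL. The action name, the `redirectto` parameter, and the rule that only https URLs on foo.com or a single-label subdomain of it are accepted are assumptions, and the allow-list is what keeps the return URL from becoming an open redirect.

```csharp
// Added example, not from the original post.
// username.foo.com clears its own cookie, then redirects the browser to
//   https://foo.com/account/signout?redirectto=https://username.foo.com/
// foo.com clears the shared .foo.com cookie and sends the user back.
using System;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security;

public class AccountController : Controller
{
    private IAuthenticationManager AuthenticationManager
    {
        get { return HttpContext.GetOwinContext().Authentication; }
    }

    // GET /account/signout?redirectto=https://username.foo.com/
    // Reached by a cross-host redirect, so it has to be a GET; a GET sign-out can be
    // triggered by a third-party page, which only costs the user a session, not data.
    [HttpGet]
    public ActionResult SignOut(string redirectto)
    {
        // Removes the cookie issued with CookieDomain = ".foo.com" (see Startup.Auth.cs).
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);

        // Only send the user on to a host we own; anything else falls back to "/".
        return Redirect(IsAllowedRedirect(redirectto) ? redirectto : "/");
    }

    // True only for absolute https URLs whose host is foo.com or <label>.foo.com
    // with a single label (no dots), which matches the tenant subdomain scheme.
    internal static bool IsAllowedRedirect(string url)
    {
        Uri uri;
        if (string.IsNullOrEmpty(url) || !Uri.TryCreate(url, UriKind.Absolute, out uri))
            return false;
        if (uri.Scheme != Uri.UriSchemeHttps)
            return false;

        string host = uri.Host.ToLowerInvariant();
        if (host == "foo.com")
            return true;
        if (!host.EndsWith(".foo.com", StringComparison.Ordinal))
            return false;

        string label = host.Substring(0, host.Length - ".foo.com".Length);
        return label.Length > 0 && label.IndexOf('.') < 0;
    }
}
```

If tenants may use their own custom domains, extend `IsAllowedRedirect` to consult the tenant table rather than the fixed suffix check.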