When using the Forms Authentication module, there are a couple areas to check when troubleshooting any issues you might encounter when setting it up.
The most common issue when using Forms Authentication is that the name of the cookie used for the authentication ticket is different between the two applications. Forms Authentication works by creating a cookie that contains basic information about the user. The name of the cookie is set in the web.config file. In ASP.NET, the default name is .ASPXAUTH; however, Community Server’s out-of-the-box web.config sets it to .CommunityServer. If the two applications do not have the same name set, then the other application will not recognize the authentication ticket from the main application.
You can either change the main application to match Community Server’s setting by changing the name on its <forms> line in web.config to .CommunityServer, or change Community Server to use the same name as your own application by changing its web.config to .ASPXAUTH (or whatever name your application specifies). For example:
<authentication mode="Forms">
<forms name=".CommunityServer" ... />
</authentication>
When using Forms Authentication between two ASP.NET applications, you must ensure that the machine keys of the two applications match. The machine keys are used to encrypt, decrypt and validate the information within the authentication ticket. If they do not match, one application will not be able to use the other application’s authentication ticket.
The machine keys are set within the <system.web> section of the web.config file. A sample machine key section looks like this:
<machineKey
validationKey="CFBAC2E26EB8...174C6901CE50D"
decryptionKey="43AEA5079E…97035372A"
validation="SHA1" />
A frequent issue with the cookie created for the authentication ticket is the path on the cookie. Typically, an application will create the cookie with its path set to its own application path. So if your application is at /app and Community Server is at /cs, when you set the authentication cookie within /app, ASP.NET will automatically set the cookie’s path to /app. Then the browser will only pass the cookie along to page requests under /app, and not to /cs. To get it to carry over, you will need to set the cookie’s path to /, so that it will be accessible between the two applications.
You can specify the cookie’s path in the web.config file or through code. To set it in the web.config file, use the path attribute on the <forms> line in the parent application's web.config file, as shown in the following example:
<authentication mode="Forms">
<forms name=".CommunityServer" ... path="/" />
</authentication>
You can also set the path in code by using the GetAuthCookie method of FormsAuthentication instead of the SetAuthCookie method when creating the cookie in the parent application. For example:
// Build the ticket cookie without adding it to the response yet (second argument: persistent cookie)
HttpCookie cookie = FormsAuthentication.GetAuthCookie(username, true);
// Make the cookie visible to every application on the host, not just the one under /app
cookie.Path = "/";
Response.Cookies.Add(cookie);
Another common issue with the authentication cookie is the cookie’s domain. If the two applications live on different sub-domains, the cookie will only be sent to the host on which it was created. For instance, your main application may be on www.domain.com while Community Server runs on cs.domain.com. If you create the cookie on www.domain.com, the browser will send it only to that host and will not pass it along when the user navigates over to cs.domain.com.
The cookie can be carried over by setting its domain to .domain.com. Cookies do not use the common “*” wildcard; simply use .domain.com. With this, the browser will also pass the cookie when the user goes over to cs.domain.com.
Like the path, the domain can be specified in either the web.config file or through code. To set it in the web.config file, use the domain attribute on the <forms> line in the parent application's web.config file, such as:
<authentication mode="Forms">
<forms name=".CommunityServer" ... domain=".domain.com" />
</authentication>
You can also set the domain in code when using the GetAuthCookie method to create the cookie in the parent application. For example:
// Build the ticket cookie without adding it to the response yet (second argument: persistent cookie)
HttpCookie cookie = FormsAuthentication.GetAuthCookie(username, true);
// Scope the cookie to the parent domain so both www.domain.com and cs.domain.com receive it
cookie.Domain = ".domain.com";
Response.Cookies.Add(cookie);
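As an added troubleshooting aid (not part of the original article or of Community Server), the following script compares the settings discussed above, cookie name, machine keys, cookie path and cookie domain, between two web.config files and reports anything that would stop one application from accepting the other’s ticket. The two embedded web.config fragments are constructed samples that drift in exactly the ways described above; point the functions at your real files to run it for your own deployment.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments (not from a real deployment): the parent
# application and a Community Server install that drift in the ways described above.
APP_CONFIG = """<configuration><system.web>
  <authentication mode="Forms">
    <forms name=".ASPXAUTH" loginUrl="login.aspx" path="/app" />
  </authentication>
  <machineKey validationKey="AAAA1111" decryptionKey="BBBB2222" validation="SHA1" />
</system.web></configuration>"""

CS_CONFIG = """<configuration><system.web>
  <authentication mode="Forms">
    <forms name=".CommunityServer" loginUrl="login.aspx" path="/" domain=".domain.com" />
  </authentication>
  <machineKey validationKey="AAAA1111" decryptionKey="CCCC3333" validation="SHA1" />
</system.web></configuration>"""

# Settings that must agree before one application will honour the other's ticket.
SHARED = ("forms.name", "machineKey.validationKey", "machineKey.decryptionKey", "forms.domain")


def forms_auth_settings(xml_text):
    """Extract the ticket-sharing settings from one web.config (missing -> None)."""
    root = ET.fromstring(xml_text)
    forms = root.find("./system.web/authentication/forms")
    mkey = root.find("./system.web/machineKey")
    f = forms.attrib if forms is not None else {}
    m = mkey.attrib if mkey is not None else {}
    return {
        "forms.name": f.get("name", ".ASPXAUTH"),  # ASP.NET default when omitted
        "forms.path": f.get("path"),
        "forms.domain": f.get("domain"),
        "machineKey.validationKey": m.get("validationKey"),
        "machineKey.decryptionKey": m.get("decryptionKey"),
    }


def check_shared_ticket(app_xml, cs_xml):
    """Return human-readable mismatches; an empty list means the configs agree."""
    a, b = forms_auth_settings(app_xml), forms_auth_settings(cs_xml)
    findings = [f"{k}: {a[k]!r} vs {b[k]!r}" for k in SHARED if a[k] != b[k]]
    for label, s in (("app", a), ("cs", b)):
        if s["forms.path"] != "/":  # cookie must be scoped to / to reach both apps
            findings.append(f"{label} forms.path is {s['forms.path']!r}; set path=\"/\"")
    return findings


if __name__ == "__main__":
    for line in check_shared_ticket(APP_CONFIG, CS_CONFIG):
        print("MISMATCH", line)
```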