I am developing a Single Sign-On application. I followed the instructions to share/set the cookie to the parent domain and share machine keys, so the applications (all under the same 4th level domain; the documentation says this will only work for 2nd and 3rd level domains, but somehow this approach works for our 4th level domain) will be able to share the authentication cookie.
The users are supposed to hit one of the applications. In the web.config file for the apps, the loginUrl is set to the login page at the SSO website, enableCrossAppRedirects="true", and the defaultUrl is set to the welcome page at the app's website.
But what happens is, ASP.NET ignores all the defaultUrl settings (at the SSO site and application site); it always redirects to Default.aspx, which is the default setting for forms authentication. I tried to do a Response.Redirect in the Authentication event handler, but the SSO app won't listen to that command.
I have a work-around, which is using the Default.aspx page in the SSO application and doing a Response.Redirect in the code-behind. But I do not understand why Microsoft has done it that way. Are there any security risks if not forcing the redirect back to Default.aspx? Or is this a bug?
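For context on the settings the post names, here is an added example of what the shared forms-authentication configuration and the SSO login page code-behind can look like when several sites share one cookie. It is not code from the original post or from any Microsoft sample; the host names, the `.SSOAUTH` cookie name, the `SsoRedirect.ResolveReturnUrl` helper and the `UserName`, `Password` and `FailureText` page controls are assumptions. Two facts the example rests on: `FormsAuthentication.DefaultUrl` reads the `defaultUrl` attribute of the site that serves the login page (the SSO site, not the app the user came from) and falls back to `default.aspx` when that attribute is absent; and with `enableCrossAppRedirects` enabled, a `ReturnUrl` query parameter overrides `defaultUrl`, so the login page should only honour return URLs that stay inside the shared cookie domain to avoid acting as an open redirector.

```csharp
// Added example: web.config fragment assumed to be identical on the SSO site and on
// every application that shares the cookie (the machineKey values are placeholders).
//
// <system.web>
//   <machineKey validationKey="PLACEHOLDER-VALIDATION-KEY"
//               decryptionKey="PLACEHOLDER-DECRYPTION-KEY"
//               validation="HMACSHA256" decryption="AES" />
//   <authentication mode="Forms">
//     <forms name=".SSOAUTH"
//            loginUrl="https://sso.apps.corp.example.com/Login.aspx"
//            domain=".apps.corp.example.com"
//            defaultUrl="~/Welcome.aspx"
//            enableCrossAppRedirects="true"
//            requireSSL="true" />
//   </authentication>
// </system.web>

using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public static class SsoRedirect
{
    // Decide where to send the user after login. Only a site-relative path or an
    // absolute https URL whose host lies inside the shared cookie domain is honoured;
    // anything else (another host, javascript:, protocol-relative "//host" forms)
    // falls back to the configured default URL.
    public static string ResolveReturnUrl(string returnUrl, string defaultUrl, string cookieDomain)
    {
        if (string.IsNullOrEmpty(returnUrl))
            return defaultUrl;

        // Reject protocol-relative and backslash variants before parsing.
        if (returnUrl.StartsWith("//") || returnUrl.Contains("\\"))
            return defaultUrl;

        Uri parsed;
        if (!Uri.TryCreate(returnUrl, UriKind.RelativeOrAbsolute, out parsed))
            return defaultUrl;

        // Relative URL: accept only a path rooted at "/".
        if (!parsed.IsAbsoluteUri)
            return returnUrl.StartsWith("/") ? returnUrl : defaultUrl;

        if (parsed.Scheme != Uri.UriSchemeHttps)
            return defaultUrl;

        // cookieDomain is ".apps.corp.example.com"; accept that host or any host below it.
        string suffix = cookieDomain.StartsWith(".") ? cookieDomain : "." + cookieDomain;
        string host = parsed.Host;
        bool inside = host.EndsWith(suffix, StringComparison.OrdinalIgnoreCase)
                   || host.Equals(suffix.Substring(1), StringComparison.OrdinalIgnoreCase);
        return inside ? returnUrl : defaultUrl;
    }
}

// Code-behind of Login.aspx on the SSO site (hypothetical page class and controls).
public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserName.Text;
        if (!Membership.ValidateUser(user, Password.Text))
        {
            FailureText.Text = "Invalid credentials.";
            return;
        }

        // Issues the shared cookie using the domain and machineKey from web.config.
        FormsAuthentication.SetAuthCookie(user, false);

        string target = SsoRedirect.ResolveReturnUrl(
            Request.QueryString["ReturnUrl"],
            FormsAuthentication.DefaultUrl,     // defaultUrl of the SSO site's web.config
            FormsAuthentication.CookieDomain);  // domain attribute of the forms element

        // Redirect without throwing ThreadAbortException, then end the request.
        Response.Redirect(target, false);
        Context.ApplicationInstance.CompleteRequest();
    }
}
```

Calling `SsoRedirect.ResolveReturnUrl` explicitly instead of `FormsAuthentication.RedirectFromLoginPage` keeps the landing page under the SSO site's control: an application under the shared domain reaches the login page with its own `ReturnUrl` and is sent back there, while a `ReturnUrl` pointing outside `.apps.corp.example.com` is ignored in favour of `defaultUrl`.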