I’m working on a multi-tenant ASP.NET MVC application.
So far we have been using HttpContext to store a few objects for the request (technically partitioned by tenant).
However, we will need to use TempData (uses Session) and set authentication cookies.
Our spec:
- A tenant can have multiple urls (tenant1.myapp.com or mycustomdomain.com)
- Authentication cookies should NOT be shared by tenants
- Ideally, a tenant’s authentication cookie should be shared by any one of their urls
Is Session domain aware? It seems to be.
Can I set multiple domains on an authentication cookie?
Advice on anything else that may catch me out would be appreciated. Really I just need to understand what needs to be partitioned for each tenant (up to now I’ve partitioned the file system, database and cache per tenant).
Thanks
Ben
By default Session is tracked by cookies and because cookies are restricted to the same domain the session is not only domain aware but also application-aware meaning that if you have two applications on the same domain they won’t share session.
No. Cookies cannot be shared between domains. But contrary to sessions you can share them among multiple applications on the same domain (by setting the
domainattribute to the top level domain in the<forms>tag in web.config). This is what allows to achieve single sign on between applications on the same domain. If you wanted to achieve single sign on between applications on different domains you will need different approach.