SharePoint: Change the FedAuth Cookie name
When using Trusted Provider (SAML / WS-Fed) authentication within SharePoint, we use a browser cookie to keep you authenticated. The default name of that cookie is “FedAuth”.
If you have multiple web applications and / or multiple SharePoint farms that use Trusted Provider auth, using the same cookie name for all of them can cause problems when users navigate between them.
Examples of “problems” include:
- Users are forced to re-authenticate more often than expected.
- Users get stuck in an endless authentication loop.
To prevent possible problems like that, it is recommended to name the FedAuth cookie differently for each web application. That way, the browser can keep them straight and will not present the wrong cookie to the wrong web application. You can do that with a simple update to the web.config file. You just add a “name=whateverYouWantToNameTheCookie” property to the “<cookieHandler” tag near the end of the file.
Example:
<cookieHandler mode=”Custom” path=”/” name=”J16FedAuth“>
<customCookieHandler type=”Microsoft.SharePoint.IdentityModel.SPChunkedCookieHandler, Microsoft.SharePoint.IdentityModel, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c” />
</cookieHandler>
Important:
You will need to make this same change on each of your web-front-ends. To keep it consistent across all WFEs, you may look into doing it programmatically with SPWebConfigModification.
References: