See update at bottom of question
I have an ASP.NET 2.0 web application (say https://mysite.somedomain.com/) which uses forms authentication. I wish to integrate an ASP.NET 4.0 web app within this site, based at https://mysite.somedomain.com/NewApp/. Forms Auth is working on the outer app, but the inner app is rejecting the cookie.
web.config on the outer (ASP.NET 2.0) web app contains:
<httpCookies requireSSL="true"/>
<authentication mode="Forms">
  <forms name="MySiteWebAuth" loginUrl="/Login.aspx" protection="All"
         path="/" timeout="90" requireSSL="true" slidingExpiration="true"/>
</authentication>
<!-- same machine key is in both configs -->
<machineKey validation="SHA1"
            decryption="AES"/>
<authorization>
  <deny users="?"/>
  <allow users="*"/>
</authorization>
web.config on the inner (ASP.NET 4.0) web app contains:
<authentication mode="Forms">
  <forms name="MySiteWebAuth" loginUrl="/Login.aspx" protection="All"
         path="/" timeout="90" requireSSL="true" slidingExpiration="true"
         ticketCompatibilityMode="Framework20"/>
</authentication>
<!-- same machine key is in both configs -->
<machineKey validation="SHA1"
            decryption="AES"/>
This is the code in Login.aspx.cs that sets the cookie on successful authentication:
// Build the ticket by hand: version 1, non-persistent, with the session id
// carried in the UserData field.
FormsAuthenticationTicket ticket =
    new FormsAuthenticationTicket(
        1,
        ApplicationContext.User.Identity.Name,
        DateTime.Now,
        DateTime.Now.AddMinutes(90),
        false,
        ApplicationContext.User.Identity.SessionID.ToString()
    );

// Encrypt the ticket with this app's machineKey and put it in the forms cookie.
HttpCookie cookie =
    new HttpCookie(
        FormsAuthentication.FormsCookieName,
        FormsAuthentication.Encrypt(ticket)
    );
cookie.Path = FormsAuthentication.FormsCookiePath;
cookie.HttpOnly = true;
// Note: the Secure flag is not set here even though <forms requireSSL="true"/>;
// FormsAuthentication.GetAuthCookie would have set it automatically.
Response.Cookies.Add(cookie);
If I log into the outer web app, then navigate to a page within the inner web app, it does a redirect to the login page and writes "Forms authentication failed for the request. Reason: The ticket supplied was invalid." to the event log on the server.
How do I get the ASP.NET 2.0 Forms Auth ticket to be accepted by the inner ASP.NET 4.0 web app?
Update: It works under HTTPS IIS 7.5, but not under HTTPS IIS 7.0. Doing some more investigation.
Update 2: We have applied Server 2008 SP2 to the server along with the recent patch for the hash-collision DoS and since then the cookie sharing has worked.
SetAuthCookie() sets a browser cookie to initiate the user's session. It's what keeps the user logged in each time a page is posted to the server. createPersistentCookie creates a persistent cookie that doesn't expire when the browser is closed, so the user can return to the site and be logged in automatically.
To change the authentication type to forms authentication, then, we need to modify the <authentication> element's mode attribute to Forms.
In addition to keeping nearly all of the aforementioned values the same, you'll need to set the machineKey element's compatibilityMode attribute in the 4.0 application's configuration file:
<machineKey compatibilityMode="Framework20SP2" validationKey="THE_KEY" decryptionKey="ANOTHER_KEY" validation="SHA1" />
I'm assuming you read this - http://msdn.microsoft.com/en-us/library/eb0zx8fc.aspx - perhaps remove the ticketCompatibilityMode attribute from your 4.0 app, or at least make sure they're the same.
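The two answers above point at the same two root causes: the cookie never reaching the inner app (name, path, requireSSL versus plain HTTP) or the cookie arriving but failing validation (machineKey / compatibilityMode / ticketCompatibilityMode mismatch between the 2.0 and 4.0 apps). The following handler is an added diagnostic, not code from the question or either answer; dropped into the inner app's Global.asax.cs it tells those two cases apart in the trace output instead of only seeing "The ticket supplied was invalid" in the event log. The class name Global is assumed.

```csharp
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Security;

// Added diagnostic for the inner (ASP.NET 4.0) app. Runs before
// FormsAuthenticationModule would normally reject the request.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null)
        {
            // Case 1: the browser did not send the cookie at all. Check that both
            // apps use the same <forms name="..."> and path="/", and that this
            // request is really HTTPS when requireSSL="true".
            Trace.TraceWarning("Forms cookie '{0}' absent; IsSecureConnection={1}",
                FormsAuthentication.FormsCookieName, Request.IsSecureConnection);
            return;
        }

        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            if (ticket == null || ticket.Expired)
            {
                Trace.TraceWarning("Forms cookie present but ticket is null or expired.");
                return;
            }
            Trace.TraceInformation("Ticket OK: user={0}, version={1}, expires={2:u}",
                ticket.Name, ticket.Version, ticket.Expiration);
        }
        catch (Exception ex)
        {
            // Case 2: the cookie arrived but this app cannot validate or decrypt it.
            // The 2.0 and 4.0 apps disagree on machineKey validationKey/decryptionKey,
            // compatibilityMode="Framework20SP2", or ticketCompatibilityMode.
            Trace.TraceError("Forms cookie present but Decrypt failed: {0}", ex.Message);
        }
    }
}
```

Enable a trace listener (for example in <system.diagnostics>) to see the messages; the handler changes no authentication behaviour, it only reports which failure mode you are in.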