
Forms Authentication Across Applications has no cookie

I have two applications. The first one is an ASP.NET 4 MVC application that requires authentication. The second is an app that will handle the authentication and set the forms authentication cookie.

On the authorizing app, I call

FormsAuthentication.SetAuthCookie(username, false);

and then I do a simple Response.Redirect back to my MVC application.

In the MVC app, I am making a custom filter that inherits from AuthorizeFilter. On the OnAuthorization method, I was going to decrypt the cookie and grab some additional user data from the authorized user.

My problem is, that

HttpContext.Current.Request.Cookies

has nothing in it. I have checked out fiddler, and the authentication app correctly sets the cookie, and the MVC application gets the cookie, but when it gets to my filter, there is nothing there.

My web.config in both applications has the exact same setup:

    <forms
        name=".ASPXFORMSAUTH"
        protection="All"
        path="/"
        timeout="30"
        enableCrossAppRedirects="true"
        domain="localhost"/>

And I have setup both with the same machineKey to be able to decrypt the cookie. The problem is, I am not seeing any cookie in my OnAuthorization method within my MVC filter.

Right now both applications are running on my local IIS instance.

asked Dec 04 '13 21:12 by Justin Rassier


1 Answer

All the weird behavior was due to the httpRuntime between each application being different. My MVC application was set to 4.5 while my application that was setting the cookie was 4.0. Apparently there was a change in how the crypto happens behind the scenes, and therefore when the cookie came through the pipeline, it would get stripped out as ASP.NET couldn't decrypt it.

I came across this when I manually tried to decrypt the cookie by setting the name property differently. That way I could access the cookie and try to decrypt it, but at that point I would get an exception.

I found that the following link led me in the right direction: Sharing a cookie between two websites on the same domain

By setting the compatibility mode setting on the machine key, the cookie came through just fine and could be decrypted.

answered Nov 15 '22 09:11 by Justin Rassier
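As an added example (not part of the original question or answer), here is a web.config fragment for both applications that shows the mismatch the answer describes next to the corrected setup: the two httpRuntime targets differ, so each app would otherwise pick a different default crypto mode, and pinning compatibilityMode on the machineKey in both makes the cookie decryptable on either side. The key values are placeholders, and choosing Framework45 is an assumption: any value works as long as both apps use the same one and ASP.NET 4.5 is installed on the host.

```xml
<!-- Authentication app: runs on the 4.0 runtime, so its default
     machineKey compatibilityMode would be Framework20SP1 -->
<configuration>
  <system.web>
    <httpRuntime targetFramework="4.0" />
    <authentication mode="Forms">
      <forms name=".ASPXFORMSAUTH" protection="All" path="/" timeout="30"
             enableCrossAppRedirects="true" domain="localhost" />
    </authentication>
    <!-- Identical keys in both apps. Generate random keys for your own
         deployment; the values below are placeholders, not real keys. -->
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_128_HEX_CHARS"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY_64_HEX_CHARS"
                validation="HMACSHA256"
                decryption="AES"
                compatibilityMode="Framework45" />
  </system.web>
</configuration>

<!-- MVC app: runs on the 4.5 runtime, whose default compatibilityMode is
     Framework45. Without the explicit attribute above in the other app,
     the two sides use different crypto and the cookie is silently dropped
     because it cannot be decrypted. -->
<configuration>
  <system.web>
    <httpRuntime targetFramework="4.5" />
    <authentication mode="Forms">
      <forms name=".ASPXFORMSAUTH" protection="All" path="/" timeout="30"
             enableCrossAppRedirects="true" domain="localhost" />
    </authentication>
    <!-- Same placeholder keys and the same explicit mode as the auth app -->
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_128_HEX_CHARS"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY_64_HEX_CHARS"
                validation="HMACSHA256"
                decryption="AES"
                compatibilityMode="Framework45" />
  </system.web>
</configuration>
```

When the modes still disagree, the failure mode is exactly the one in the question: the browser sends the cookie, but the forms authentication module strips it before the filter runs, so checking Request.Cookies in a filter will not reveal the cause; compare the effective machineKey settings of both apps instead.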