
.Net Core Cookie Authentication Not Working When hosted in IIS

When running the application standalone (just the Kestrel server running on a specified port, in my case :3001) I can login (creating an auth cookie) and use my session without issue to make subsequent calls to my API controllers. However, once I publish the application to host via IIS I can login without issue but all subsequent requests to my API controllers fail authorization and redirect to login.

To demonstrate my issue I have stripped my application down to a working sample that can be found here: Angular2AspNetCoreStarter

To reproduce:

  1. clone the repo
  2. navigate into project directory cd Angular2AspNetCoreStarter
  3. install dependencies dotnet restore & npm install
  4. build npm run build
  5. publish dotnet publish
  6. Host via IIS Publishing to IIS
  7. Navigate to hosted site (in my case it was @ http://localhost/ng2starter)
  8. Login with any username/password
  9. Open side navigation
  10. Click Send Anonymous Ping (notice it works! I used Fiddler to inspect traffic)
  11. Click Send Ping (notice the 401 and redirect to login)

I've inspected the logs and the error I find in the Kestrel logs is: CookieAuth was not authenticated. Failure message: Unprotect ticket failed
FYI 'CookieAuth' is the scheme's name which I defined in the appsettings.json file.

wickdninja asked Dec 15 '16 19:12


1 Answer

I think the problem might be leftover or overlapping cookies from a different "localhost" application with the same cookie name. I ran your sample in IIS and was getting the same 401 error from the ping and then noticed in Chrome a bunch of localhost cookies with that same default name

.AspNetCore.CookieAuth

I cleared out all of the cookies and then ran your sample again and got back a "PONG".

The cookies that get created when you're using IISEXPRESS localhost:PORT will also come down when you're running in IIS with just localhost, so my guess is that the IISEXPRESS cookies are being sent to the IIS instance and since you have ephemeral data protection they aren't going to be able to decrypt.

Shane Neuville answered Oct 24 '22 06:10
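The answer identifies two separate causes that combine here: the app's data-protection keys are ephemeral, so a ticket protected by one process (or one app) cannot be unprotected by another, and the cookie name is the framework default, so a stale cookie from another localhost app is presented to this one. The following Startup configuration, an added example that is not from the question, the answer or the linked Angular2AspNetCoreStarter project, addresses both. It is written against the ASP.NET Core 2.x authentication API (AddAuthentication/AddCookie; the 1.x-era project in the question used app.UseCookieAuthentication with a CookieName property). The application name "ng2starter", the cookie name ".ng2starter.Auth", the key directory and the "/api" and "/login" paths are assumptions chosen for illustration.

```csharp
// Added example (not the project's own code). Assumes ASP.NET Core 2.x.
using System.IO;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // 1. Persist the data-protection key ring to a known location and give the
        //    app its own isolation name. With ephemeral keys every process start and
        //    every other app on the host uses a different key, so a cookie ticket
        //    produced by one cannot be unprotected by another, which is the
        //    "Unprotect ticket failed" message seen in the logs.
        //    The directory is a placeholder; the IIS app-pool identity needs
        //    read/write access to it.
        services.AddDataProtection()
            .SetApplicationName("ng2starter")                                   // assumed name
            .PersistKeysToFileSystem(new DirectoryInfo(@"C:\keys\ng2starter")); // placeholder path

        // 2. Use a cookie name unique to this app instead of the default
        //    ".AspNetCore.<scheme>", so a same-named cookie issued by another
        //    localhost app (e.g. the IIS Express instance) is never presented here.
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.Cookie.Name = ".ng2starter.Auth";   // assumed name
                options.Cookie.HttpOnly = true;
                // SameAsRequest keeps the plain-http localhost repro working;
                // use CookieSecurePolicy.Always once the site is served over HTTPS.
                options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
                options.Cookie.SameSite = SameSiteMode.Lax;
                options.LoginPath = "/login";               // assumed path

                // Return a bare 401 for API calls instead of redirecting to the
                // login page, so a failed cookie shows up as an auth failure in the
                // client rather than as an unexpected HTML response.
                options.Events.OnRedirectToLogin = ctx =>
                {
                    if (ctx.Request.Path.StartsWithSegments("/api"))   // assumed prefix
                    {
                        ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
                        return Task.CompletedTask;
                    }
                    ctx.Response.Redirect(ctx.RedirectUri);
                    return Task.CompletedTask;
                };
            });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Authentication must run before MVC so [Authorize] sees the principal.
        app.UseAuthentication();
        app.UseMvc();
    }
}
```

One check worth making when the same symptom appears under IIS: by default the key ring is stored under the app-pool identity's user profile, and if the app pool has "Load User Profile" disabled that location is unavailable and data protection silently falls back to in-memory keys. Persisting the keys explicitly, as above, removes that dependence, and a distinct cookie name means clearing browser cookies is no longer part of the fix.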