When running the application standalone (just the Kestrel server running on a specified port, in my case :3001), I can log in (creating an auth cookie) and use my session without issue to make subsequent calls to my API controllers. However, once I publish the application to host via IIS, I can log in without issue, but all subsequent requests to my API controllers fail authorization and redirect to login.
To demonstrate my issue I have stripped my application down to a working sample that can be found here: Angular2AspNetCoreStarter
To reproduce:
cd Angular2AspNetCoreStarter
dotnet restore
& npm install
npm run build
dotnet publish
http://localhost/ng2starter
I've inspected the logs and the error I find in the Kestrel logs is:
CookieAuth was not authenticated. Failure message: Unprotect ticket failed
FYI 'CookieAuth' is the scheme's name which I defined in the appsettings.json file.
I think the problem might be leftover or overlapping cookies from a different "localhost" application with the same cookie name. I ran your sample in IIS and was getting the same 401 error from the ping and then noticed in Chrome a bunch of localhost cookies with that same default name:
.AspNetCore.CookieAuth
I cleared out all of the cookies and then ran your sample again and got back a "PONG".
The cookies that get created when you're using IISEXPRESS localhost:PORT will also come down when you're running in IIS with just localhost, so my guess is that the IISEXPRESS cookies are being sent to the IIS instance, and since you have ephemeral data protection they aren't going to be able to decrypt.
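The two conditions named in the answer, colliding cookie names on localhost and ephemeral data protection keys, can both be addressed in configuration. The following is an added example, not code from the sample repository or from the answer; it assumes ASP.NET Core 6 or later with implicit usings, and the cookie name, application name, key directory and the two endpoints are hypothetical.

```csharp
// Program.cs. Added example: names marked "hypothetical" are not from the sample repo.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.DataProtection;

var builder = WebApplication.CreateBuilder(args);

// Assumption: "dp-keys" under the content root is writable by the app pool identity.
// If the key ring lives only in memory, every ticket issued before a restart or by
// another process is rejected with "Unprotect ticket failed".
var keyDir = new DirectoryInfo(Path.Combine(builder.Environment.ContentRootPath, "dp-keys"));
builder.Services.AddDataProtection()
    .PersistKeysToFileSystem(keyDir)
    .SetApplicationName("ng2starter"); // hypothetical; discriminator for this app's payloads

builder.Services.AddAuthentication("CookieAuth")
    .AddCookie("CookieAuth", options =>
    {
        // Cookies are scoped by host, not port: localhost:3001, IIS Express and IIS
        // all share "localhost". A per-app name keeps other apps' tickets out.
        options.Cookie.Name = ".ng2starter.Auth"; // hypothetical
        options.Cookie.HttpOnly = true;
        options.Cookie.SameSite = SameSiteMode.Lax;
        // API callers get a 401 instead of a redirect to a login page.
        options.Events.OnRedirectToLogin = ctx =>
        {
            ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return Task.CompletedTask;
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Constructed endpoints standing in for the sample's login and ping actions;
// the login performs no credential check and exists only to issue a ticket.
app.MapPost("/login", async (HttpContext ctx) =>
{
    var identity = new ClaimsIdentity(
        new[] { new Claim(ClaimTypes.Name, "demo-user") }, "CookieAuth");
    await ctx.SignInAsync("CookieAuth", new ClaimsPrincipal(identity));
    return Results.Ok();
});
app.MapGet("/ping", () => "PONG").RequireAuthorization();

app.Run();
```

With a distinct cookie name, a stale `.AspNetCore.CookieAuth` cookie left by another localhost application is ignored by this scheme instead of being presented as an undecryptable ticket.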