Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

.Net Core Cookie Authentication Not Working When hosted in IIS

Tags:

asp.net

iis

angular

.net-core

When running the application standalone (just kestrel server running on a specified port in my case :3001) I can login (creating an auth cookie) and use my session without issue to make subsequent calls to my API controllers. However once I publish the application to host via IIS I can login without issue but all subsequent request to my API controllers fail authorization and redirect to login.

To demonstrate my issue I have stripped my application down to a working sample that can be found here: Angular2AspNetCoreStarter

To reproduce:

  1. clone the repo
  2. navigate into project directory cd Angular2AspNetCoreStarter
  3. install dependencies dotnet restore & npm install
  4. build npm run build
  5. publish dotnet publish
  6. Host via IIS Publishing to IIS
  7. Navigate to hosted site (in my case it was @ http://localhost/ng2starter)
  8. Login with any username/password
  9. Open side navigation
  10. Click Send Anonymous Ping (notice it works! I used Fiddler to inspect traffic)
  11. Click Send Ping (notice the 401 and redirect to login)

I've inspected the logs and the error I find in the kestrel logs is : CookieAuth was not authenticated. Failure message: Unprotect ticket failed
FYI 'CookieAuth' is the scheme's name which I defined in the appsettings.json file.

like image 396
wickdninja Avatar asked Dec 15 '16 19:12

wickdninja

People also ask

How do I use cookie authentication in .NET Core?

Let's implement the Cookie Authentication in ASP.NET Core step by step. Open the Visual Studio and click on Create a new Project. Select ASP.NET Core Empty project and click on next. Give a name to your Project, select the location for the project creation, and click on Next.

What is AspNet ApplicationCookie?

Session. .AspNet.ApplicationCookie. ASP.NET application identity. Identifies an individual user session for the purposes of enabling authentication. Additionally stores the Passport authentication token for the logged in user and the id of the application that the user is accessing.

1 Answers

I think the problem might be left over or overlapping cookies from a different "localhost" application with the same cookie name. I ran your sample in IIS and was getting the same 401 error from the ping and then noticed in chrome a bunch of localhost cookies with that same default name

.AspNetCore.CookieAuth

I cleared out all of the cookies and then ran your sample again and got back a "PONG"

The cookies that get created when you're using IISEXPRESS localhost:PORT

will also come down when you're running in IIS with just localhost, so my guess is that the IISEXPRESS cookies are being sent to the IIS instance and since you have ephemeral data protection they aren't going to be able to decrypt.

like image 126
Shane Neuville Avatar answered Oct 24 '22 06:10

Shane Neuville
Sign in to Comment

Related questions

Model could not be found
MVC WebApi HttpGet with complex object
How to load local files if CDN is not working
Referencing an unstable DLL
When is destructor called for C# classes in ASP.NET?
What is the relationship between Application Pools and worker process threads?
Securely implementing two factor authentication
How to call a stored procedure using ado.net
ASP.NET machinekey set keys in code
Generating PDFs using Phantom JS on .NET applications
How to execute async 'fire and forget' operation in ASP.NET Web API [duplicate]
Strongly-typed binding to a DropDownListFor?
Linq Query using Contains and not contains
Google Calendar API, Adding an event to someones calendar just by knowing their e-mail address
Change the height and width of text area
How to check if user already exists on client-side in ASP.NET MVC 5?
ASP.NET 500 Internal Server Error while calling webmethod from javascript
.NET MVC 6 / vNext UserValidator to allow alphanumeric characters
AngularJS: route provider changes "/" into %2F [duplicate]
Injecting into constructor with 2 params is not working

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!