OWIN Authentication cookie sharing between ASP.NET MVC and Webforms Applications with same MachineKey

I have a legacy webforms application and am building out a new MVC version to replace it. Both need to run side by side for some time and I need single sign on to work. Previously, the users logged in via the webforms application and I was successfully able to set forms authentication such that the MVC application could authenticate via the cookie.

New login forms are now completed in the MVC app and users will now be required to login from these. The MVC application uses Identity 2.x and OWIN. I originally attempted to configure the OWIN cookie to match the settings in the legacy webforms app but could not get the webforms app to read the cookie and authenticate a user.

Since then I decided to install Identity 2.x and OWIN into the webforms application. I have made the settings identical. Expiry is 30 mins and the Domain is "" and Path is "/". I can see the cookie being generated from the MVC app but it isn't being picked up by the webforms application. I keep receiving the Access Denied message.

    using System;
    using Microsoft.AspNet.Identity;
    using Microsoft.AspNet.Identity.Owin;
    using Microsoft.Owin;
    using Microsoft.Owin.Security.Cookies;
    using Owin;

    public partial class Startup
    {
        // Startup.Auth.cs: identical in both applications so they issue and read the same cookie
        public void ConfigureAuth(IAppBuilder app)
        {
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active,
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                // Name, path and domain of the cookie come from the shared Settings
                CookieName = Settings.Default.CookieName,
                CookiePath = Settings.Default.CookiePath,
                CookieDomain = Settings.Default.CookieDomain,
                LoginPath = new PathString(Settings.Default.CookieLoginPath),
                ReturnUrlParameter = Settings.Default.CookieReturnUrl,
                // 30 minute expiry, sliding
                ExpireTimeSpan = Settings.Default.CookieExpireTimeSpan,
                SlidingExpiration = Settings.Default.CookieSlidingExpiration,
                Provider = new CookieAuthenticationProvider
                {
                    // Re-check the security stamp every 30 minutes and rebuild the identity
                    OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(30),
                        regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
                }
            });
        }
    }

I have left the machineKey settings (which previously worked for forms authentication) the same. I did, however, remove the forms authentication from both configuration files.

Have I misconfigured something, or is there more configuration required to enable sharing of the OWIN cookie between applications with the same machineKey?

UPDATE

  1. Created a new webforms application with Individual User Accounts.
  2. Added the MachineKey.
  3. Changed the configuration of the MVC app to the standard settings (replicating a new project).

The new webforms app lists the cookie but will still not authenticate the user.

UPDATE: See answer below.

Atters asked May 20 '15 09:05

1 Answer

After creating two new applications and getting this to work I had a baseline and worked backwards from there until I achieved the goal of Single Sign on between the applications. I discovered many things including:

  1. The MachineKey is not required for single sign on between apps for 4.5 and above. <httpRuntime targetFramework="4.5"/> is all you require.
  2. Turn forms authentication off.
  3. And most importantly don't attempt to integrate Identity 2.x and OWIN manually by copying from a base project as you are likely to miss a namespace or important file. The project will build and run and literally drive you bonkers whilst you try to find what you missed. Use the nuget packages and delete what you don't need.

So in the end I did need to add Identity 2.x and OWIN into my legacy webforms app, basically upgrading to the new authentication pipeline in 4.5 to make it work.

Hope this post helps save somebody some valuable time and effort.

IMPORTANT UPDATE: When attempting to deploy in IIS, even though you do not have any machine keys specified in the configuration (and that works locally), it won't work when deployed. In the end I used the MVC app as the parent and the legacy webforms app as a child, and this required that the parent app have the following configured:

<machineKey decryptionKey="AutoGenerate" validationKey="AutoGenerate" />
Atters answered Oct 17 '22 17:10
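The three findings in the answer (4.5 runtime, forms authentication off, a machineKey the apps agree on once deployed) all live in web.config. The fragment below is an added example, not configuration from the original question or answer, showing how those pieces fit together in a single web.config that both the MVC parent and the WebForms child would carry. The key values are placeholders, not real keys; the `validation`, `decryption` and `compatibilityMode` attributes are standard machineKey attributes that are an assumption on my part about how a practitioner would pin the settings down rather than something the answer specifies.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the original post: the web.config settings that must
     agree in BOTH applications for the OWIN ApplicationCookie to round-trip. -->
<configuration>
  <system.web>
    <!-- 4.5+ runtime. Microsoft.Owin.Host.SystemWeb protects the cookie ticket
         with the ASP.NET machineKey data protector, so both apps need the
         same runtime crypto behaviour as well as the same key. -->
    <httpRuntime targetFramework="4.5" />

    <!-- Legacy FormsAuthentication is turned off; the OWIN cookie middleware
         (see the Startup.Auth.cs in the question) now owns the login cookie. -->
    <authentication mode="None" />

    <!-- Both apps must share these values. The answer used
         decryptionKey="AutoGenerate" validationKey="AutoGenerate" in the parent;
         explicit keys, as shown here, are the equivalent that also survives a
         web farm. PLACEHOLDER values: generate your own hex keys. -->
    <machineKey validationKey="PLACEHOLDER_128_HEX_CHARS"
                decryptionKey="PLACEHOLDER_64_HEX_CHARS"
                validation="HMACSHA256"
                decryption="AES"
                compatibilityMode="Framework45" />
  </system.web>

  <system.webServer>
    <modules>
      <!-- Remove the FormsAuthentication module so it cannot redirect 401s to
           the old login page ahead of the OWIN middleware. -->
      <remove name="FormsAuthentication" />
    </modules>
  </system.webServer>
</configuration>
```

Two points worth checking when this still fails. First, the cookie is only readable by the second app if CookieName, CookiePath, CookieDomain and AuthenticationType in CookieAuthenticationOptions are identical on both sides and the machineKey matches; a different key makes the ticket undecryptable, and the middleware silently treats the request as anonymous, which is exactly the "cookie is present but user is not authenticated" symptom in the question. Second, plain `AutoGenerate` (without `IsolateApps`) ties the key to the machine rather than the application, which is why the parent/child layout in the answer works on one server but will not carry over to a second server; explicit keys are the fix there, and they should be treated as secrets (store them outside source control, for example via a config transform or an external config file).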