
Sharing a cookie between two websites on the same domain

Here's the situation:

  • Website A, ASP.NET MVC 4 web application. Domain: http://a.example.com
  • Website B, ASP.NET MVC 4 web application. Domain: http://b.example.com

I'm trying to share a cookie (forms authentication) between the websites.

I'm not using Forms Authentication per se. I'm using the built-in methods (Encrypt, Decrypt, etc.), but I'm setting my own custom cookie.

When I set the cookie on one of the websites, the other one sees the cookie, but can't decrypt it. The error is the generic "Error occurred during a cryptographic operation".

What I've ensured:

  1. The cookie has the domain set to "example.com" (which means subdomains can access it. Proof is that the other website can "see" the cookie).
  2. Both websites share the same machine key. The web.config for both has the same value for the decryptionKey and validationKey.
  3. The forms authentication ticket version and cookie name are the same across both websites.
  4. The path is set to "/".

I've done this before and it works fine, but in that scenario both applications were sharing the same code base.

In this instance, they are separate applications. This is because I am prototyping a solution where two platform-independent applications on the same top-level domain can share an authentication cookie.

Can anyone tell me what I'm missing, or provide an alternative solution?

I've read all the related questions, but the answer is usually 2) above.

RPM1984 asked Feb 18 '13 00:02



2 Answers

When you create a new ASP.NET 4.5 (e.g., ASP.NET MVC 4) application, the following line is added to the web.config:

<httpRuntime targetFramework="4.5" />

This was not present in my other application, possibly because my other application was an ASP.NET 3.5 application which was upgraded to 4.5.

Removing that line in the new ASP.NET web application fixed the problem.

I think this is due to the compatibility mode value: http://msdn.microsoft.com/en-us/library/system.web.configuration.machinekeysection.compatibilitymode.aspx

Framework45. Cryptographic enhancements for ASP.NET 4.5 are in effect. This is the default value if the application Web.config file has the targetFramework attribute of the httpRuntime element set to "4.5".

Not sure I get how removing that line solved the problem. I assume application one has a different compatibility mode, since it didn't have that httpRuntime element.

RPM1984 answered Oct 21 '22 14:10


The best way to handle this is to make machineKey decryption fall back to Framework20SP2.

From this article: http://msdn.microsoft.com/en-us/library/system.web.configuration.machinekeysection.compatibilitymode.aspx

Just add that attribute to machineKey in your .NET 4.5 application:

<machineKey validationKey="" decryptionKey="" validation="SHA1" compatibilityMode="Framework20SP2" />

You won't need to remove targetFramework="4.5" from httpRuntime now.

Mandeep Singh Bhangu answered Oct 21 '22 14:10
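
The machineKey checks from the question and the compatibility-mode cause named in both answers can be combined into one lint over a pair of web.config files. This is an added example, not code from either poster: the sample configs, the placeholder key values and the names `effective_mode` and `compare` are constructed here, and treating targetFramework values above 4.5 like 4.5 is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed web.config samples (not from the post); key values are placeholders.
LEGACY = """<configuration><system.web>
  <machineKey validationKey="AAAA" decryptionKey="BBBB" validation="SHA1" />
</system.web></configuration>"""
NEW_APP = """<configuration><system.web>
  <httpRuntime targetFramework="4.5" />
  <machineKey validationKey="AAAA" decryptionKey="BBBB" validation="SHA1" />
</system.web></configuration>"""
NEW_APP_FALLBACK = NEW_APP.replace(
    'validation="SHA1"', 'validation="SHA1" compatibilityMode="Framework20SP2"')


def effective_mode(root):
    """Explicit compatibilityMode wins; otherwise httpRuntime targetFramework decides."""
    mk = next(root.iter("machineKey"), None)
    if mk is not None and mk.get("compatibilityMode"):
        return mk.get("compatibilityMode")
    rt = next(root.iter("httpRuntime"), None)
    target = rt.get("targetFramework", "") if rt is not None else ""
    try:
        version = tuple(int(p) for p in target.split(".")[:2])
    except ValueError:
        version = ()  # attribute absent or not a version string
    # From the page: targetFramework="4.5" makes Framework45 the default.
    # Assumption: later targetFramework values behave the same way.
    return "Framework45" if version >= (4, 5) else "pre-4.5 default"


def compare(config_a, config_b):
    """Return reasons why a ticket encrypted by one site may not decrypt on the other."""
    a, b = ET.fromstring(config_a), ET.fromstring(config_b)
    mk_a, mk_b = next(a.iter("machineKey"), None), next(b.iter("machineKey"), None)
    if mk_a is None or mk_b is None:
        return ["machineKey element missing in one of the files"]
    # Report only that a value differs; never echo key material.
    findings = [f"machineKey {attr} differs"
                for attr in ("validationKey", "decryptionKey", "validation", "decryption")
                if mk_a.get(attr) != mk_b.get(attr)]
    mode_a, mode_b = effective_mode(a), effective_mode(b)
    if (mode_a == "Framework45") != (mode_b == "Framework45"):
        findings.append(f"compatibilityMode mismatch: {mode_a} vs {mode_b}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("new app as created", NEW_APP), ("with fallback", NEW_APP_FALLBACK)):
        print(name, "->", compare(LEGACY, cfg) or "no mismatch found")
```

The lint reads only the file it is given, so settings inherited from a parent web.config or machine.config are not taken into account.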