I have two ASP.NET 5 MVC 6 applications. One is running at www.mydomain.tld and one at world1.mydomain.tld.

If a user gets logged in on www subdomain's application, I want her to be logged in on world1 subdomain's application as well. The login is realized with ASP.NET Identity 3.

I've set up both applications in Startup.cs as follows:
```csharp
public void ConfigureServices(IServiceCollection services)
{
    // [...]
    services.AddCaching();
    services.AddSession(
        options =>
        {
            options.CookieDomain = ".mydomain.tld";
            options.IdleTimeout = TimeSpan.FromMinutes(30);
        }
    );
    // [...]
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerfactory)
{
    // [...]
    app.UseCookieAuthentication(null, IdentityOptions.ExternalCookieAuthenticationScheme);
    app.UseCookieAuthentication(null, IdentityOptions.TwoFactorRememberMeCookieAuthenticationScheme);
    app.UseCookieAuthentication(null, IdentityOptions.TwoFactorUserIdCookieAuthenticationScheme);
    app.UseCookieAuthentication(
        config =>
        {
            config.CookieDomain = ".mydomain.tld";
        },
        IdentityOptions.ApplicationCookieAuthenticationScheme
    );
    // [...]
}
```
I've also set the machine key of both applications via web.config as follows:
```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <machineKey decryption="AES"
                decryptionKey="SOME DECRYPTION KEY"
                validation="HMACSHA256"
                validationKey="SOME ENCRYPTION KEY" />
  </system.web>
</configuration>
```
Logging in on www subdomain works, but accessing sites on world1 subdomain doesn't work, because the authentication cookie is not being recognized as a valid login cookie.
What am I doing wrong?
Apps are automatically isolated from one another. You need to ensure three things:

1. Apps running on the same host, under the same hosting mechanism, will use the same key store. If these are on separate machines you will need to use a key store on a network drive, or other shared place such as Azure blob storage.

2. In order to set an application ID common to both applications you need to configure the data protection stack. For example,

```csharp
public void ConfigureServices(IServiceCollection services)
{
    services.AddDataProtection();
    services.ConfigureDataProtection(configure =>
    {
        configure.SetApplicationName("my application");
    });
}
```

3. If you need to run the applications as different users then you need to change how the keys are protected to either use machine level DPAPI or an X509 certificate.

You don't need a machine key entry in your web.config; machine key is no longer used.
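The three points of the answer combined into one `ConfigureServices`, as an added example that is not the answer's own code. It is written against the ASP.NET Core 2.x names of the same APIs (`AddDataProtection()` returning a builder, and `ConfigureApplicationCookie`), since the RC-era `ConfigureDataProtection` call shown in the answer was renamed after release. The key-ring path, application name and cookie name are placeholders; both applications must be configured with identical values.

```csharp
// Added example, not from the question or answer above. ASP.NET Core 2.x+ API shape.
// Every value marked "assumed" is a placeholder chosen for this example.
using System.IO;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDataProtection()
            // 1. Same key store for both apps. Apps on one host under the same
            //    hosting mechanism share it by default; once they run on separate
            //    machines the key ring must live on a shared location such as a
            //    UNC share (or Azure blob storage). Assumed path.
            .PersistKeysToFileSystem(new DirectoryInfo(@"\\fileserver\keyring"))
            // 2. Same application name. The name becomes part of the purpose
            //    used to derive the cookie key, so two apps with different names
            //    cannot read each other's cookies even when they share the key
            //    ring. That isolation is the default protection; only apps that
            //    are meant to share sign-in should be given the same name.
            //    Assumed name.
            .SetApplicationName("mydomain-sso")
            // 3. Keys must be protected so that both app identities can unwrap
            //    them. Machine-level DPAPI (Windows only) covers two app pools
            //    running under different accounts on the same host; use an X509
            //    certificate instead when the machines differ.
            .ProtectKeysWithDpapi(protectToLocalMachine: true);

        // The application cookie must be issued for the parent domain and carry
        // the same name in both apps, otherwise world1 looks for a cookie that
        // www never set. Restricting it to HTTPS keeps the shared cookie from
        // being sent in clear text to any subdomain.
        services.ConfigureApplicationCookie(options =>
        {
            options.Cookie.Domain = ".mydomain.tld";
            options.Cookie.Name = ".MyDomain.Identity";   // assumed name
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.SameSite = SameSiteMode.Lax;
        });
    }
}
```

No `machineKey` element is involved: with the data protection stack configured this way the key ring on the shared path is the only material both apps need, and the `web.config` entry from the question can be dropped.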