 

Why do ASP.NET Identity logins from one site get shared with different websites on the same machine?

I create a brand new web application say "WebApplication1" - WebForms with Authentication set to Individual User Account. I don't add a single line of code to the auto generated code template. I run the application and register a user "User1" and log in - works fine.

Now I create another web application "WebApplication2" - same WebForms with Authentication set to Individual User Account. Again no code and I run the application. Now I create another user say "User2" - works fine.

The problem starts when both the applications are running at the same time. If I log in to the first site as "User1", this automatically sets the Context.User.Identity of the second site "WebApplication2" to "User1" when it does not even have "User1" registered, and vice versa; and if I log out from one site, the other gets logged out.

How is it that Context.User.Identity is being shared?

The code is just the same -

    public static void SignIn(UserManager manager, ApplicationUser user, bool isPersistent)
    {
        IAuthenticationManager authenticationManager = HttpContext.Current.GetOwinContext().Authentication;
        // Clear any external-login cookie left over from a third-party provider sign-in.
        authenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie);
        // Build the claims identity for the application cookie and issue that cookie.
        var identity = manager.CreateIdentity(user, DefaultAuthenticationTypes.ApplicationCookie);
        authenticationManager.SignIn(new AuthenticationProperties() { IsPersistent = isPersistent }, identity);
    }

I sure am missing some basic knowledge on how ASP.Net Identity works so please help me out.

Thanks in advance.

mac-geek Avatar asked Dec 14 '13 23:12




1 Answer

If your server is configured to use Cookie Authentication the server will return a cookie to the browser containing encrypted and signed claims about the user.

This cookie is by default named: .AspNet.ApplicationCookie.

This cookie will be stored in your browser until it expires (default 14 days and sliding expiry) or you explicitly sign out, which deletes the cookie.

If you open another tab or window of the same browser type, after you have logged in, it will also have the same cookie and pass it when sending requests to either of your two web sites.

If both sites are configured to look for the same cookie name they will both see it and be able to decrypt the authentication cookie, as they share the same machine and thus the machine key which is used by the server to encrypt/decrypt and sign the cookie. There's nothing in the cookie telling which site within the same server it belongs to, so the "User1" claim which is stored in your website WebApplication1 will be regarded as authenticated on WebApplication2. The OWIN authentication middleware will not check the database if there is a valid cookie in an incoming request. It will simply use the presented encrypted claims (username, possibly roles and other) in the cookie.

If you set the CookieName differently in your two web applications they will not use the same authentication cookie, and hence a user authenticated in one site will not be authenticated on the other.

You can set the CookieName in your Startup.Auth.cs like this:

    public partial class Startup
    {
        // For more information on configuring authentication, please visit http://go.microsoft.com/fwlink/?LinkId=301864
        public void ConfigureAuth(IAppBuilder app)
        {
            // Enable the application to use a cookie to store information for the signed in user
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Account/Login"),
                // Give this application its own cookie name so it does not read
                // the .AspNet.ApplicationCookie issued by another site on the same host.
                CookieName = "MyCookieName",
            });
        }
    }
Olav Nybø Avatar answered Sep 18 '22 12:09

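To make the cookie-scoping point concrete, here is an added Python model (not code from the question, the answer, or ASP.NET Identity) of a browser cookie jar and two sites. It assumes both apps run on localhost on different ports, as IIS Express would, and uses a plain string tag as a stand-in for the encrypted, machine-key-signed ticket.

```python
from urllib.parse import urlsplit


class CookieJar:
    """Cookies are keyed by (name, host, path) only; the port is not part of the scope."""

    def __init__(self):
        self._cookies = {}

    def set(self, url, name, value, path="/"):
        self._cookies[(name, urlsplit(url).hostname, path)] = value

    def delete(self, url, name, path="/"):
        self._cookies.pop((name, urlsplit(url).hostname, path), None)

    def cookies_for(self, url):
        parts = urlsplit(url)
        return {name: value for (name, host, path), value in self._cookies.items()
                if host == parts.hostname and (parts.path or "/").startswith(path)}


class Site:
    """One web app with its own user store but the machine-wide key (constructed stand-in for machineKey)."""

    def __init__(self, base_url, cookie_name, users, machine_key="shared-machine-key"):
        self.base_url, self.cookie_name, self.users, self.key = base_url, cookie_name, set(users), machine_key

    def _protect(self, username):          # stand-in for encrypt + sign
        return f"{self.key}|{username}"

    def _unprotect(self, ticket):          # stand-in for verify + decrypt
        key, _, username = ticket.partition("|")
        return username if key == self.key else None

    def sign_in(self, jar, username):
        assert username in self.users      # only a registered user can log in here
        jar.set(self.base_url, self.cookie_name, self._protect(username))

    def sign_out(self, jar):
        jar.delete(self.base_url, self.cookie_name)

    def current_user(self, jar):
        """Like the OWIN middleware: trust the decrypted claims, no database lookup."""
        ticket = jar.cookies_for(self.base_url).get(self.cookie_name)
        return self._unprotect(ticket) if ticket else None


def cross_site_view(cookie_name_1, cookie_name_2):
    """Log User1 into app1, report who app2 sees, then sign out of app2 and report app1's view."""
    jar = CookieJar()
    app1 = Site("http://localhost:50001/", cookie_name_1, {"User1"})
    app2 = Site("http://localhost:50002/", cookie_name_2, {"User2"})
    app1.sign_in(jar, "User1")
    seen_by_app2 = app2.current_user(jar)
    app2.sign_out(jar)
    return seen_by_app2, app1.current_user(jar)
```

With the default shared name, app2 reports "User1" although it never registered that user, and signing out of app2 also logs app1 out; with distinct names neither effect occurs.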


