Sharing authentication cookies in ASP.NET 5 across subdomains

I have two ASP.NET 5 MVC 6 applications.

One works for www.mydomain.tld and one for world1.mydomain.tld.

If a user logs into the www subdomain application, I want the login to be recognized by the world1 subdomain application as well. Logging in is done using ASP.NET Identity 3.

I have set up both apps in Startup.cs in the following way:

public void ConfigureServices (IServiceCollection services) {
    // [...]

    services.AddCaching();
    services.AddSession(
        options => {
            options.CookieDomain = ".mydomain.tld";
            options.IdleTimeout = TimeSpan.FromMinutes(30);
        }
    );

    // [...]
}

public void Configure (IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerfactory) {
    // [...]

    app.UseCookieAuthentication(null, IdentityOptions.ExternalCookieAuthenticationScheme);
    app.UseCookieAuthentication(null, IdentityOptions.TwoFactorRememberMeCookieAuthenticationScheme);
    app.UseCookieAuthentication(null, IdentityOptions.TwoFactorUserIdCookieAuthenticationScheme);
    app.UseCookieAuthentication(
        config => {
            config.CookieDomain = ".mydomain.tld";
        },
        IdentityOptions.ApplicationCookieAuthenticationScheme
    );

    // [...]
}


I also set the machine key of both applications via web.config as follows:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <machineKey decryption="AES"
                decryptionKey="SOME DECRYPTION KEY"
                validation="HMACSHA256"
                validationKey="SOME ENCRYPTION KEY" />
  </system.web>
</configuration>


Logging into the www subdomain works, but accessing sites in the world1 subdomain does not work because the authentication cookie is not recognized as a valid login cookie.

What am I doing wrong?

+3




1 answer


Applications are automatically isolated from each other. You need to provide three things:

  • They use the same key store
  • They use the same app ID.
  • They are in the same application pool, or the identity in each pool is identical.

Apps running on the same host under the same hosting mechanism will use the same key store. If they are on separate machines, you will need to use a key store on a network drive or another shared location such as an Azure blob store.

To set an application ID common to both applications, you need to configure the data protection stack.



For example,

public void ConfigureServices(IServiceCollection services)
{
    services.AddDataProtection();
    services.ConfigureDataProtection(configure =>
    {
        configure.SetApplicationName("my application");
    });
}


If you need to run the applications as different users, you need to change your key protection method to use machine-level DPAPI or an X509 certificate.

You don't need a machine key entry in your web.config; the machine key is no longer used.

+5


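To make the isolation rule in the answer concrete, here is an added example (not code from the question or the answer) showing that a payload protected by one app can only be unprotected by a second app when both the key ring location and the application name match. It assumes the later Microsoft.AspNetCore.DataProtection API (DataProtectionProvider.Create) rather than the beta-era ConfigureDataProtection call shown above, and uses a temp directory as a stand-in for the shared key store.

```csharp
// Added example: shared key ring + shared application name lets two "apps"
// read each other's protected payloads; a different application name is isolated.
// Uses Microsoft.AspNetCore.DataProtection.Extensions (assumed available).
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

class SharedKeyRingDemo
{
    // Constructed purpose string; stands in for the one the cookie middleware uses.
    const string Purpose = "AuthCookieDemo";

    // Build a protector rooted at the given key ring directory and application name.
    static IDataProtector MakeProtector(DirectoryInfo keyRing, string appName) =>
        DataProtectionProvider
            .Create(keyRing, builder => builder.SetApplicationName(appName))
            .CreateProtector(Purpose);

    static void Main()
    {
        // Shared key store reachable by both apps (a UNC share or blob store in production).
        var keyRing = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "shared-keyring-demo"));
        keyRing.Create();

        // The www.mydomain.tld app protects a payload (stands in for the auth ticket).
        var www = MakeProtector(keyRing, "my application");
        string ticket = www.Protect("user=alice");

        // The world1.mydomain.tld app, same key ring and same app name, can read it.
        var world1 = MakeProtector(keyRing, "my application");
        Console.WriteLine("world1 read: " + world1.Unprotect(ticket));

        // Same key ring but a different application name: the purpose chain differs,
        // so the data protection stack refuses to unprotect the payload.
        var stranger = MakeProtector(keyRing, "some other application");
        try
        {
            stranger.Unprotect(ticket);
            Console.WriteLine("unexpected: isolation did not hold");
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("isolated as expected: " + ex.Message);
        }
    }
}
```

The third step is the failure mode from the question: identical cookie domains are not enough if the two apps do not share the key ring and application name.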






