Question

I have two applications. The first one is an ASP.NET 4 MVC application that requires authentication. The second is an app that will handle the authentication and set the forms authentication cookie.

On the authorizing app, I call

FormsAuthentication.SetAuthCookie(username, false);

and then I do a simple Response.Redirect back to my MVC application.

In the MVC app, I am making a custom filter that inherits from AuthorizeFilter. On the OnAuthorization method, I was going to decrypt the cookie and grab some additional user data from the authorized user.

My problem is, that

HttpContext.Current.Request.Cookies

has nothing in it. I have checked in Fiddler, and the authentication app correctly sets the cookie, and the MVC application gets the cookie, but when it gets to my filter, there is nothing there.

My web.config in both applications has the exact same setup:

    <forms
        name=".ASPXFORMSAUTH"
        protection="All"
        path="/"
        timeout="30"
        enableCrossAppRedirects="true"
        domain="localhost"/>

And I have set up both with the same machineKey to be able to decrypt the cookie. The problem is, I am not seeing any cookie in my OnAuthorization method within my MVC filter.

Right now both applications are running on my local IIS instance.


Solution

All the weird behavior was due to the httpRuntime between each application being different. My MVC application was set to 4.5 while my application that was setting the cookie was 4.0. Apparently there was a change in how the crypto happens behind the scenes, and therefore when the cookie came through the pipeline, it would get stripped out as ASP.NET couldn't decrypt it.

I came across this when I manually tried to decrypt the cookie by setting the name property differently. That way I could access the cookie and try to decrypt it, but at that point I would get an exception.

I found that the following link led me in the right direction: Sharing a cookie between two websites on the same domain

By setting the compatibility mode setting on the machine key, the cookie came through just fine and could be decrypted.
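The following web.config fragments are an added illustration of the fix described in the answer; they are not the poster's own configuration. They assume the two applications are the ones from the question: one running on the 4.0 runtime that issues the cookie, and one MVC application that has opted in to the 4.5 runtime. The key values are placeholders, and the `<machineKey>` `compatibilityMode` attribute (values `Framework20SP1`, `Framework20SP2`, `Framework45`) is the real ASP.NET setting that selects which cookie-protection pipeline is used. Once an application sets `<httpRuntime targetFramework="4.5">`, it defaults to the newer `Framework45` pipeline, so a cookie protected by a 4.0 application fails validation and is silently dropped from `Request.Cookies` before any filter runs; pinning both sides to the same mode makes the cookie decryptable again.

```xml
<!-- Added example: web.config of the application that ISSUES the cookie.
     It still runs on the 4.0 runtime, so it uses the legacy protection
     pipeline (Framework20SP1) by default. Keys are placeholders. -->
<configuration>
  <system.web>
    <httpRuntime targetFramework="4.0" />

    <authentication mode="Forms">
      <forms name=".ASPXFORMSAUTH"
             protection="All"
             path="/"
             timeout="30"
             enableCrossAppRedirects="true"
             domain="localhost" />
    </authentication>

    <!-- Same keys as the consuming app; the mode is stated explicitly so a
         future runtime upgrade does not change it behind your back. -->
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_128_HEX_CHARS"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY_64_HEX_CHARS"
                validation="HMACSHA256"
                decryption="AES"
                compatibilityMode="Framework20SP1" />
  </system.web>
</configuration>

<!-- Added example: web.config of the MVC application that CONSUMES the
     cookie. targetFramework="4.5" alone would switch it to the Framework45
     pipeline (the broken state from the question); compatibilityMode pins
     it back to the mode the issuing app uses. -->
<configuration>
  <system.web>
    <httpRuntime targetFramework="4.5" />

    <authentication mode="Forms">
      <forms name=".ASPXFORMSAUTH"
             protection="All"
             path="/"
             timeout="30"
             enableCrossAppRedirects="true"
             domain="localhost" />
    </authentication>

    <!-- Identical keys AND identical compatibilityMode to the issuing app.
         Without the compatibilityMode attribute this app would use
         Framework45 and strip the cookie as undecryptable. -->
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_128_HEX_CHARS"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY_64_HEX_CHARS"
                validation="HMACSHA256"
                decryption="AES"
                compatibilityMode="Framework20SP1" />
  </system.web>
</configuration>
```

The alternative to pinning the legacy mode is to move both applications to `targetFramework="4.5"` (or set `compatibilityMode="Framework45"` on both), which keeps the newer protection pipeline; what matters is that every application that reads or writes the shared cookie uses the same keys and the same mode. A quick check for this failure is to temporarily rename the cookie in the consuming app, as the answer describes: the raw cookie then reaches your code and `FormsAuthentication.Decrypt` throws instead of the cookie vanishing silently.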

Licensed under: CC-BY-SA with attribution