Question

I'm trying to set up SSO on two separate IIS web sites (with a common domain) using Forms Authentication. I'm using the common approach of setting the auth cookie to the common domain and using matching machine key to enable decryption.

This works with no issues on test sites that I created. However, when trying to implement this in a legacy Web Forms site, I'm running into something that I don't understand.

When I log into one site, the test code on the second site has the following results:

var cookie = FormsAuthentication.GetAuthCookie("username", false); // works
var ft = FormsAuthentication.Decrypt(cookie.Value);                // returns correct info
var isAuthentication = User.Identity.IsAuthenticated;              // false

As an added bonus, whenever I sign in one site the other gets signed out (happens both ways.)

There must be something fundamental that I'm missing here.

Why is User.Identity.IsAuthenticated set to false, even though the FormsAuthentication ticket seems to be decrypting with no issues?

UPDATE: as pointed out below, FormsAuthentication.GetAuthCookie is not a valid way to obtain the existing auth cookie. Which brings me to this: I can see the top domain cookie in the browser, but it doesn't show up in the request. I suspect this is where the problem is occurring.

Solution: Both sites were not targeting the same version of .Net Framework as specified by the web.config:

<httpRuntime targetFramework="4.5" />
<compilation debug="true" targetFramework="4.5" />

Updating both sites to target the same framework fixed the problem.


Solution

The GetAuthCookie creates a new cookie:

http://msdn.microsoft.com/en-us/library/vstudio/3fay1e4k(v=vs.100).aspx

Creates an authentication cookie for a given user name. This does not set the cookie as part of the outgoing response, so that an application can have more control over how the cookie is issued.

No wonder it works, it doesn't look into the existing cookie.

My theory is that you have your new sites on an x64 machine and the legacy website sits in an x86. The encryption differs in such scenario even if keys are the same. Another possible reason is a different version of .net as the encryption algorithm has been changed in .net 4.
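Added example (not code from the question or the answer): a small diagnostic helper for the second site that reads the ticket the browser actually sent, looked up by FormsAuthentication.FormsCookieName, instead of minting a fresh one with GetAuthCookie, and reports which step fails. The class and method names are hypothetical; it assumes both sites already share the same machineKey, forms cookie domain and httpRuntime targetFramework.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper, e.g. called from a page's Page_Load for troubleshooting.
public static class AuthCookieCheck
{
    // Describes the forms ticket present in the incoming request (if any).
    public static string Describe(HttpContext context)
    {
        // Read the existing SSO cookie from the request; GetAuthCookie would
        // create a new ticket and tell us nothing about what the browser sent.
        HttpCookie cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null)
        {
            // Cookie visible in the browser but absent here usually means the
            // cookie's Domain/Path/Secure attributes do not match this request.
            return "no forms cookie in request: compare <forms domain=...>, path and requireSSL on both sites";
        }

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception ex)
        {
            // Typical cause: machineKey values or the ticket format (which depends on
            // httpRuntime targetFramework / machineKey compatibilityMode) differ between sites.
            return "decrypt failed: " + ex.Message;
        }

        if (ticket == null || ticket.Expired)
            return "ticket could not be decrypted or has expired";

        bool authenticated = context.User != null && context.User.Identity.IsAuthenticated;
        return string.Format("ticket for '{0}', expires {1:u}, IsAuthenticated={2}",
            ticket.Name, ticket.Expiration, authenticated);
    }
}
```

If the ticket decrypts here but IsAuthenticated is still false, the forms authentication module on this site rejected the same cookie when it ran earlier in the pipeline, which is exactly what a mismatched targetFramework between the two web.config files produces.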

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow