45

For forms authentication I used this in web.config (note the domain attribute):

    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" timeout="2880" name=".ASPXAUTH" protection="Validation" path="/" domain=".myserver.dev" />
    </authentication>

How is a single sign-on across subdomains configured for the new ASP.NET Identity Framework in Mvc 5?

More Info:

I am creating a multitenant application. Each client will be on a subdomain:

client1.myapp.com

client2.myapp.com

I want a user to be able to sign on to client1.myapp.com and then go to client2.myapp.com and still be signed in. This was easy with forms authentication. I'm trying to figure out how to do it with the new Identity Framework.

EDIT

Here is the code that eventually worked for me:

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
      AuthenticationType = "Application",
      LoginPath = "/Account/Login",
      CookieDomain = ".myapp.com"
    });

orourkedd
  • Do you have one application for all subdomains or one application for each subdomain? I have the second option and it doesn't work :( – Ellbar Jan 01 '14 at 13:29
  • Can we access `CookieAuthenticationOptions` from other places of the App? I.e. can we change it in `HomeController` to set Session Timeout? – NoWar Oct 20 '14 at 13:03
  • I just wanted to say that if you try this on **localhost** it may not work. I spent two hours trying to identify why it was not working but I couldn't. And then I just tried this answer on the server and it just worked. – Iren Saltalı Feb 18 '18 at 13:26

4 Answers

34

In Startup.Auth.cs, you will see something like:

For RC:

    app.UseSignInCookies();

This was removed in RTM and replaced with the explicit configuration of the cookie auth:

    app.UseCookieAuthentication(new CookieAuthenticationOptions {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login")
    });

The CookieAuthenticationOptions class has a CookieDomain property which is what you are looking for I believe.

Hao Kung
  • Which assembly is the DefaultAuthenticationTypes class found? It is not resolving for me. – orourkedd Oct 13 '13 at 21:14
  • It was added in RTM inside in the Identity.Core, if you are using RC bits, you can set it to "Application". – Hao Kung Oct 14 '13 at 17:06
  • @Hao Kung, I have two questions: 1) it seems that only if the web sites on different sub-domains use the same application pool in IIS can they single sign on. However, if they use different AppPools, it does not work. 2) This single sign-on solution only works across SUB-domains; how do I deal with the cross-domain situation? Thank you very much! – Chance Apr 12 '15 at 18:51
  • @Chance: Is this the case? And did you find a solution for that? – Mark Redman Sep 17 '15 at 09:50
  • This is great and the user stays logged in, but for me logout no longer works, the user stays logged in. – BlackICE Sep 30 '15 at 23:45

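Putting the CookieDomain property this answer points at into a complete Startup.Auth.cs, as an added example that is neither Hao Kung's code nor the asker's: the MyApp namespace, the .myapp.com domain and the login/logout paths are placeholders, and RequireSharedDomain is a helper written for this example.

```csharp
using System;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

[assembly: OwinStartup(typeof(MyApp.Startup))]

namespace MyApp
{
    public partial class Startup
    {
        // Placeholder tenant domain; every tenant host (client1.myapp.com,
        // client2.myapp.com, ...) must sit under it for the cookie to be shared.
        private const string SharedCookieDomain = ".myapp.com";

        public void Configuration(IAppBuilder app)
        {
            ConfigureAuth(app);
        }

        public void ConfigureAuth(IAppBuilder app)
        {
            RequireSharedDomain(SharedCookieDomain);

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Account/Login"),
                LogoutPath = new PathString("/Account/LogOff"),

                // The leading dot makes browsers send the cookie to every host
                // under myapp.com, which is what carries the sign-in across tenants.
                CookieDomain = SharedCookieDomain,

                // A cookie valid for the whole domain is worth more to an attacker
                // than a per-host one, so keep it away from script and plain HTTP.
                CookieHttpOnly = true,
                CookieSecure = CookieSecureOption.Always,

                // Example values; the defaults are 14 days with sliding expiration.
                ExpireTimeSpan = TimeSpan.FromHours(2),
                SlidingExpiration = true
            });
        }

        // Helper written for this example: rejects values that browsers would
        // not treat as a shared parent domain. It checks shape only; the browser
        // still discards the cookie when the request host is not inside the
        // domain, which is why the setting appears not to work on localhost.
        internal static void RequireSharedDomain(string domain)
        {
            if (string.IsNullOrWhiteSpace(domain) || domain[0] != '.')
            {
                throw new ArgumentException(
                    "CookieDomain must start with '.' to cover all subdomains.", "domain");
            }

            // ".com" alone would be a public suffix; browsers refuse such a cookie.
            if (domain.Substring(1).Split('.').Length < 2)
            {
                throw new ArgumentException(
                    "CookieDomain must name a registrable domain, e.g. \".myapp.com\".", "domain");
            }
        }
    }
}
```

With CookieDomain set, one cookie is accepted by every host under the domain, so a leak on any tenant's subdomain exposes the session on all of them; CookieHttpOnly and CookieSecure = Always are the two options that narrow that exposure. Sharing the cookie across separately deployed sites additionally requires the identical machineKey described in the answers below, since each site must be able to decrypt and validate the ticket.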
16

This was driving me crazy until I learned that Identity 2.0 still depends on the machine key to encrypt the Authentication cookie. So if you want two instances of the same application on different sub-domains then you need to set the same machine key for each application.

So in summary:

  1. CookieDomain = ".myapp.com"
  2. Set identical machine keys in each application's web config

    <system.web>
      <machineKey decryptionKey="EEEB09D446CCFE71B82631D37DEDCC917B8CB01EC315" validationKey="60E4EFE8DD26C4BF8CDAEDCA10716C85820839A207C56C8140DB7E32BE04630AD631EDF25C748D0F539918283C5858AF456DBE208320CFFA69244B4E589" />
    </system.web>

This answer led me to setting the values: Does ASP.NET Identity 2 use machinekey to hash the password?

BrandorK
  • I've experienced the same. The session cookie is encrypted using the machine key, so different applications sharing the same cookie must have the same key to be able to decrypt it. – Arjen Jul 24 '14 at 08:35
  • Anyone happen to know the solution to this in 2019? I have two sites on different subdomains and when you log into one it logs you out of the other, the Identity cookie values don't match and overwrite one another upon login. – RugerSR9 May 09 '19 at 22:14
14

In the Startup.Auth.cs file, add the CookieDomain parameter with your domain:

    var cookieAuthenticationOptions = new CookieAuthenticationOptions
    {
        AuthenticationType  = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath           = new PathString("/Account/Login"),
        CookieDomain        = ".mydomain.com"
    };

    // Register the options with the OWIN pipeline.
    app.UseCookieAuthentication(cookieAuthenticationOptions);

Then for all websites you need to set a unique machine key. The easiest way to generate a new one is using IIS:

Find the "Machine Key" option on your site:

[screenshot: the "Machine Key" feature in the IIS Manager site view]

Click the "Generate Keys" button to get your keys.

[screenshot: the "Generate Keys" action in the Machine Key feature]

Finally, the above process will add the following to your web.config and you need to ensure that this is copied into each of your sites.

    <machineKey
      validationKey="DAD9E2B0F9..."
      decryptionKey="ADD1C39C02..."
      validation="SHA1"
      decryption="AES"
    />

JDandChips
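BrandorK's answer and this one both come down to pasting an identical machineKey element into every site's web.config. As an added example that is not part of either answer, the console program below generates such an element with keys from the CLR's cryptographic random number generator and offers a check that an existing decryptionKey has a length AES will accept; the algorithm names and key sizes are this example's choices, not values taken from the page.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Example key generator (not part of any answer above). Run once, then paste
// the printed element into <system.web> of every site that must accept the
// same Identity cookie.
public static class MachineKeyTool
{
    // Sizes chosen for the algorithms named in BuildElement: a 64-byte key for
    // HMACSHA256 validation and a 32-byte key for AES-256 decryption.
    public const int ValidationKeyBytes = 64;
    public const int DecryptionKeyBytes = 32;

    // machineKey attributes take upper-case hex.
    public static string NewHexKey(int byteCount)
    {
        var bytes = new byte[byteCount];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        var hex = new StringBuilder(byteCount * 2);
        foreach (var b in bytes)
        {
            hex.Append(b.ToString("X2", CultureInfo.InvariantCulture));
        }
        return hex.ToString();
    }

    // Returns true when a decryptionKey value is hex of a length AES accepts
    // (16, 24 or 32 bytes). Any other length fails at runtime in every site
    // that carries it, so check before copying a key around.
    public static bool IsValidAesDecryptionKey(string hexKey)
    {
        if (string.IsNullOrEmpty(hexKey) || hexKey.Length % 2 != 0)
        {
            return false;
        }
        foreach (var c in hexKey)
        {
            if (!Uri.IsHexDigit(c))
            {
                return false;
            }
        }
        var byteCount = hexKey.Length / 2;
        return byteCount == 16 || byteCount == 24 || byteCount == 32;
    }

    // Builds the element to paste into <system.web>.
    public static string BuildElement()
    {
        return string.Format(CultureInfo.InvariantCulture,
            "<machineKey validationKey=\"{0}\" decryptionKey=\"{1}\" " +
            "validation=\"HMACSHA256\" decryption=\"AES\" />",
            NewHexKey(ValidationKeyBytes), NewHexKey(DecryptionKeyBytes));
    }

    public static void Main()
    {
        Console.WriteLine(BuildElement());
    }
}
```

Because the same value has to be present in every site's web.config, it is in effect a shared secret for the whole tenant domain: keep it out of source control, protect that section on each server (for example with aspnet_regiis -pe "system.web/machineKey"), and expect that rotating it signs every user out of every site at once.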
12

You need to set up in web.config the same machineKey for ALL websites/applications.

All websites MUST HAVE at least this configuration.

http://msdn.microsoft.com/en-us/library/w8h3skw9(v=vs.85).aspx

    <system.web>
      <authentication mode="Forms">
        <forms loginUrl="~/Account/Login" timeout="2880" name=".ASPXAUTH" protection="Validation" path="/" domain=".myserver.dev" />
      </authentication>
      <machineKey validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE" decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F" validation="SHA1" decryption="Auto"/>
    </system.web>

This is an example.

christiangobo
  • The problem is that I'm not using forms authentication. I'm using the ASP.NET Identity Framework with Session Authentication. – orourkedd Oct 13 '13 at 21:14
  • You are right, this helped. Also, for localhost, I had to go to 127.0.0.1 and use local iis. If you're not using Forms authentication you can leave that part out, but the machineKey is needed for .Net Identity – Jeremy Ray Brown Feb 11 '19 at 20:21