0

I have a ASP.NET MVC5 web app that uses Identity Framework 2.0 for user administration. On the authenticated side of our app, the users fill out a series of forms, and then are sent through a Docusign in-session powerform. (Docusign Embedded Signing, powerform, url) When the users are finished signing I have set-up callback url's for successful signature and declined to sign events. The successful signature callback is located in the area of my app that requires users to be authenticated, once they get redirected to my site though they are logged out, although they were logged in before they left. I have persistent logins set to true in my login and register action methods, as well as sliding expiration set up on my cookies. Fiddler indicates that when the users are called back from docusign the .AspNet.ApplicationCookie has a different value than before they left.

This only occurs the FIRST time the users are sent to docusign. If a user repeats the process for a second time they are already logged into my site when they get redirected by docusign and the cookie is unaltered.

I'll be closely monitoring this thread, if you have any questions or need clarification or code examples I will gladly provide.

ekad
  • 14,436
  • 26
  • 44
  • 46
Jake Garrison
  • 403
  • 4
  • 10
  • 1
    "Fiddler indicates that cookie has a different value" sounds like a problem with your site and docusign has nothing to do. Cookies are stored locally in the browser at the client side. Another domain has no access to your cookies. If I were you I would once again use Fiddler to inspect request and responses with regards to the `Set-Cookie` header that actually sets the value. It is unlikely that the browser just alters the value, I would rather believe you somehow set it more than once somewhere somehow. – Wiktor Zychla Mar 06 '15 at 22:48

1 Answers1

1

Thank You Wiktor Zychla for pointing out cross-site scripting rules regarding domains and cookies.

The issue was with 30x redirects and set-cookie. Safari has a bug - documented here and SO has questions regarding it here

I was having Docusign redirect back into an authenticated area of my site, without the cookies the users were not authenticated therefor they were prompted to login. This did not occur any time there-after because the cookie was already set in place.

My solution was to redirect from external to a public landing page, which then redirected them to the intended authorized page. (since the cookies were set on the public page, they get passed to the authorized page, and the persisted login succeeds)

I also got tripped up with cookies and domains (I was redirecting to www.mysite.com instead of mysite.com)

Community
  • 1
  • 1
Jake Garrison
  • 403
  • 4
  • 10