1

Scenario:

Two separate web projects, running om these domains:

  • account.ilovepandas.com
  • ilovepandas.com

Using ASP.Net Identity, is there a simple way in MVC5 to implement a shared login, so that if the user is logged in to ilovepandas.com and goes to account.ilovepandas.com, he will already be authenticated?

I have done research on the topic, and there are some quite complicated solutions out there, like Thinktecture, OWIN authorization server. My hope is, that since MVC4-5 gave us a big overhaul of Identity, maybe there is an easier solution now, that I have just not been able to find.

It would seem to me to be as simple as letting them share the auth-cookie.

Kjensen
  • 12,447
  • 36
  • 109
  • 171
  • The method outlined in this post works: http://stackoverflow.com/questions/19166599/asp-net-identity-cookie-across-subdomains – Kjensen Jun 07 '15 at 15:42

1 Answers1

2

TL;DR: Assuming both apps share the same top-level domain, you can share the authentication cookie. Set the domain on the cookie, and share any keys necessary to decrypt it between the apps.

Here, I'm going to assume you're using FormsAuthentication.

1) Add the domain attribute to the authentication/forms section:

<authentication mode="Forms">
  <forms loginUrl="~/account/login"
         timeout="2880"
         defaultUrl="~/"
         slidingExpiration="true"
         protection="All"
         domain=".yourdomain.tld"
         name="YOUR_COOKIE_NAME" />

Note the leading period on the domain.

2) In order for both apps to be able to decrypt the cookie, you need to add a machineKey to both, and use the same validation and encryption keys:

<machinekey compatibilitymode="Framework45"
            validation="HMACSHA256"
            validationkey="YOURVALIDATIONKEYHERE"
            decryption="AES"
            decryptionkey="YOURDECRYPTIONKEYHERE" />

You can use the machine key tool in IIS Manager (assuming you have access to the web server), or whatever other tool gets you valid keys. If you need a suggestion, I built an app you can use here, which links to it's Github project if you want to generate your own keys.

For completeness:

Here's the class that will generate valid keys:

public class KeyGenerator
{
    public string GenerateKey(int length, bool useUpperCase = true)
    {
        byte[] buffer = new byte[length];
        var randomNumberGenerator = new RNGCryptoServiceProvider();
        randomNumberGenerator.GetBytes(buffer);

        return ToHexString(buffer, true);
    }

    private static string ToHexString(byte[] bytes, bool useUpperCase = false)
    {
        var hex = string.Concat(bytes.Select(b => b.ToString(useUpperCase ? "X2" : "x2")));

        return hex;
    }
}

And you would use something like this to get your keys:

var generator = new KeyGenerator();

/* 512 bits = 64 bytes (512 / 8) */
string validationKey = generator.GenerateKey(64);

/* 256 bits = 32 bytes (256 / 8) */
string decryptionKey = generator.GenerateKey(32);
Tieson T.
  • 20,774
  • 6
  • 77
  • 92
  • Your answer is much appreciated. However, the new membership system is based on OWIN rather than the ASP.NET Forms Authentication module. So doing modifications to settings in Forms Authentication will not really do anything. Or am I missing something? – Kjensen Jun 07 '15 at 13:31
  • @Kjensen To be honest, I don't know. I haven't had a project that required me to learn how OWIN works yet, since everything we do gets hosted on IIS. – Tieson T. Jun 07 '15 at 18:45
  • I found a solution and marked this question as duplicate. Thanks for your effort. :) – Kjensen Jun 07 '15 at 19:30