
I have 2 applications (one .NET and the other an Angular SPA (web services in .NET)) with the same domain name. I need to enable SSO for these 2 applications. Both web.config files have the same machine key and they are enabled for Forms authentication mode.

I log in to the .NET site, and I present the angular site in an iFrame. When opening the iframe, the API call includes the .ASPXAUTH cookie in the request header but HttpContext.User.Identity.Authenticated is set to false. So it returns a 404 and redirects to the login page for the angular site within the iframe.

The auth cookie is HttpOnly so angular is unable to read it. But since the cookie is set in the request header, the API (.NET) method should consider it as authenticated, and it does not. Anything I am missing?

Dave
  • are you using the same auth cookie name for both applications? – AMember Dec 16 '15 at 18:49
  • 1
    I would start with checking something like `FormsAuthentication.Decrypt(HttpContext.Request.Cookies[FormsAuthentication.FormsCookieName].Value)` on the API request, so that you can ensure the value passed can be decrypted and contains a valid user identifier which can be used by the API – Lanorkin Dec 30 '16 at 09:46
  • Hi @Lanorkin, I'm not sure if OP is still active, I just had the same problem and saw that the question has not been answered yet, so I added the bounty. I already have an `Application_PostAuthenticateRequest` (check step 5 of [this post](http://stackoverflow.com/questions/1064271/asp-net-mvc-set-custom-iidentity-or-iprincipal/10524305#10524305)) method in my global asax. When I send a request from postman, it says that the request has 1 cookie, whereas when I send it from angular it says 0. I've checked both the angular and postman cookie, and the two values are identical. – nick zoum Dec 30 '16 at 10:31
  • @nickzoum so maybe it's better to start your own question then, as anything can be involved here like CORS or http-only/secure for cookies etc – Lanorkin Dec 30 '16 at 10:34
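Following Lanorkin's suggestion above, here is an added example (not code from the question or any commenter) of a `Global.asax.cs` handler for the API application that makes each failure point visible: whether the cookie arrived at all, whether it decrypts under this app's `machineKey`, and whether the ticket is still valid. It assumes both apps share the `<machineKey>` and forms cookie name, that Trace output is collected (e.g. in the IIS log or a trace listener), and that `UserData` holds a comma-separated role list (a hypothetical format, not something the page states). Under normal operation the built-in FormsAuthenticationModule does this work itself; this handler only re-checks the same steps so the reason for `IsAuthenticated == false` can be seen.

```csharp
// Global.asax.cs of the API application (added example; assumes shared machineKey
// and cookie name between the two apps, as described in the question).
using System;
using System.Diagnostics;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        HttpCookie cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null)
        {
            // The browser did not send the cookie to this app: check the Path and Domain
            // of the cookie issued by the first application and the cookie name in both web.configs.
            Trace.WriteLine("No forms auth cookie named " + FormsAuthentication.FormsCookieName);
            return;
        }

        FormsAuthenticationTicket ticket;
        try
        {
            // Throws if the validation/decryption keys differ between the two applications.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception ex)
        {
            Trace.WriteLine("Forms ticket could not be decrypted: " + ex.Message);
            return;
        }

        if (ticket == null || ticket.Expired)
        {
            Trace.WriteLine("Forms ticket missing or expired");
            return;
        }

        // Ticket is valid for this app: establish the principal so that
        // HttpContext.User.Identity.IsAuthenticated is true for the API call.
        // Hypothetical assumption: UserData is a comma-separated list of role names.
        string[] roles = string.IsNullOrEmpty(ticket.UserData)
            ? new string[0]
            : ticket.UserData.Split(',');
        ctx.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}
```

If the first message is logged, the cookie scope (Path/Domain) is the problem; if the second, the `machineKey` elements do not match; if the third, the ticket timeout or clock skew between the two apps is the cause.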

1 Answer


There is some information lacking to be sure to answer this question correctly, but I think this has something to do with the same-origin policy. You have to explicitly set the origin of the iFrame in order for your cookie not to be recognized as a cross-site request, and therefore it will not be applied by ASP.NET. Your Origin HTTP header has to be set to a valid origin and referrer.

Please also take a look at this question. It explains the same-origin policy briefly.

Dibran