
We have two ASP applications running on the same server (in different subdomains). The first one is a Web Forms application (I'll call it App A) and the new one is an ASP.NET MVC application (App B).

App B needs to log in to the restricted area of App A. I read on the web about sharing cookies between different applications, but in my tests the redirect works, however the cookies can't be found.

Here's how I send cookies in App B:

var log = auth.GetLogin(user, password, Request.ServerVariables["REMOTE_ADDR"], 1);

if (!log.isPasswordValid)
    throw new Exception("user or password incorrect!");

FormsAuthentication.SetAuthCookie(user, false);

And, in the App A, here's how I try to get the cookie:

if (HttpContext.Current.Request.Cookies["ASPXAUTH"] != null)
{
    var user = HttpContext.Current.Request.Cookies["ASPXAUTH"].Value;
    Session["LoginUser"] = user;
}

The ASPXAUTH key is the authentication setting in Web.config:

<authentication mode="Forms">
  <forms loginUrl="/Login/Acess" enableCrossAppRedirects="true" path="/" name=".ASPXAUTHX" domain="dev.com.br" protection="All" />
</authentication>

The worst part is that I can't even debug the application to check the values :(

Can someone help me?

EDIT 1

I followed the instructions on this page and sometimes I get the redirect "correctly", but with no sessions at all.

Here's the code (in App A, where I receive the cookies):

if (HttpContext.Current.Request.IsAuthenticated)
{
    var userId = string.Empty;
    for (int i = 0; i < HttpContext.Current.User.Identity.Name.Length; i++)
    {
        userId += HttpContext.Current.User.Identity.Name[i];
    }
}

Sometimes the userId doesn't come, and it throws an exception at the Length part (HttpContext.Current.User.Identity.Name comes back null).

My thought is that the ApplicationName of App A is not the same as App B's, but I tried to change it as described on this page and it didn't work.

Can somebody help me?

Samuel Liew
Guilherme Golfetto
  • If you have two different applications, can you persist this information with some persistence layer like a database and retrieve it in both apps? If it is larger information, you can save it in XML, pass it to your database and use it again in the next app. – ankur Dec 06 '17 at 13:42
  • I wish I could do that, but I can't touch the App A code, it's a hot database :( – Guilherme Golfetto Dec 06 '17 at 14:06

3 Answers


The following example shows the Authentication section of a Web.config file. Unless otherwise noted, the name, protection, path, validationKey, validation, decryptionKey, and decryption attributes must be identical across all applications. Similarly, the encryption and validation keys and the encryption scheme and validation scheme used for cookie data must be exactly the same. If the settings do not match, cookies cannot be shared.

<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- The name, protection, and path attributes must match
           exactly in each Web.config file. -->
      <forms loginUrl="login.aspx"
             name=".ASPXFORMSAUTH"
             protection="All"
             path="/"
             timeout="30"
             domain="MyWeb.com" />
    </authentication>

    <!-- Validation and decryption keys must exactly match and cannot
         be set to "AutoGenerate". The validation and decryption
         algorithms must also be the same. -->
    <machineKey
      validationKey="[your key here]" 
      decryptionKey="[your key here]" 
      validation="SHA1" />
  </system.web>
</configuration>
Praveen Maurya
  • Let me ask you, is the `loginUrl="login.aspx"` the destination URL or the origin URL? – Guilherme Golfetto Dec 06 '17 at 15:58
  • It's the page which provides login authentication in your application. Just make sure that "name, protection, path, validationKey, validation, decryptionKey" are the same in both your projects. – Praveen Maurya Dec 07 '17 at 06:17
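The requirement this answer quotes (identical name, path, domain, protection and machineKey in every Web.config) can be seen in miniature with the following added example. It is not ASP.NET code and not the answer author's code: it models the forms ticket as an HMAC-SHA256-signed set of claims only (ASP.NET with protection="All" additionally encrypts the ticket with decryptionKey), and the key, the user name and the host name dev.example are constructed sample values. App B issues the cookie and App A reads it; the demo shows the read succeeding under identical settings and failing closed for a different cookie name (the same kind of mismatch as Cookies["ASPXAUTH"] against name=".ASPXAUTHX" in the question), a different validationKey, an expired ticket and a ticket whose claims were altered after signing.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class FormsConfig:
    """The <forms> / <machineKey> attributes the answer says must agree between apps."""
    name: str              # <forms name="...">: the cookie name both apps look for
    domain: str            # <forms domain="...">: parent domain shared by the subdomains
    path: str              # <forms path="/">
    protection: str        # <forms protection="All">
    validation: str        # <machineKey validation="HMACSHA256">
    validation_key: bytes  # <machineKey validationKey="...">: the shared secret


def config_mismatches(a: FormsConfig, b: FormsConfig) -> list:
    """Attributes that differ between two apps; an empty list means tickets can be shared."""
    fields = ("name", "domain", "path", "protection", "validation", "validation_key")
    return [f for f in fields if getattr(a, f) != getattr(b, f)]


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(cfg: FormsConfig, username: str, ttl_seconds: int, now: int) -> dict:
    """Issuer side (stands in for SetAuthCookie): MAC the claims with the shared key and
    return the Set-Cookie attributes the browser will apply."""
    payload = json.dumps({"u": username, "exp": now + ttl_seconds},
                         separators=(",", ":")).encode()
    tag = hmac.new(cfg.validation_key, payload, hashlib.sha256).digest()
    return {"name": cfg.name, "domain": cfg.domain, "path": cfg.path,
            "value": _b64(payload) + "." + _b64(tag)}


def read_ticket(cfg: FormsConfig, cookies: dict, now: int) -> Optional[str]:
    """Consumer side: the username, or None if the cookie is missing under the configured
    name, is malformed, fails the MAC under the configured key, or has expired."""
    raw = cookies.get(cfg.name)
    if raw is None or "." not in raw:
        return None  # a name mismatch looks exactly like "cookie not found"
    payload_b64, tag_b64 = raw.split(".", 1)
    try:
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
        claims = json.loads(payload)
    except ValueError:
        return None
    expected = hmac.new(cfg.validation_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # issued under another validationKey, or altered: never trust the claims
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims.get("u")


def demo_shared_ticket() -> dict:
    """App B issues, App A reads: identical config works; every mismatch fails closed."""
    now = 1_700_000_000                       # fixed clock so the result is reproducible
    key = b"constructed-shared-machineKey"    # constructed sample, not a real key
    app_a = FormsConfig(".ASPXFORMSAUTH", "dev.example", "/", "All", "HMACSHA256", key)
    app_b = FormsConfig(".ASPXFORMSAUTH", "dev.example", "/", "All", "HMACSHA256", key)
    cookie = issue_ticket(app_b, "guilherme", 1800, now)
    jar = {cookie["name"]: cookie["value"]}   # browser sends it to every dev.example subdomain
    # Same claims with the user swapped, but the original tag: the MAC must reject it.
    forged_payload = _b64(json.dumps({"u": "admin", "exp": now + 1800},
                                     separators=(",", ":")).encode())
    forged_jar = {cookie["name"]: forged_payload + "." + cookie["value"].split(".", 1)[1]}
    return {
        "matching": read_ticket(app_a, jar, now),
        "wrong_name": read_ticket(replace(app_a, name=".ASPXAUTHX"), jar, now),
        "wrong_key": read_ticket(replace(app_a, validation_key=b"autogenerated-elsewhere"), jar, now),
        "expired": read_ticket(app_a, jar, now + 1800),
        "tampered": read_ticket(app_a, forged_jar, now),
        "mismatches": config_mismatches(app_a, replace(app_a, name=".OTHER", validation_key=b"x")),
    }
```

Running `demo_shared_ticket()` returns the user name only for the matching case; `config_mismatches` is the check to run against both Web.configs before chasing the problem in code, since a difference in any listed attribute produces the "cookie can't be found" or "Name is null" symptoms from the question.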

With the help of the Single Sign On or WCF STS concept, you can share cookies with any number of applications.

Single Sign On Concept:

I have created three projects. The first project (website1) provides the UI presentation and all required functionality. The second project (website2) provides service-related functionality. The third project (SSO) handles the authentication-related functionality and user management.

The SSO project provides the logged-in user's information (cookies).

SSO Project Configuration:

Web.config :

<machineKey validationKey="(Machine Key)" decryptionKey="(Decryption Key)" validation="HMACSHA256" decryption="AES"/>
<authentication mode="Forms">
  <forms name="SingleSignOn" loginUrl="http://(sso hosted application)/Account/login" timeout="480" slidingExpiration="true"/>
</authentication>

AccountController.cs

public class AccountController : Controller
{
    [AllowAnonymous]
    [HttpGet]
    public ActionResult Login(string returnUrl)
    {
        if (Request.IsAuthenticated)
        {
            return RedirectToAction("Index", "Home");
        }
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    [HttpPost]
    public ActionResult Login(string username, string password, string returnUrl)
    {
        // Credential verification against the user store is omitted in this sample;
        // it must succeed before the authentication cookie is issued.
        FormsAuthentication.SetAuthCookie(username, false);
        if (!string.IsNullOrEmpty(returnUrl))
        {
            // returnUrl comes from the client: restrict it to the known relying-party hosts.
            return Redirect(returnUrl);
        }
        return RedirectToAction("Index", "Home");
    }
}

Website1:

Web.config

<machineKey validationKey="(Machine Key)" decryptionKey="(Decryption Key)" validation="HMACSHA256" decryption="AES"/>
<authentication mode="Forms">
  <forms name="SingleSignOn" loginUrl="http://(sso hosted application)/Account/login" timeout="480" slidingExpiration="true"/>
</authentication>

Note: Your SSO application's machine key and decryption key must be the same, otherwise it will not work.

HomeController.cs

public class HomeController : Controller
{
    [Authorize]
    public ActionResult Index()
    {
        var name = User.Identity.Name;
        return View();
    }
}

When we launch website1, the Authorize attribute does not allow viewing the home page. It redirects to the authentication page; once authentication succeeds, the page is redirected with the help of the return URL back to the website1 home page. The SSO application shares the authenticated user information with the help of the same machine key and decryption key configuration.

You can create a custom principal and use it in your application.


I would suggest a different approach to sharing "cookie" values across different websites.

Based on the following facts:

  • You have access to both website source codes
  • Both websites have access to at least one table of the other website, or at least to some service that can be called from the other website.
  • All the cookies are being created in the C# code and NOT in the JavaScript (but this point is really not that critical, because you can still solve it).
  • There is a way to match a user of website A with one of website B.

Then I would do the following:

  • As soon as you create/update/delete a cookie on website A, you need to keep this information in the database of this website. You store it there and, at the same time, you save the same value directly in website B's DB or call the service that does this for you.
  • Then, how often you update the list is up to you: only at the login action, or you can make a fast query on every request, or you simply expire the cookie every 5 minutes or so in order to refresh them; you have flexibility here.
Dryadwoods
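The approach this answer sketches (keep the login state in a store both websites can reach, and refresh or expire it on a schedule) is shown in the following added example; it is not the answer author's code and not tied to ASP.NET. The in-memory `SharedSessionStore` stands in for the shared table or service; the user ids and timestamps are constructed sample values. The design choice worth noting is that the cookie carries only an unguessable session id, never the user id itself, so the store, not the cookie, is the source of truth: a forged id resolves to nothing, a logout on website A is immediately visible to website B, and the "refresh every 5 minutes" idea becomes a sliding expiry applied on each request.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class SessionRow:
    user_id: str
    expires_at: int


class SharedSessionStore:
    """Stands in for the table (or service) both websites can reach.
    The browser only ever sees the opaque session id used as the key."""

    def __init__(self) -> None:
        self._rows: Dict[str, SessionRow] = {}

    def put(self, sid: str, row: SessionRow) -> None:
        self._rows[sid] = row

    def get(self, sid: str) -> Optional[SessionRow]:
        return self._rows.get(sid)

    def delete(self, sid: str) -> None:
        self._rows.pop(sid, None)


def login(store: SharedSessionStore, user_id: str, now: int, ttl: int) -> str:
    """Website A's login action: mint an unguessable id and record it in the shared store.
    The return value is what goes into the cookie (set HttpOnly, Secure, Domain=parent domain)."""
    sid = secrets.token_urlsafe(32)   # 256 bits of randomness; never derived from the user id
    store.put(sid, SessionRow(user_id, now + ttl))
    return sid


def resolve(store: SharedSessionStore, cookie_value: Optional[str], now: int,
            ttl: Optional[int] = None) -> Optional[str]:
    """Either website, on a request: map the cookie back to a user id, or None.
    Passing ttl turns the answer's 'refresh every N minutes' into a sliding expiry."""
    if not cookie_value:
        return None
    row = store.get(cookie_value)
    if row is None:
        return None                    # unknown, forged or already-revoked id
    if row.expires_at <= now:
        store.delete(cookie_value)     # expired: purge so it cannot be revived
        return None
    if ttl is not None:
        row.expires_at = now + ttl     # activity extends the session
    return row.user_id


def logout(store: SharedSessionStore, cookie_value: str) -> None:
    """Deleting the row logs the user out of both websites at once."""
    store.delete(cookie_value)


def demo_shared_store() -> dict:
    """Login on website A, resolve on website B, then revoke and expire."""
    now = 1_700_000_000                      # fixed clock so the result is reproducible
    store = SharedSessionStore()             # both websites point at the same store
    sid = login(store, "user-42", now, ttl=300)
    forged = sid[:-1] + ("A" if sid[-1] != "A" else "B")   # guaranteed to differ from sid
    results = {
        "seen_on_b": resolve(store, sid, now + 10),
        "forged": resolve(store, forged, now + 10),
        "refreshed": resolve(store, sid, now + 290, ttl=300),   # expiry slides to now + 590
        "still_valid_after_refresh": resolve(store, sid, now + 400),
    }
    logout(store, sid)                                        # logout on website A
    results["after_logout"] = resolve(store, sid, now + 400)  # website B sees it immediately
    sid2 = login(store, "user-42", now, ttl=300)
    results["expired"] = resolve(store, sid2, now + 300)      # no refresh: hard expiry
    return results
```

The store is the single place where the login state lives, so the two websites never need to agree on cookie formats or keys, which is what makes this approach independent of the Forms authentication settings discussed in the other answers.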