3

I have two applications in the same domain, like this:

http://example.com/MvcApp
http://example.com/WebFormsApp

As expected, one is ASP.NET MVC 5, the other is Web Forms, both using .NET framework 4.6.1.

The MVC App

In the ASP.NET MVC 5, I'm creating the forms authentication cookie like this:

var ticket = new FormsAuthenticationTicket(1,
    userName,
    DateTime.Now,
    DateTime.Now.AddMinutes(30),
    true,
    userData,
    FormsAuthentication.FormsCookiePath
);

var encTicket = FormsAuthentication.Encrypt(ticket);
var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket);
Response.Cookies.Add(cookie);

My web.config looks like this:

<system.web>
  <authentication mode="Forms">
    <forms name=".ASPXFORMSAUTH" loginUrl="/Account/Login" defaultUrl="default.aspx" protection="All" timeout="60" path="/" requireSSL="false" slidingExpiration="true" enableCrossAppRedirects="false" cookieless="UseDeviceProfile"/>
  </authentication>
  <compilation debug="true" targetFramework="4.6.1" />
  <httpRuntime targetFramework="4.6.1" />
  <machineKey validationKey="D011D22E385D3BC154D5CF0FCC15EF4843A468FB866FD6EEC533E1E30E6F097232DD9698E62DE6F176BA0DAB9E6925089EB25B20C57C659DD52F78DC025E192B" decryptionKey="5A350E0E7EDF07E5633B492B2F1A17ABC4DF5CF55C8922BD021C344ACE66CA42" validation="SHA1" decryption="AES"/>
</system.web>

Web Forms App

In the web forms app, the web.config looks as follows:

<system.web>
  <globalization requestEncoding="utf-8" responseEncoding="utf-8" culture="pt-BR"/>
  <customErrors mode="Off"/>
  <authentication mode="Forms">
    <forms name=".ASPXFORMSAUTH" loginUrl="che-login-win.aspx" defaultUrl="default.aspx" protection="All" timeout="60" path="/" requireSSL="false" slidingExpiration="true" enableCrossAppRedirects="false" cookieless="UseDeviceProfile"/>
  </authentication>
  <identity impersonate="true"/>
  <authorization>
    <deny users="?"/>
  </authorization>
  <machineKey validationKey="D011D22E385D3BC154D5CF0FCC15EF4843A468FB866FD6EEC533E1E30E6F097232DD9698E62DE6F176BA0DAB9E6925089EB25B20C57C659DD52F78DC025E192B" decryptionKey="5A350E0E7EDF07E5633B492B2F1A17ABC4DF5CF55C8922BD021C344ACE66CA42" validation="SHA1" decryption="AES"/>
  <httpRuntime requestValidationMode="2.0" maxRequestLength="8192" executionTimeout="9999"/>
</system.web>

As you may have noticed, both web.configs are using the same name for the forms tag, and they are using the same machine key attributes. They reside inside the same website in my IIS, under the same domain (there are no subdomains).

When I log in to the MVC app, if I open the browser console, I can see the cookie there with the name I set in web.config.

However, if I open the web forms app, it redirects me to the login page, as if I wasn't logged in. When I open the browser console in the web forms app tab, I can see the cookie there as well.

The web forms project has a login page which creates the forms ticket and the cookie just like the MVC app does, and when I log in from there, it works.

What am I missing?

Alisson Reinaldo Silva
    After this, I would advise you to change the machine key ;-) – Stefan Mar 28 '18 at 13:56
  • @Stefan thank you for the advice, I used IIS to generate a random machine key just for to make clear I'm using the same (this is not the real machine key). Actually I would like to get rid of explicitly defining a machine key one day, but I need it to allow [SignalR to be used in cluster](https://stackoverflow.com/a/43479633/2263507) as well. For now, I'm testing in a single server (but I'm going to host both apps in several servers afterwards). – Alisson Reinaldo Silva Mar 28 '18 at 14:04
  • You might want to set ` domain` attribute for ` – Chetan Mar 28 '18 at 14:24
  • Possible duplicate of [How can I share .net (C#) based authenticated session between web forms and MVC2 applications?](https://stackoverflow.com/questions/5161562/how-can-i-share-net-c-based-authenticated-session-between-web-forms-and-mvc2) – NightOwl888 Mar 28 '18 at 18:19
  • @NightOwl888 it sounds a duplicate, except that I already did everything they suggested, but it didn't work. – Alisson Reinaldo Silva Mar 28 '18 at 19:18
  • @Alisson - I don't see the `domain` attribute in your example. All of the other similar questions include one. Have you tried that? See [this answer](https://stackoverflow.com/a/28736392) - it apparently also doesn't work with `localhost` as the domain. – NightOwl888 Mar 28 '18 at 19:44
  • @NightOwl888 there should be no need to explicitly define the domain, this is usually used when you have apps in different subdomains, which is not my case. Anyway, I tried defining the domain just to be sure, and unfortunately it didn't work as well :( – Alisson Reinaldo Silva Mar 28 '18 at 19:54
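An added diagnostic helper (not code from the question or the answer) that reports, from inside each app, what that app expects of the ticket and whether the cookie it receives actually decrypts, so the two outputs can be compared side by side. It assumes a page in the Web Forms app that anonymous users are allowed to reach (via a `<location>` override) from which `FormsTicketDiagnostics.Inspect(Request)` is called; the class and its keys are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Configuration;
using System.Web.Security;

public static class FormsTicketDiagnostics
{
    public static IDictionary<string, string> Inspect(HttpRequest request)
    {
        var report = new Dictionary<string, string>();

        // Which ticket-protection pipeline this app uses depends on these two
        // settings as well as on the key material. <httpRuntime targetFramework="4.5"/>
        // or later implicitly selects machineKey compatibilityMode="Framework45";
        // an app without that attribute stays on the Framework20SP1 pipeline.
        var mk = (MachineKeySection)WebConfigurationManager.GetSection("system.web/machineKey");
        report["httpRuntime.targetFramework"] = HttpRuntime.TargetFramework.ToString();
        report["machineKey.compatibilityMode"] = mk.CompatibilityMode.ToString();
        report["machineKey.validation"] = mk.Validation.ToString();
        report["machineKey.decryption"] = mk.Decryption;

        // Cookie name and path that *this* app expects (compare with the other app).
        report["forms.cookieName"] = FormsAuthentication.FormsCookieName;
        report["forms.cookiePath"] = FormsAuthentication.FormsCookiePath;

        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null)
        {
            report["cookie"] = "absent: the browser did not send it for this path/domain";
            return report;
        }

        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            if (ticket == null)
            {
                report["ticket"] = "Decrypt returned null: key or pipeline mismatch";
                return report;
            }
            report["ticket.name"] = ticket.Name;
            report["ticket.cookiePath"] = ticket.CookiePath;
            report["ticket.expired"] = ticket.Expired.ToString();
            report["ticket.expiration"] = ticket.Expiration.ToString("o");
        }
        catch (Exception ex)
        {
            // "Unable to validate data" / CryptographicException: the ticket was
            // protected with different keys or a different pipeline than this app uses.
            report["ticket"] = ex.GetType().Name + ": " + ex.Message;
        }
        return report;
    }
}
```

Note that the MVC config above sets `<httpRuntime targetFramework="4.6.1" />` while the Web Forms `<httpRuntime>` has no `targetFramework`, so the two apps can end up on different `compatibilityMode` values even with identical `validationKey` and `decryptionKey`; the report makes that difference visible.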

1 Answer

0

I am currently struggling with this exact same issue. If you got your example to work, please post the solution.

It seems that you have done everything that is required based on the relevant MSDN documentation:

> Unless otherwise noted, the name, protection, path, validationKey, validation, decryptionKey, and decryption attributes must be identical across all applications. Similarly, the encryption and validation key values and the encryption scheme and validation scheme used for authentication tickets (cookie data) must be the same. (MSDN source)

As @NightOwl888 mentioned in the comments though, you need to set `enableCrossAppRedirects="true"` in both applications.

https://learn.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.enablecrossappredirects?view=netframework-4.7.2

I found this older SO question helpful. This ended up working for me on our Test servers, but not in Production. There must be additional undocumented relevant settings.

Synctrex