4

We have multiple applications setup in IIS with one application handling the login for all applications. This application is an asp.net 4 site and uses a forms authentication cookie.

<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" protection="All" cookieless="UseCookies" path="/" name="CookieName" />
</authentication>

We can successfully use this cookie to login to asp.net 4.5 apps using owin.

app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            TicketDataFormat = new SharedTicketDataFormat(),
            CookieName = "CookieName",
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                OnValidateIdentity =
                    SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(30),
                        regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });


public class SharedTicketDataFormat : ISecureDataFormat<AuthenticationTicket>
{
    public string Protect(AuthenticationTicket data)
    {
        return FormsAuthentication.Encrypt(new FormsAuthenticationTicket(data.Identity.Name, false, -1));
    }
    public AuthenticationTicket Unprotect(string protectedText)
    {
        var ticket = FormsAuthentication.Decrypt(protectedText);
        var identity = new FormsIdentity(ticket);
        return new AuthenticationTicket(identity, new AuthenticationProperties());
    }
}

In asp.net core 2.0 I do not know to to wire up the app to use the shared cookie

In Startup.cs Configure

app.UseAuthentication();

ConfigureServices

services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        })
        .AddCookie(options =>
        {
            options.Cookie.Name = "CookieName";
        });
Improve this question
3
  • Hi, Did you able to solve this? I am also looking for similar solution. Commented Jan 22, 2018 at 2:28
  • @SamJackSon No unfortunately not, due to time pressures we went back to asp.net 4.6. Commented Jan 22, 2018 at 9:06
  • Thanks for the reply @skyfoot. I attempted using this solution & initial results are good, seems to be working. Playing more with AuthorizationHandler. github.com/dazinator/AspNetCore.LegacyAuthCookieCompat Commented Jan 23, 2018 at 2:05

1 Answer 1

Reset to default
1

My understanding is that you need to change from relying on machine key for your cookie encryption and switch over to use a DataProtectionProvider. This article in the docs spells out everything very clearly:

https://learn.microsoft.com/en-us/aspnet/core/security/cookie-sharing?view=aspnetcore-3.1#share-authentication-cookies-with-aspnet-core-identity

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.