Sharing Authentication Cookies between ASP.NET 4.8 (ABP 4.19) and .NET 6 (ABP 7.3)
Hello everyone, I came here to seek some help.
Context
We have two Web applications, let’s call them Project A and B.
Both run on .NET Framework 4.8 with ABP 4.19.
They are sharing the authentication cookie enabling a kind of SSO and this works pretty well.
Now we are migrating Project B to .NET 6 with ABP 7.3 and we are not able to share the authentication cookie anymore.
What we did
We followed the Microsoft documentation and this related GitHub issue.
Steps done on Project A (.NET Framework - ABP 4.19)
- We added a reference to Microsoft.Owin.Security.Interop
- We modified the call to UseCookieAuthentication as follows:
According to the documentation, the CookieName and AuthenticationType/AuthenticationScheme in both applications must be identical. Also, it is stated that the AuthenticationType/AuthenticationScheme should be set to Identity.Application. Finally, the applications must use the same cookie format.
// Startup.Auth.cs (Project A). Namespaces this snippet depends on:
//   System, System.IO
//   Microsoft.AspNetCore.DataProtection      (DataProtectionProvider, SetApplicationName)
//   Microsoft.AspNet.Identity                (GetUserId)
//   Microsoft.AspNet.Identity.Owin           (SecurityStampValidator)
//   Microsoft.Owin                           (PathString)
//   Microsoft.Owin.Security.Cookies
//   Microsoft.Owin.Security.Interop          (AspNetTicketDataFormat, DataProtectorShim, ChunkingCookieManager)
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    // Must be identical to the scheme the ASP.NET Core side uses for its application cookie.
    AuthenticationType = "Identity.Application",
    CookieName = "SharedCookie",
    LoginPath = new PathString("/Account/Login"),
    LogoutPath = new PathString("/Account/Logout"),
    SlidingExpiration = true,
    ExpireTimeSpan = TimeSpan.FromMinutes(120),
    Provider = new CookieAuthenticationProvider
    {
        // The overload that takes a getUserId callback needs a third type argument (the key
        // type); int matches the int.Parse below. Arguments are passed positionally because
        // the parameter names differ between the two- and three-type-argument overloads.
        OnValidateIdentity =
            SecurityStampValidator
                .OnValidateIdentity<ApplicationUserManager, ApplicationUser, int>(
                    TimeSpan.FromMinutes(30),                      // validateInterval
                    (manager, user) =>                             // regenerate identity
                        manager.CreateIdentityAsync(user, "Identity.Application"),
                    id => int.Parse(id.GetUserId()))               // get user id from identity
    },
    // Same key directory, same application name and the same purpose chain
    // (middleware type name, scheme name, "v2") that ASP.NET Core's cookie handler uses.
    TicketDataFormat = new AspNetTicketDataFormat(
        new DataProtectorShim(
            DataProtectionProvider.Create(new DirectoryInfo("C:\\KeyDirectory"),
                builder => { builder.SetApplicationName("SharedCookieApp"); })
            .CreateProtector(
                "Microsoft.AspNetCore.Authentication.Cookies." +
                "CookieAuthenticationMiddleware",
                "Identity.Application",
                "v2"))),
    // ASP.NET Core chunks large cookies; the OWIN side must use the same cookie manager.
    CookieManager = new ChunkingCookieManager()
});
We also modified the AccountController.SignInAsync method where we are generating a user identity as follows:
// The authenticationType must match the one defined in
// CookieAuthenticationOptions.AuthenticationType
identity = await _userManager.CreateIdentityAsync(user, "Identity.Application");
Result
The application (Project A) runs but we are not able to log in. We are always redirected to the login page because the AbpSession.UserId is null.
Steps done on Project B (.NET 6 - ABP 7.3)
We modified the Startup as follows:
public void ConfigureServices(IServiceCollection services)
{
    // Same key directory and application name as Project A, so both apps share one key ring.
    services.AddDataProtection()
        .PersistKeysToFileSystem(new DirectoryInfo("C:\\KeyDirectory"))
        .SetApplicationName("SharedCookieApp");
    // ConfigureApplicationCookie configures the "Identity.Application" scheme
    // (IdentityConstants.ApplicationScheme), which is the scheme name used in the protector purposes.
    services.ConfigureApplicationCookie(options =>
    {
        options.Cookie.Name = "SharedCookie";
        options.ExpireTimeSpan = SettingsHelper.InactivityTimeOut;
        options.Cookie.HttpOnly = true;
        options.LoginPath = new PathString("/Account/Login");
        options.LogoutPath = new PathString("/Account/Logout");
    });
}
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
...
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
...
}
Result
The application (Project B) runs and we are able to log in. A cookie is generated and stored in the browser with the correct name (SharedCookie).
Question
I think we are on the right track and just need a little push to make it work.
What do you think we are missing?
Also, why is AbpSession.UserId not set when using Identity.Application as AuthenticationType/AuthenticationScheme on Project A?
Thanks in advance for your help.
Thibault
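The setup above hinges on three things that must agree on both sides: the key ring (key directory), the data-protection application name, and the protector purpose chain, which embeds the scheme name. The following console program is an added example, not code from the issue or from ABP, that issues a cookie payload the way the ASP.NET Core side does and then tries to read it back under each kind of mismatch. It assumes a .NET 6 console project with a FrameworkReference to Microsoft.AspNetCore.App and the Microsoft.AspNetCore.DataProtection.Extensions package; the temporary key directories, the user id "42" and the class name SharedCookieCheck are constructed for the example.

```csharp
using System;
using System.IO;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.DataProtection;

// Hypothetical program, not part of the original issue.
public static class SharedCookieCheck
{
    // Purpose prefix used by ASP.NET Core's CookieAuthenticationHandler. Together with the
    // scheme name and "v2" it forms the purpose chain the OWIN side must reproduce.
    const string CookiePurpose =
        "Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware";

    // Ticket format bound to a given key ring, application name and scheme name.
    public static TicketDataFormat FormatFor(string keyDir, string appName, string scheme)
    {
        var provider = DataProtectionProvider.Create(
            new DirectoryInfo(keyDir),
            b => b.SetApplicationName(appName));
        return new TicketDataFormat(provider.CreateProtector(CookiePurpose, scheme, "v2"));
    }

    // Produce a cookie value for a user, as the issuing application would.
    public static string Issue(string keyDir, string appName, string scheme, string userId)
    {
        var identity = new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.NameIdentifier, userId) }, scheme);
        var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity), scheme);
        return FormatFor(keyDir, appName, scheme).Protect(ticket);
    }

    // Read a cookie value as the consuming application would. TicketDataFormat.Unprotect
    // swallows decryption failures and returns null, which is what the cookie handler sees.
    public static string? ReadUserId(string cookieValue, string keyDir, string appName, string scheme)
    {
        AuthenticationTicket? ticket = FormatFor(keyDir, appName, scheme).Unprotect(cookieValue);
        return ticket?.Principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
    }

    public static void Main()
    {
        // Constructed throw-away key directories: one shared, one not.
        string sharedKeys = Path.Combine(Path.GetTempPath(), "shared-keys-" + Guid.NewGuid());
        string otherKeys = Path.Combine(Path.GetTempPath(), "other-keys-" + Guid.NewGuid());

        string cookie = Issue(sharedKeys, "SharedCookieApp", "Identity.Application", "42");

        // Same key ring, same application name, same scheme.
        Console.WriteLine(ReadUserId(cookie, sharedKeys, "SharedCookieApp", "Identity.Application") ?? "null");
        // Application name differs.
        Console.WriteLine(ReadUserId(cookie, sharedKeys, "OtherApp", "Identity.Application") ?? "null");
        // Scheme name differs, so the protector purpose differs.
        Console.WriteLine(ReadUserId(cookie, sharedKeys, "SharedCookieApp", "ApplicationCookie") ?? "null");
        // Different key ring: the key id embedded in the payload is unknown there.
        Console.WriteLine(ReadUserId(cookie, otherKeys, "SharedCookieApp", "Identity.Application") ?? "null");
    }
}
```

Only the first read recovers the user id; the other three return null, which on a real site shows up as an anonymous request and a redirect to the login page rather than as an error. This check exercises only the data-protection layer, so a cookie that round-trips here but still leaves AbpSession.UserId empty points at the claims inside the ticket (or at how the receiving application reads them), not at the key ring or purposes.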
Issue Analytics
- Created a year ago
- Comments: 12 (4 by maintainers)
Top GitHub Comments
OK, so as a temporary workaround (until we migrate project B to AspNet Core) I renamed the anti-forgery cookie and unregistered the AbpAutoValidateAntiforgeryTokenAttribute. I also created an identity without using the UserManager.CreateIdentityAsync method in order to be able to set the correct AuthenticationScheme. Thank you for your time @ismcagdas
This is generated by ASP.NET Core, see https://github.com/aspnetboilerplate/aspnetboilerplate/blob/dev/src/Abp.AspNetCore/AspNetCore/Security/AntiForgery/AbpAspNetCoreAntiForgeryManager.cs#L26. So, I assume this is not related to AspNet Boilerplate. I’m not sure but maybe you will not face this problem on production if those two apps are going to use different URLs in production.