Sharing Authentication Cookies between ASP.NET 4.8 (ABP 4.19) and .NET 6 (ABP 7.3)


Hello everyone, I came here to seek some help.

Context

We have two Web applications, let’s call them Project A and B.

Both run on .NET Framework 4.8 with ABP 4.19.

They are sharing the authentication cookie enabling a kind of SSO and this works pretty well.

Now we are migrating Project B to .NET 6 with ABP 7.3 and we are not able to share the authentication cookie anymore.

What we did

We followed the Microsoft documentation and this related GitHub issue.

Steps done on Project A (.NET Framework - ABP 4.19)

  • We added a reference to Microsoft.Owin.Security.Interop

  • We modified the call to UseCookieAuthentication as follows:

According to the documentation, the CookieName and AuthenticationType/AuthenticationScheme in both applications must be identical. Also, it is stated that the AuthenticationType/AuthenticationScheme should be set to Identity.Application. Finally, the applications must use the same cookie format.

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = "Identity.Application",
        CookieName = "SharedCookie",
        LoginPath = new PathString("/Account/Login"),
        LogoutPath = new PathString("/Account/Logout"),
        SlidingExpiration = true,
        ExpireTimeSpan = TimeSpan.FromMinutes(120),

        Provider = new CookieAuthenticationProvider
        {
            OnValidateIdentity =
                SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(30),
                        regenerateIdentity: (manager, user) =>
                            manager.CreateIdentityAsync(user, "Identity.Application"),
                        id => int.Parse(id.GetUserId()))
        },
        // Key ring directory, application name and protector purposes
        // have to match the ASP.NET Core application.
        TicketDataFormat = new AspNetTicketDataFormat(
            new DataProtectorShim(
                DataProtectionProvider.Create(new DirectoryInfo("C:\\KeyDirectory"),
                        builder => { builder.SetApplicationName("SharedCookieApp"); })
                    .CreateProtector(
                        "Microsoft.AspNetCore.Authentication.Cookies." +
                        "CookieAuthenticationMiddleware",
                        "Identity.Application",
                        "v2"))),
        CookieManager = new ChunkingCookieManager()
    });

We also modified the AccountController.SignInAsync method where we are generating a user identity as follows:

     // The authenticationType must match the one defined in 
     // CookieAuthenticationOptions.AuthenticationType
     identity = await _userManager.CreateIdentityAsync(user, "Identity.Application");

Result

The application (Project A) runs but we are not able to log in. We are always redirected to the login page because the AbpSession.UserId is null.

Steps done on Project B (.NET 6 - ABP 7.3)

We modified the Startup as follows:

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDataProtection()
            .PersistKeysToFileSystem(new DirectoryInfo("C:\\KeyDirectory"))
            .SetApplicationName("SharedCookieApp");


        services.ConfigureApplicationCookie(options =>
        {
            options.Cookie.Name = "SharedCookie";
            options.ExpireTimeSpan = SettingsHelper.InactivityTimeOut;
            options.Cookie.HttpOnly = true;
            options.LoginPath = new PathString("/Account/Login");
            options.LogoutPath = new PathString("/Account/Logout");
        });
    }
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        ...
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        ...
    }

Result

The application (Project B) runs and we are able to log in. A cookie is generated and stored in the browser with the correct name (SharedCookie).

Question

I think we are on the right track and just need a little push to make it work. What do you think we are missing? Also, why when using Identity.Application as AuthenticationType/AuthenticationScheme on Project A the AbpSession.UserId is not set?

Thanks in advance for your help.

Thibault
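
An added diagnostic, not part of the original issue or of either project: a .NET 6 console program that rebuilds the data protector from the settings shown above (key directory, application name, purpose strings) and tries to unprotect a cookie value copied from the browser, which shows whether a cookie issued by one application is readable with the shared configuration. It assumes the project references the ASP.NET Core shared framework and that the cookie was small enough not to be split into chunks; the program name `CookieCheck` is hypothetical.

```csharp
// Added example. Run on a machine that can read the shared key directory.
using System;
using System.IO;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.DataProtection;

if (args.Length != 1)
{
    Console.Error.WriteLine("usage: CookieCheck <value of the SharedCookie cookie>");
    return 2;
}

// Same key ring directory and application name as in both Startup classes.
var provider = DataProtectionProvider.Create(
    new DirectoryInfo(@"C:\KeyDirectory"),
    builder => builder.SetApplicationName("SharedCookieApp"));

// Same purpose strings as the CreateProtector call in Project A. The ASP.NET Core
// cookie handler uses this purpose chain with the scheme name in the middle.
var protector = provider.CreateProtector(
    "Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware",
    "Identity.Application",
    "v2");

// Unprotect returns null when the key ring, application name, purposes
// or ticket format differ from what the issuing application used.
var ticket = new TicketDataFormat(protector).Unprotect(args[0]);
if (ticket is null)
{
    Console.WriteLine("FAIL: cookie cannot be unprotected with the shared settings.");
    return 1;
}

Console.WriteLine($"OK: ticket scheme = {ticket.AuthenticationScheme}");
Console.WriteLine($"    identity type = {ticket.Principal.Identity?.AuthenticationType}");
Console.WriteLine($"    expires (UTC) = {ticket.Properties.ExpiresUtc}");
foreach (var claim in ticket.Principal.Claims)
{
    // Claim types only; the values can contain personal data.
    Console.WriteLine($"    claim type: {claim.Type}");
}
return 0;
```

A null result points at the data protection setup (keys, application name, purposes); a successful decode with an unexpected scheme or missing claims points at how the identity was built.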

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 12 (4 by maintainers)

Top GitHub Comments

1 reaction
thibnes commented, Oct 20, 2022

OK, so as a temporary workaround (until we migrate project B to AspNet Core) I renamed the anti-forgery cookie and unregistered the AbpAutoValidateAntiforgeryTokenAttribute. I also created an identity without using UserManager.CreateIdentityAsync method in order to be able to set the correct AuthenticationScheme.

Thank you for your time @ismcagdas

0 reactions
ismcagdas commented, Oct 20, 2022

This is generated by ASP.NET Core, see https://github.com/aspnetboilerplate/aspnetboilerplate/blob/dev/src/Abp.AspNetCore/AspNetCore/Security/AntiForgery/AbpAspNetCoreAntiForgeryManager.cs#L26. So, I assume this is not related to AspNet Boilerplate. I’m not sure but maybe you will not face this problem on production if those two apps are going to use different URLs in production.
