4

I have two web applications that implement an ASP.NET membership provider. It is a slightly modified membership provider (so it's a custom membership provider), but I think that is irrelevant for this post.

The applications run in the same domain and I want to have cross authentication between them using cookies (they run in app1.mydomain.com / app2.mydomain.com).

I'm using two applications implementing the same provider:

  • WebForms 3.5
  • MVC 4.5

In both applications I have the same sections configured in the web.config: authentication, forms, machineKey, membership, roleManager. They both use a custom membership and role provider, which is the same for both apps. They all reside inside the same domain. Authentication in each application works well.

Problem:

  • If you log in to the 4.5 app and then go to the 3.5 app, you don’t get logged in
  • If you log into the 3.5 app, you are not logged into the 4.5 app
  • If you log into the 4.0 app, you are LOGGED out of the 3.5 app even if you were logged in before, and the same the other way around

Tests I’ve done:

  • I’ve set up a default MVC 4.0/4.5 site and a default Web Forms 4.0/4.5 site, and the cross-domain cookies work perfectly.
  • But when I set up a default MVC 4.0/4.5 site and a default Web Forms 3.5 site, the SSO doesn’t work.

It seems to be a framework incompatibility, or something has changed between frameworks when it comes to creating or encrypting the cookie; it seems the browser doesn’t send the cookie created by one site to the other. On the other hand, it works great for MVC and WebForms with 4.0/4.5.

These are the web.config sections of each of the applications:

MVC 4:

<authentication mode="Forms">
  <forms name="isep" loginUrl="~/Account/LogIn" timeout="20" protection="All" />
</authentication>

<machineKey compatibilityMode="Framework20SP2" validationKey="85A2E75F1FFEEAC971928062F844F0AFAE876B422503FCF7F80C1B84683C323049ACCC02A47D54E2E98B0422D2E3EFF1B16B7E85E8359EF6ABC52974D0EB9AA7" decryptionKey="FCD4A55D93A720914FA40EEC9599BD81BECE1490EB232DB8DD649BBB0D565194" validation="SHA1" decryption="Auto" />

WebForms 3.5:

<authentication mode="Forms">
  <forms name="isep" loginUrl="login2.aspx" timeout="20" protection="All" />
</authentication>

<machineKey validationKey="85A2E75F1FFEEAC971928062F844F0AFAE876B422503FCF7F80C1B84683C323049ACCC02A47D54E2E98B0422D2E3EFF1B16B7E85E8359EF6ABC52974D0EB9AA7" decryptionKey="FCD4A55D93A720914FA40EEC9599BD81BECE1490EB232DB8DD649BBB0D565194" validation="SHA1" decryption="Auto" />

<authorization>
  <deny users="?"/>
</authorization>

Any clue about this?

Thanks!..

PnP

  • Have you looked into whether the application is using the "new Simple Authentication Provider"? http://stackoverflow.com/questions/12021863/upgrading-to-asp-net-4-5-mvc-4-forms-authentication-fails – Alex Dec 31 '12 at 17:07
  • Hi Xander. Yes, for sure. I have exactly the same provider, as it is a custom provider and I have to carry the code from one place to the other. No doubt about that!.. Thanks! – PnP Dec 31 '12 at 17:13

2 Answers

4

Try setting the CompatibilityMode of the MachineKey element in the web.config, as detailed in the following answer:

Upgrading to ASP.NET 4.5/MVC 4 forms authentication fails


After update

Set the domain attribute of the authentication\forms element to the following:

<authentication mode="Forms">
  <forms domain=".somedomain.com" name="isep" loginUrl="~/Account/LogIn" timeout="20" protection="All" />
</authentication>

Where somedomain is your primary domain.

Alex
  • Hi Xander. Thanks for your answer, it was very helpful. But it is still not working as desired. I just added that to both web.configs and: When I log in on the Webforms application, I can share my cookie with the MVC application, but not vice versa (logging in on the MVC application doesn't log the user on the webforms application). Any tip about that? (as I see that you are an expert in this!)... Thanks! – PnP Dec 31 '12 at 17:55
  • Just FYI what I added is: – PnP Dec 31 '12 at 17:56
  • Hi Xander!... Thanks for your help. I updated the question with the corresponding web.config sections. – PnP Jan 02 '13 at 17:59
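
An added example, not part of the original posts: a small Python check that compares the `forms` and `machineKey` attributes discussed in this thread across two web.config files and reports mismatches without echoing key material. The sample configs, placeholder keys and the `.example.test` domain are constructed; `compatibilityMode` is not checked.

```python
import xml.etree.ElementTree as ET

# Attributes the page's two configs set and that must agree between the apps.
FORMS_ATTRS = ("name", "protection")
KEY_ATTRS = ("validationKey", "decryptionKey", "validation", "decryption")
SECRET_ATTRS = ("validationKey", "decryptionKey")  # compared, never echoed


def _attrs(xml_text, tag):
    """Attribute dict of the first <tag> element in a web.config, or {}."""
    node = ET.fromstring(xml_text).find(f".//{tag}")
    return dict(node.attrib) if node is not None else {}


def compare_sso_config(config_a, config_b):
    """Return findings that would stop the two apps sharing one auth cookie."""
    findings = []
    forms_a, forms_b = _attrs(config_a, "forms"), _attrs(config_b, "forms")
    key_a, key_b = _attrs(config_a, "machineKey"), _attrs(config_b, "machineKey")
    pairs = (("forms", FORMS_ATTRS, forms_a, forms_b), ("machineKey", KEY_ATTRS, key_a, key_b))
    for tag, names, a, b in pairs:
        for name in names:
            if a.get(name) == b.get(name):
                continue
            shown = "(values withheld)" if name in SECRET_ATTRS else f"{a.get(name)!r} vs {b.get(name)!r}"
            findings.append(f"{tag}/@{name} differs: {shown}")
    # Without a shared parent domain the cookie stays bound to the issuing host.
    if not forms_a.get("domain") or forms_a.get("domain") != forms_b.get("domain"):
        findings.append("forms/@domain is missing or differs between the apps")
    # Auto-generated keys are per-machine/per-app, so the peer cannot validate them.
    for label, key in (("A", key_a), ("B", key_b)):
        for name in SECRET_ATTRS:
            if "AutoGenerate" in key.get(name, "AutoGenerate"):
                findings.append(f"app {label}: machineKey/@{name} is not an explicit key")
    return findings


# Constructed sample configs (placeholder keys, hypothetical domain).
_TEMPLATE = """<configuration><system.web>
  <authentication mode="Forms"><forms name="isep" protection="All" {domain}/></authentication>
  <machineKey validationKey="PLACEHOLDER-VK" decryptionKey="{dk}" validation="SHA1" decryption="Auto" />
</system.web></configuration>"""
APP_MVC = _TEMPLATE.format(domain='domain=".example.test"', dk="PLACEHOLDER-DK")
APP_WEBFORMS = _TEMPLATE.format(domain="", dk="AutoGenerate,IsolateApps")

if __name__ == "__main__":
    for finding in compare_sso_config(APP_MVC, APP_WEBFORMS):
        print(finding)
```
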
-1

An additional comment:

Could these web.config parameters have some conflict with the current issue:

<add key="aspnet:UseLegacyFormsAuthenticationTicketCompatibility" value="true" /> 
<add key="aspnet:UseLegacyEncryption" value="true" /> 
<add key="aspnet:UseLegacyMachineKeyEncryption" value="true" />

Or... could they help solving the issue?

Thanks!..

PnP
