1

I have got two asp.net applications (.NET 4.5) on the same application pool on the same IIS (7.5). Their authentication tables are from two different databases. My problem is that when I log into one application, I get logged into the other as well (even if the other application doesn't have the same user id).

Clearly, the two applications are sharing the same session. I have updated the Web.config file in each of the applications as follows:

<sessionState
  cookieName="some_unique_name"
  timeout="30">
</sessionState>
<membership defaultProvider="SqlProvider">
  <providers>
    <clear/>
    <add 
      name="SqlProvider" 
      type="System.Web.Security.SqlMembershipProvider" 
      connectionStringName="AuthCorporate"
      applicationName="some_unique_name"/>
  </providers>
</membership>

It may have to do with configuring Identity and Authentication. My ConfigureAuth() in Startup.Auth.cs looks like this:

public void ConfigureAuth(IAppBuilder app)
{
    // Enable the application to use a cookie to store information for the signed in user
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login")
    });
}

What am I missing to make these two applications have their own separate sessions? Thanks in advance.

Nay

  • Putting 2 different applications in one application pool may not be the best idea. Application pools are there to separate applications requiring different levels of security. – Lev Jul 01 '14 at 06:24
  • Are you using ASP.NET Membership provider? If so you should set the applicationName explicitly (unique for each application) in web.config. It's in the tag... But please provide us more information – Jeroen1984 Jul 01 '14 at 06:34
  • @Jeroen1984 I am using ASP.Net Membership provider. But I haven't specified anything related to tag in my Web.config yet. Could you give some pointer as to how to specify that please? Appreciate it. – Nay Jul 01 '14 at 06:55
  • @Nay If this is a new project, and you are on Framework 4.5, I really suggest not to use Membership Provider. This is the .Net 2.0 way of handling authentication/authorization. The ASP.NET Identity system is the replacement for Membership: http://www.asp.net/identity. It also has some features built in like two-factor authentication, 3rd party login providers (Google, Facebook, etc.), password recovery, email confirmations etc. Things that cost you much time if you implement this with Membership provider. You should seriously consider if you really want to use an obsolete framework – Jeroen1984 Jul 01 '14 at 07:11
  • My apologies @Jeroen1984, I am actually using Identity already. Both of my applications are on MVC 5. – Nay Jul 01 '14 at 07:14
  • @Nay Ok that makes sense. Maybe you should put another tag on your post. With Identity, you can specify a cookie name and cookie domain. Maybe this helps, I will post an example as an answer... – Jeroen1984 Jul 01 '14 at 07:16

2 Answers

1

In your comments you said that you are using Identity with MVC 5. Probably there is a file called Startup.Auth.cs in your App_Start folder. This contains the second part of the partial (OWIN) Startup class where the authentication is configured.

In this class you should configure cookieauthentication, probably with a unique cookiedomain / cookiename:

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    CookieDomain = ".My1stApp.com",
    CookieName = "App1CookieName",
    LoginPath = new PathString("/Account/Login"),
    Provider = new CookieAuthenticationProvider
    {
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            validateInterval: TimeSpan.FromMinutes(30),
            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
    }
});

Jeroen1984
  • Thanks for posting this @Jeroen1984. In fact, I'm still using Identity 1.0, and the solution you have suggested refers to 2.0. I tried to upgrade to 2.0, but something got broken in the project, so have reverted back to 1.0. Isn't there a way to do this in Identity 1.0? – Nay Jul 02 '14 at 00:37
  • @Nay Not really sure how to set this up in 1.0, but here's an article about upgrading from 1.0 to 2.0 (it says 2.0 alpha but it also applies to 2.0 release). It's basically just update the NuGet packages, and then run a code first migration to apply the changes in your identity 2.0 model to your database. http://blogs.msdn.com/b/webdev/archive/2013/12/20/updating-asp-net-applications-from-asp-net-identity-1-0-to-2-0-0-alpha1.aspx – Jeroen1984 Jul 02 '14 at 06:07
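
Why a unique cookie name separates the two sign-ins, as an added JavaScript model that is not code from the question or the answers: browsers key cookies by name, host and path, not by port or application, so two apps on one host that both keep the OWIN default name `.AspNet.ApplicationCookie` are handed each other's cookie. The host `intranet.example`, the paths `/app1` and `/app2`, and the premise that each app can decrypt the other's ticket are assumptions made for the illustration.

```javascript
// Added illustration: simplified RFC 6265 cookie jar. Host and paths are constructed.
const DEFAULT_NAME = ".AspNet.ApplicationCookie"; // OWIN default when CookieName is unset

// RFC 6265 section 5.1.4 path-match: "/app1" matches "/app1/Home" but not "/app10/Home".
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

class CookieJar {
  constructor() { this.store = new Map(); }
  // The storage key is (name, host, path); port and app pool play no part in it.
  set(host, { name, value, path = "/" }) {
    this.store.set(`${name}|${host}|${path}`, { name, value, host, path });
  }
  // Cookies a browser would attach to a request for host + requestPath.
  cookiesFor(host, requestPath) {
    return [...this.store.values()].filter(
      c => c.host === host && pathMatches(c.path, requestPath));
  }
}

// Model of one app: the cookie name its middleware reads and the path it sets.
function makeApp(basePath, cookieName = DEFAULT_NAME, cookiePath = "/") {
  return { basePath, cookieName, cookiePath };
}

// Sign in to `from`, then request `to`; return the ticket `to` would read, or null.
// Assumption: `to` can decrypt whatever it reads under its own cookie name.
function ticketSeenBy(to, from, host = "intranet.example") {
  const jar = new CookieJar();
  jar.set(host, {
    name: from.cookieName,
    value: `ticket-for-${from.basePath}`,
    path: from.cookiePath,
  });
  const sent = jar.cookiesFor(host, to.basePath + "/Home");
  const hit = sent.find(c => c.name === to.cookieName);
  return hit ? hit.value : null;
}
```

Scoping each cookie to its application's path, the third case in the model, corresponds to the `CookiePath` property on `CookieAuthenticationOptions`.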
0

It is very simple... give each site its own application pool. Application pools are there to provide a level of separation/security... like avoiding cross over of data in sessions. Best thing is it only takes 10 seconds to fix your problem. I hope this helps.