I have a DNN site on example.com and an MVC site on subdomain.example.com. I've set up a MembershipProvider and a RoleProvider according to this article: SharePoint-Forms-Based-Authentication-Using-DotNet. Now I want to share the auth cookie between the two sites. I've set up domain keys in both web.config files like domain=".example.com". Fiddler says the same cookie is used when requesting either of the sites. And there's the following effect: when I log in to one of the sites, I'm logged off from the other. What could I have missed?

Below is a part of the web.config of the MVC site:

```xml
<machineKey
  validationKey="DEE8F9D31F46D663FA0BCF9A6A9701B0796777C5"
  decryptionKey="E75FBCF55F6BB0B2A352036B965725FD739B2EB21B790659"
  decryption="3DES"
  validation="SHA1" />
<authentication mode="Forms">
  <forms 
    name=".DOTNETNUKE"
    protection="All" 
    timeout="60" 
    cookieless="UseCookies" 
    loginUrl="~/Account/Login" 
    domain=".example.com" 
    path="/" />
</authentication>
<httpCookies httpOnlyCookies="true" requireSSL="false" domain=".example.com" />
<!-- Configure the Sql Membership Provider -->
<membership defaultProvider="SqlMembershipProvider" userIsOnlineTimeWindow="15">
  <providers>
    <clear />
    <add
      name="SqlMembershipProvider"
      type="System.Web.Security.SqlMembershipProvider"
      connectionStringName="DnnSqlServer"
      enablePasswordRetrieval="false"
      enablePasswordReset="true"
      requiresQuestionAndAnswer="false"
      minRequiredPasswordLength="7"
      minRequiredNonalphanumericCharacters="0"
      requiresUniqueEmail="false"
      passwordFormat="Hashed"
      applicationName="DotNetNuke" />
  </providers>
</membership>
<!-- Configure the Sql Role Provider -->
<roleManager enabled="true" defaultProvider="SqlRoleProvider">
  <providers>
    <clear/>
    <add
      name="SqlRoleProvider"
      connectionStringName="DnnSqlServer"
      applicationName="DotNetNuke"
      type="System.Web.Security.SqlRoleProvider,System.Web,
            Version=2.0.0.0,Culture=neutral,
            PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</roleManager>
```
niebohr
  • Finally I've found a solution on stackoverflow pages: [http://stackoverflow.com/a/21087932/4703971](http://stackoverflow.com/a/21087932/4703971) – niebohr Apr 07 '16 at 04:03

1 Answer

When you see this behavior it is typically from the encryption MachineKey values being different between the different applications. When the other application attempts to read the cookie, it cannot decrypt it and then deletes it, allowing you to log in.

I would validate those items in the web.config. (They are not too far down from the node.)

Mitchel Sellers
  • Yes, I've already checked this out, because when the machine keys were not the same, an error 'The anti-forgery token could not be decrypted' occurred. I've updated my web.config in the answer. – niebohr Apr 07 '16 at 03:49
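
The check the answer recommends, comparing the settings that decide whether one application can read the other's forms-authentication cookie, written out as an added example that is not part of the original question or answer. The attribute list, the function names and the sample fragments are this example's assumptions, and the key values in the samples are dummies.

```python
import xml.etree.ElementTree as ET

# Attributes both applications must agree on before one can read the other's
# forms-authentication cookie (this example's own selection of attributes).
CHECKS = {
    "machineKey": ("validationKey", "decryptionKey", "validation",
                   "decryption", "compatibilityMode"),
    "authentication/forms": ("name", "domain", "path", "protection"),
}

def settings(config_xml):
    """Return {(element path, attribute): value}; absent ones map to None."""
    root = ET.fromstring(config_xml)
    scope = root.find(".//system.web")   # full web.config
    if scope is None:                    # bare <system.web> fragment
        scope = root
    found = {}
    for path, attrs in CHECKS.items():
        node = scope.find(path)
        for attr in attrs:
            found[(path, attr)] = None if node is None else node.get(attr)
    return found

def mismatches(config_a, config_b):
    """List (path, attribute, value_a, value_b) for settings that differ."""
    a, b = settings(config_a), settings(config_b)
    diffs = []
    for (path, attr), va in a.items():
        vb = b[(path, attr)]
        same = va == vb
        if attr.endswith("Key"):
            # Hex keys compare case-insensitively; a missing or auto-generated
            # key is never a shared key, even when both files say the same.
            explicit = bool(va and vb) and "AutoGenerate" not in va + vb
            same = explicit and va.upper() == vb.upper()
        if not same:
            diffs.append((path, attr, va, vb))
    return diffs

# Constructed sample fragments; the key values are dummies, not real keys.
SITE_A = """<system.web>
  <machineKey validationKey="AA11" decryptionKey="BB22"
              validation="SHA1" decryption="3DES" />
  <authentication mode="Forms">
    <forms name=".DOTNETNUKE" domain=".example.com" path="/" protection="All" />
  </authentication>
</system.web>"""
SITE_B = SITE_A.replace('"AA11"', '"aa11"').replace(
    'decryption="3DES"', 'decryption="3DES" compatibilityMode="Framework20SP2"')
```

Pass the text of each site's web.config to `mismatches`; an empty list means every compared attribute agrees, and any entry names a setting to align before expecting the cookie to be accepted by both sites.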