Asp.Net MVC Core 2 - Share authentication cookie

Question

I have multiple application running under localhost and will be eventually deployed under one domain name like https://myapp.com/

Applications will be like:

https://myapp.com/security
https://myapp.com/app1
https://myapp.com/app2

When user access app1, it logs him in using security app internally. I am using cookie authentication. Now when user moves to app2, I want that app2 uses the cookie created by app1 and doesn't ask to authenticate again.

Startup.cs:

public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
        .AddCookie(options =>
        {
            options.AccessDeniedPath = new PathString("/LogUser/RestrictedAccess");
            options.LoginPath = new PathString("/LogUser/Login");
            options.SlidingExpiration = true;
            options.ExpireTimeSpan = TimeSpan.FromMinutes(20);
            options.SessionStore = new MemoryCacheTicketStore();
            options.Cookie.Name = ".AspNet.SharedCookie";
            options.Cookie.Path = "/";
            options.ReturnUrlParameter = "OriginalUrl";
        });
        services.AddSession();
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseBrowserLink();
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Home/Error");
        }

        app.UseStaticFiles();
        app.UseAuthentication();
        app.UseSession();
        app.UseMvc(routes =>
        {
            routes.MapRoute(
                name: "default",
                template: "{controller=Home}/{action=Index}/{id?}");
        });
    }

Answer 1

There's two main options:

1. Use a decentralized authentication/authorization platform. Auth0 provides a paid drop-in solution, or you can set up your own with IdentityServer. While setup is potentially more complex, going this route will give you an extensible solution that will serve your needs both now and in the future. Decide you need an API application as well? You're good to go.

2. Literally share the cookie. This is relatively simple to implement, but can quickly become outmoded. If one of those apps eventually needs to get hosted on a different domain, you're borked. Need to authorize an API? Out of luck.

If you decide to go with option #2 (the method requested in your question), there's a couple of things you'll need to take care of:

1. Since this depends on all the apps seeing the same cookie, you'll need to ensure they're all hosted on the same domain or subdomains of that domain (in which case you'll need to make the cookie's domain a wildcard). It looks like that's already the case, but it's worth emphasizing the point. If your setup changes, such that some of the apps can no longer see the cookie, you're done.

2. You need to configure the DataProtectionProvider for each app the same. The auth cookie (as well as session cookies, etc.) are encrypted using DataProtectionProvider. In a sense, this is somewhat similar to the old school method of setting the same machine key in each's app's web.config, except ASP.NET Core doesn't utilize web.config and doesn't use machine key for encryption. Instead, you'll need to ensure that it uses a persisted key storage, that that key storage is accessible and utilized by each app, and that app isolation is disabled. I suggest digging into the docs to make sure you've got a good handle on what you're dealing with and how everything works.