21
votes

Here's the situation:

I'm trying to share a cookie (forms authentication) between the websites.

I'm not using Forms Authentication per-se. I'm using the built-in methods (Encrypt, Decrypt, etc), but I'm setting my own custom cookie.

When I set the cookie on one of the websites, the other ones sees the cookie, but can't decrypt it. The error is the generic "Error occurred during a cryptographic operation".

What I've ensured:

  1. The cookie has the domain set to "example.com" (which means subdomains can access. Proof is the other website can "see" the cookie).
  2. Both websites share the same machine key. The web.config for both has the same value for the decryptionKey and validationKey.
  3. The forms authentication ticket version and cookie name are the same across both websites.
  4. The path is set to "/".

I've done this before and it works fine, but in that scenario both applications were sharing the same code base.

In this instance, they are separate applications. This is because i am prototyping a solution where two platform-independent applications on the same top level domain can share a authentication cookie.

Can anyone tell me what i's missing, or provide an alternative solution.

I've read all the related questions, but the answer is usually 2) above.

2

2 Answers

40
votes

When you create a new ASP.NET 4.5 (e.g ASP.NET MVC 4) application, the following line is added to the web.config:

<httpRuntime targetFramework="4.5" />

This was not present in my other application, possibly because my other application was an ASP.NET 3.5 application which was upgraded to 4.5.

Removing that line in the new ASP.NET web application fixed the problem.

I think this is due to the compatability mode value: http://msdn.microsoft.com/en-us/library/system.web.configuration.machinekeysection.compatibilitymode.aspx

Framework45. Cryptographic enhancements for ASP.NET 4.5 are in effect. This is the default value if the application Web.config file has the targetFramework attribute of the httpRuntime element set to "4.5".

Not sure i get how removing that line solved the problem. I assume application one has a different compatability mode, since it didn't have that httpRuntime element.

14
votes

The Best way to handle this is to make machinekey decryption fall back to Framework20SP2

From this article : http://msdn.microsoft.com/en-us/library/system.web.configuration.machinekeysection.compatibilitymode.aspx

Just add that attribute to machinekey in your .net 4.5 application

<machineKey validationKey="" decryptionKey="" validation="SHA1" compatibilityMode="Framework20SP2" />

you won't need to remove targetFramework="4.5" from httpruntime now.