6
votes

I have two applications. The first one is an ASP.NET 4 MVC application that requires authentication. The second is an app that will handle the authentication and set the forms authentication cookie.

On the authorizing app, I call

FormsAuthentication.SetAuthCookie(username, false);

and then I do a simple Response.Redirect back to my MVC application.

In the MVC app, I am making a custom filter that inherits from AuthorizeFilter. In the OnAuthorization method, I was going to decrypt the cookie and grab some additional user data from the authorized user.

My problem is, that

HttpContext.Current.Request.Cookies

has nothing in it. I have checked in Fiddler, and the authentication app correctly sets the cookie, and the MVC application gets the cookie, but when it gets to my filter, there is nothing there.

My web.config in both applications has the exact same setup:

<forms
    name=".ASPXFORMSAUTH"
    protection="All"
    path="/"
    timeout="30"
    enableCrossAppRedirects="true"
    domain="localhost"/>

And I have setup both with the same machineKey to be able to decrypt the cookie. The problem is, I am not seeing any cookie in my OnAuthorization method within my MVC filter.

Right now both applications are running on my local IIS instance.

You are talking about a second request not having the cookie in there, correct? - Darren Kopp
After I hit "login" on my authentication app, the button click sets the auth cookie and does a Response.Redirect(MVCUrl). In Fiddler I see the cookie, but in the MVC authorization filter I am building, I cannot find anything in the cookie collection - Justin Rassier
So, the cookie definitely won't be there when you call FormsAuthentication.SetCookie... but it should be there on subsequent calls. That said, you should be able to use the existing AuthorizeAttribute when using Forms Authentication - Darren Kopp
Yup, after I call the cookie, I can see in Fiddler it is set for subsequent calls. I am making my own filter that inherits from AuthorizeAttribute. I am setting some additional information in the authentication cookie that I want to read in, but in the C# code, the cookie collection is empty. Even though I can see in Fiddler that it at least was passed along for the ride. - Justin Rassier
So... it's possible that ASP.NET is stripping out the cookie after they authorize, but I don't know about this for sure. What I do know is that you won't be able to add additional information to that cookie as it is encrypted and hashed to prevent tampering (I think you can disable this in web.config... but I wouldn't recommend it) - Darren Kopp
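The scenario the question and comments describe, written out as an added example (this is not code from the poster or the commenters). The supported place for "additional information" in a forms ticket is the FormsAuthenticationTicket.UserData field; the whole ticket is then encrypted and MAC'd by FormsAuthentication.Encrypt, so nothing is appended to an already-protected cookie. The login side issues such a ticket, and the MVC side is an AuthorizeAttribute that decrypts it before the usual user/role check. The constant name FormsTicketUserData and the class names are assumptions chosen for this illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Authentication app side: instead of SetAuthCookie(username, false), build the
// ticket by hand so the UserData field can carry extra per-user data.
public static class CrossAppAuth
{
    public static void IssueCookie(HttpResponseBase response, string username, string userData)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                               // ticket version
            username,
            DateTime.Now,
            DateTime.Now.AddMinutes(30),     // mirrors timeout="30" in web.config
            false,                           // not persistent, as in the question
            userData,                        // extra data, protected with the ticket
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                              // keep it out of script reach
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        // Cookie name, path and domain all come from <forms>, so both apps agree.
        if (!string.IsNullOrEmpty(FormsAuthentication.CookieDomain))
            cookie.Domain = FormsAuthentication.CookieDomain;

        response.Cookies.Add(cookie);
    }
}

// MVC app side: decrypt the ticket, expose UserData to the action, then let the
// base AuthorizeAttribute do its normal user/role enforcement.
public class UserDataAuthorizeAttribute : AuthorizeAttribute
{
    public const string ItemKey = "FormsTicketUserData"; // assumed HttpContext.Items key

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        var cookie = filterContext.HttpContext.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null)
        {
            // This branch is hit even when Fiddler shows the cookie on the wire if
            // FormsAuthenticationModule could not decrypt or validate it (different
            // machineKey or crypto compatibility mode between the two apps): the
            // module removes the cookie from the request before filters run.
            filterContext.Result = new HttpUnauthorizedResult();
            return;
        }

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (CryptographicException)   // tampered ticket or key/mode mismatch
        {
            ticket = null;
        }
        catch (HttpException)            // "Unable to validate data" on older runtimes
        {
            ticket = null;
        }

        if (ticket == null || ticket.Expired)
        {
            filterContext.Result = new HttpUnauthorizedResult();
            return;
        }

        // Make the extra data available to the controller action for this request.
        filterContext.HttpContext.Items[ItemKey] = ticket.UserData;

        base.OnAuthorization(filterContext);   // enforce Users/Roles as usual
    }
}
```

Note that both halves rely on the two web.config files agreeing on the forms cookie name, the machineKey and the machineKey crypto mode; if they do not, the MVC side never sees the cookie at all, which is exactly the symptom in the question.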

1 Answer

9
votes

All the weird behavior was due to the httpRuntime between each application being different. My MVC application was set to 4.5 while my application that was setting the cookie was 4.0. Apparently there was a change in how the crypto happens behind the scenes, and therefore when the cookie came through the pipeline, it would get stripped out as ASP.NET couldn't decrypt it.

I came across this when I manually tried to decrypt the cookie by setting the name property different. That way I could access the cookie and try to decrypt, but at that point I would get an exception.

I found that the following link led me in the right direction: Sharing a cookie between two websites on the same domain

By setting the compatibility mode setting on the machine key, the cookie came through just fine and could be decrypted.
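As an added example of the fix the answer describes (this configuration is not from the original post), here is the relevant part of a web.config that both applications would share. An app whose httpRuntime targets 4.5 silently switches the machineKey pipeline to the Framework45 crypto mode, while a 4.0 app stays in Framework20SP1 mode; setting compatibilityMode explicitly on both sides pins them to the same mode regardless of httpRuntime. The key values are placeholders that must be replaced with the same randomly generated hex keys in both files.

```xml
<configuration>
  <system.web>
    <!-- Both applications must use identical keys AND an identical
         compatibilityMode. Without the explicit attribute, a 4.5 app and a
         4.0 app pick different modes and cannot read each other's tickets. -->
    <machineKey
        validationKey="REPLACE_WITH_SHARED_HEX_VALIDATION_KEY"
        decryptionKey="REPLACE_WITH_SHARED_HEX_DECRYPTION_KEY"
        validation="HMACSHA256"
        decryption="AES"
        compatibilityMode="Framework20SP1" />

    <authentication mode="Forms">
      <forms
          name=".ASPXFORMSAUTH"
          protection="All"
          path="/"
          timeout="30"
          enableCrossAppRedirects="true"
          domain="localhost" />
    </authentication>
  </system.web>
</configuration>
```

compatibilityMode="Framework45" works just as well, provided both web.config files say the same thing; what breaks the cookie is the two applications disagreeing, not the choice of mode itself.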