I have two web applications that implement the ASP.NET membership provider. This is a slightly modified membership provider (a custom membership provider), but I think this is not relevant to this post.
The applications run in the same domain, and I want to have cross authentication between them using cookies (they run at app1.mydomain.com / app2.mydomain.com).
I use two applications that implement the same provider:
In both applications, I have the same sections configured in web.config: authentication, forms, machineKey, membership, roleManager. They both use their own membership and role provider, which is the same for both applications. All of them are in one domain. Authentication in each application works well.
Problem:
- If you log in to app 4.5 and then go to app 3.5, you are not logged in.
- If you are logged in to application 3.5, you are not logged in to application 4.5.
- If you log in to app 4.0, you are logged out of app 3.5, even if you logged in there earlier, and the same thing happens the other way around.
I've done tests:
- I've set up MVC 4.0 / 4.5 by default and Web Forms 4.0 / 4.5 by default, and cross-domain cookies work fine.
- But when the MVC 4.0 / 4.5 default site and the Web Forms 3.5 default site are configured, SSO does not work.
This seems to be a structure incompatibility, or something has changed between frameworks when it comes to creating or encrypting the cookie; it seems the browser does not send a cookie created by one site to the other. On the other hand, it works great for MVC and WebForms with 4.0 / 4.5.
These are the web.config sections of each application:
MVC 4:
<authentication mode="Forms">
  <forms name="isep" loginUrl="~/Account/LogIn" timeout="20" protection="All" />
</authentication>
<machineKey compatibilityMode="Framework20SP2"
            validationKey="85A2E75F1FFEEAC971928062F844F0AFAE876B422503FCF7F80C1B84683C323049ACCC02A47D54E2E98B0422D2E3EFF1B16B7E85E8359EF6ABC52974D0EB9AA7"
            decryptionKey="FCD4A55D93A720914FA40EEC9599BD81BECE1490EB232DB8DD649BBB0D565194"
            validation="SHA1"
            decryption="Auto" />
WebForms 3.5:
<authentication mode="Forms">
  <forms name="isep" loginUrl="login2.aspx" timeout="20" protection="All" />
</authentication>
<machineKey validationKey="85A2E75F1FFEEAC971928062F844F0AFAE876B422503FCF7F80C1B84683C323049ACCC02A47D54E2E98B0422D2E3EFF1B16B7E85E8359EF6ABC52974D0EB9AA7"
            decryptionKey="FCD4A55D93A720914FA40EEC9599BD81BECE1490EB232DB8DD649BBB0D565194"
            validation="SHA1"
            decryption="Auto" />
<authorization>
  <deny users="?"/>
</authorization>
Are there any clues about this?
Thanks!
Pnp
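For reference, here is a constructed pair of web.config fragments (an added example, not the poster's configuration) showing the forms-authentication and machineKey settings that every application sharing one forms cookie must agree on: the same cookie name, path, domain and protection level, byte-identical validation and decryption keys with explicitly named algorithms, and, on the 4.x side, machineKey compatibilityMode="Framework20SP2" so that the 4.x runtime emits and verifies the legacy ticket format a 3.5 application can read. The hostnames follow the post (app1.mydomain.com and app2.mydomain.com); the key values are placeholders and must be replaced with your own generated keys.

```xml
<!-- Constructed example, not the poster's config.
     Settings that must be identical in every application that is to accept
     the same forms-authentication cookie.
     app1.mydomain.com runs on ASP.NET 4.x, app2.mydomain.com on ASP.NET 3.5. -->

<!-- web.config of the ASP.NET 4.x application -->
<system.web>
  <authentication mode="Forms">
    <!-- name, domain, path and protection must match the other app.
         domain=".mydomain.com" makes the browser send the cookie to every
         *.mydomain.com host instead of only to the host that issued it. -->
    <forms name="isep"
           loginUrl="~/Account/LogIn"
           timeout="20"
           protection="All"
           domain=".mydomain.com"
           path="/"
           requireSSL="true" />
  </authentication>
  <!-- compatibilityMode="Framework20SP2" keeps the 4.x runtime on the
       legacy ticket format and crypto pipeline that 3.5 understands.
       Without it, an application with <httpRuntime targetFramework="4.5">
       defaults to the 4.5 crypto pipeline, whose tickets 3.5 cannot validate.
       Name the algorithms explicitly rather than relying on "Auto". -->
  <machineKey compatibilityMode="Framework20SP2"
              validationKey="PLACEHOLDER_128_HEX_CHARS_IDENTICAL_IN_BOTH_APPS"
              decryptionKey="PLACEHOLDER_64_HEX_CHARS_IDENTICAL_IN_BOTH_APPS"
              validation="SHA1"
              decryption="AES" />
</system.web>

<!-- web.config of the ASP.NET 3.5 application.
     compatibilityMode does not exist in 3.5 and must be omitted here;
     everything else mirrors the 4.x application. -->
<system.web>
  <authentication mode="Forms">
    <forms name="isep"
           loginUrl="login2.aspx"
           timeout="20"
           protection="All"
           domain=".mydomain.com"
           path="/"
           requireSSL="true" />
  </authentication>
  <machineKey validationKey="PLACEHOLDER_128_HEX_CHARS_IDENTICAL_IN_BOTH_APPS"
              decryptionKey="PLACEHOLDER_64_HEX_CHARS_IDENTICAL_IN_BOTH_APPS"
              validation="SHA1"
              decryption="AES" />
</system.web>
```

A quick check when diagnosing this kind of setup: log in to one application and inspect the Set-Cookie response header in the browser's developer tools. If the cookie has no Domain attribute, it is host-only and the browser will never send it to the sibling host, regardless of how the ticket is encrypted; if the Domain is right but the second application still redirects to its login page, the ticket reached it and failed validation, which points at a key, algorithm or compatibilityMode mismatch between the two machineKey sections.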