Variable cookie path with ASP.NET Identity

We have ported our multi-tenant MVC application from the ASP.NET Membership Provider to ASP.NET Identity.

This is my Startup.Auth.cs (simplified):

using System;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
        app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);

        // CookiePath is not set, so the application cookie is issued for "/".
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            Provider = new CookieAuthenticationProvider
            {
                // Re-validates the security stamp every 30 minutes and regenerates the identity.
                OnValidateIdentity =
                    SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, Identity, int>(
                        TimeSpan.FromMinutes(30),
                        (manager, user) =>
                            manager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie),
                        clIdentity => clIdentity.GetUserId<int>())
            }
        });
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
    }
}

In our multi-tenant application, each tenant has its own "slug" (for example, http://example.com/tenant1/ and http://example.com/tenant2/ ).

However, the cookies are currently stored at the root path. This causes security problems, because users of tenant1 are automatically signed in on tenant2's site as well.

How can we make CookiePath (in CookieAuthenticationOptions) variable, so that it changes depending on the tenant?

+4
3

dampee.

[Answer text largely lost in extraction. The surviving identifiers show that it discusses CookiePath on CookieAuthenticationOptions, the ResponseSignIn and ResponseSignOut hooks of CookieAuthenticationProvider, the ApplicationCookie and the ExternalSignInCookie.]

+5

[Answer text largely lost in extraction; addressed to SamuelDebruyn. What survives refers to passing the cookie path to SignIn through AuthenticationProperties and points to a gist with the following code:]

using System.Net.Http;
using System.Security.Claims;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;

// method inside a Web API controller (System.Net.Http supplies Request.GetOwinContext())
private void SignIn(string name, string cookiePath)
{
    var claims = new[] { new Claim(ClaimTypes.Name, name) };
    // The authentication type must match the one configured in Startup below.
    var identity = new ClaimsIdentity(claims, "ApplicationCookie");

    var options = new AuthenticationProperties();
    options.Dictionary["CustomCookiePath"] = cookiePath;

    var authManager = Request.GetOwinContext().Authentication;
    authManager.SignIn(options, identity);
}

// Startup.cs
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    // Without this the middleware defaults to "Cookies" and ignores an identity
    // whose AuthenticationType is "ApplicationCookie".
    AuthenticationType = "ApplicationCookie",
    Provider = new CustomCookieProvider()
});

// custom provider
public class CustomCookieProvider : CookieAuthenticationProvider
{
    public override void ResponseSignIn(CookieResponseSignInContext context)
    {
        string cookiePath;
        // Only override the path when the caller supplied one; otherwise Options.CookiePath applies.
        if (context.Properties.Dictionary.TryGetValue("CustomCookiePath", out cookiePath))
        {
            context.CookieOptions.Path = cookiePath;
        }
        base.ResponseSignIn(context);
    }
}
+1
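A complement to the gist above, added here as example code that is not from the original answer or the project (the class name TenantCookieProvider and the "tenant" property key are my own choices). It validates the slug instead of trusting whatever string arrives in AuthenticationProperties, and it also overrides ResponseSignOut, because Katana deletes the cookie with the Path held in CookieOptions and a deletion at "/" does not remove a cookie that was set at "/tenant1". It assumes Katana 3.x (Microsoft.Owin.Security.Cookies) and, like the gist, a direct call to IAuthenticationManager.SignIn rather than SignInManager.PasswordSignInAsync, which builds its own AuthenticationProperties.

```csharp
using System;
using System.Text.RegularExpressions;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Hypothetical names (TenantCookieProvider, TenantKey): not part of the original answer.
public class TenantCookieProvider : CookieAuthenticationProvider
{
    public const string TenantKey = "tenant";

    // Only a plain slug is accepted, so nothing a caller puts into AuthenticationProperties
    // can widen the cookie to "/" or point it at another tenant's prefix.
    private static readonly Regex SlugPattern = new Regex("^[a-z0-9-]{1,32}$", RegexOptions.Compiled);

    // "/tenant1" (no trailing slash) matches "/tenant1" and "/tenant1/..." but not "/tenant10".
    public static string CookiePathFor(string slug)
    {
        if (slug == null || !SlugPattern.IsMatch(slug))
            throw new InvalidOperationException("No valid tenant slug; refusing to issue a root-scoped cookie.");
        return "/" + slug;
    }

    // Builds the properties a controller passes to IAuthenticationManager.SignIn, e.g.
    // authManager.SignIn(TenantCookieProvider.PropertiesFor("tenant1", false), identity);
    public static AuthenticationProperties PropertiesFor(string slug, bool isPersistent)
    {
        var props = new AuthenticationProperties { IsPersistent = isPersistent };
        props.Dictionary[TenantKey] = slug;
        return props;
    }

    public override void ResponseSignIn(CookieResponseSignInContext context)
    {
        string slug;
        context.Properties.Dictionary.TryGetValue(TenantKey, out slug);
        context.CookieOptions.Path = CookiePathFor(slug);
        base.ResponseSignIn(context);
    }

    public override void ResponseSignOut(CookieResponseSignOutContext context)
    {
        // There are no AuthenticationProperties at sign-out, so the tenant is taken from the
        // request path (e.g. POST /tenant1/Account/LogOff). The deletion must use the same
        // Path as the sign-in, otherwise the browser keeps the old cookie.
        context.CookieOptions.Path = CookiePathFor(FirstSegment(context.Request.Path));
        base.ResponseSignOut(context);
    }

    private static string FirstSegment(PathString path)
    {
        var value = (path.Value ?? string.Empty).TrimStart('/');
        var end = value.IndexOf('/');
        return end < 0 ? value : value.Substring(0, end);
    }
}

// Startup wiring; the AuthenticationType must equal the one given to the ClaimsIdentity.
public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "ApplicationCookie",
            Provider = new TenantCookieProvider()
        });
    }
}
```

The throw in CookiePathFor is deliberate: a sign-in that cannot be tied to a tenant should fail loudly rather than silently fall back to a cookie scoped to "/", which is exactly the cross-tenant leak the question describes.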

You can use a custom ICookieManager to dynamically return the cookie value to the CookieAuthenticationProvider depending on what is in the request. For this you would still keep CookiePath as "/", and then leave it to the ICookieManager to return (or write) the cookie however you want. CookieManager is an option on CookieAuthenticationOptions. I wrote about this here: http://shazwazza.com/post/owin-cookie-authentication-with-variable-cookie-paths/

0
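The ICookieManager approach from the answer above, as an added example that is not from the linked post or from the project (TenantCookieManager is a hypothetical name). It wraps Katana's default ChunkingCookieManager, leaves CookiePath in the options at "/", and rewrites Path on every write and delete from the first segment of the request path, refusing to write an authentication cookie at all when the request is not under a tenant slug. It assumes Katana 3.x and that every tenant URL begins with the slug, as in the question.

```csharp
using System;
using System.Text.RegularExpressions;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Infrastructure;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Hypothetical name; delegates the actual header work to Katana's ChunkingCookieManager.
public class TenantCookieManager : ICookieManager
{
    private readonly ICookieManager _inner = new ChunkingCookieManager();

    public string GetRequestCookie(IOwinContext context, string key)
    {
        // Reading is unchanged: the browser only sends the cookie when the request path
        // already matches the Path it was set with.
        return _inner.GetRequestCookie(context, key);
    }

    public void AppendResponseCookie(IOwinContext context, string key, string value, CookieOptions options)
    {
        options.Path = TenantPath(context);
        _inner.AppendResponseCookie(context, key, value, options);
    }

    public void DeleteCookie(IOwinContext context, string key, CookieOptions options)
    {
        // Must use the same Path as the sign-in, or the cookie survives logout.
        options.Path = TenantPath(context);
        _inner.DeleteCookie(context, key, options);
    }

    // Derives the path from the first segment of the request, e.g. /tenant1/Account/Login -> /tenant1.
    // Requests that do not start with a valid slug get no cookie rather than a root-scoped one.
    internal static string TenantPath(IOwinContext context)
    {
        var raw = (context.Request.Path.Value ?? string.Empty).TrimStart('/');
        var end = raw.IndexOf('/');
        var slug = end < 0 ? raw : raw.Substring(0, end);
        if (!Regex.IsMatch(slug, "^[a-z0-9-]{1,32}$"))
            throw new InvalidOperationException("Request is not scoped to a tenant; refusing to write an auth cookie at '/'.");
        return "/" + slug;
    }
}

// Startup wiring; the rest of the ApplicationCookie options stay as in the question.
public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            CookieManager = new TenantCookieManager()
        });
    }
}
```

One caveat for either approach: the cookie Path is a routing hint, not an isolation boundary. A page served from /tenant2/ is same-origin with /tenant1/, can frame a /tenant1/ URL, and the browser will attach the /tenant1 cookie to that frame's requests (HttpOnly, which Katana sets by default, stops script from reading it but not from riding on it). The server therefore still has to check that the signed-in user's tenant matches the slug of the request, for example by comparing a tenant claim in an authorization filter; the per-tenant path only stops the accidental sign-in across tenants that the question describes.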