I have a .NET 2.0 web application that acts as an authentication stage for an older .NET 1.1 web application. Thus, the user logs in through the 2.0 application and is then redirected to the 1.1 application to do his work. I used the technique described by Scott Guthrie, with matching machine keys in the local web.config files, so that the auth ticket is readable by both applications. This technique has worked for me on five occasions over the course of several years.
Still.
Since this morning, four of our paired applications, configured as described above, have stopped working in production: we are sent back after an (apparently) successful authentication attempt. During the login attempt, I am returned to the login page. I checked the event logs and IIS logs and did not find anything. We can see that the auth cookie is set in our browsers. We tried several browsers (IE and Chrome). Over the weekend, I know that more than a dozen patches were installed on the web server, one of which added Framework 4.0, but I have no way to find out whether any of these fixes caused the problem. Interestingly, before Christmas, I noticed the same behavior on my dev box. Since then, none of the four paired applications has been redeployed, so I do not think that this is a deployment problem that spread to production.
There is one pair of applications that still works, and we are comparing the code and the configuration to see what is going on, but so far we have not found anything (otherwise I would not have written this post!)
UPDATE: I found out what this lone pair of applications does differently: it handles authorization in code. Therefore, I developed a workaround for my ailing applications:
ORIGINAL:
<authorization> <deny users="?" /> </authorization>
Temporary solution:
<authorization> <allow users="*" /> </authorization>
Then I added the code to my ASPX homepage to check the cookie:
if (Request.Cookies.Get(FormsAuthentication.FormsCookieName) == null) Response.Redirect(System.Configuration.ConfigurationSettings.AppSettings["MembershipLoginURL"], true); // no auth cookie at all: send the user to the login application
My code seems to fulfill the role that ASP.NET used to play, namely checking whether the user is allowed in. So, I have a workaround, but the mystery remains.
Does anyone know if a patch from Microsoft was released in the last four months (our server was just updated with four months' worth of fixes) which disables the ability of ASP.NET to authenticate / decrypt cookies between web applications on different versions of .NET?
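As an added illustration (not code from the question above), here is a version of the home-page check that validates the forms ticket instead of merely testing whether the cookie exists. Testing for presence alone lets any visitor pass by setting a cookie with the expected name, and it also hides the interesting symptom: whether the 1.1 application can actually decrypt a ticket that the 2.0 application produced. The code reuses the post's "MembershipLoginURL" app setting; the class name Default and the Trace message are my own assumptions. It avoids C# 2.0 features (partial classes, String.IsNullOrEmpty) so it also compiles against .NET 1.1.

```csharp
using System;
using System.Configuration;
using System.Diagnostics;
using System.Web;
using System.Web.Security;

// Hypothetical code-behind for the 1.1 application's home page (added example).
public class Default : System.Web.UI.Page
{
    // App setting name taken from the question's workaround.
    private const string LoginUrlSettingName = "MembershipLoginURL";

    protected void Page_Load(object sender, EventArgs e)
    {
        FormsAuthenticationTicket ticket = GetValidTicket(Request);
        if (ticket == null)
        {
            // Drop the unusable cookie so the browser does not keep resending it,
            // then hand the user back to the authenticating (2.0) application.
            FormsAuthentication.SignOut();
            Response.Redirect(ConfigurationSettings.AppSettings[LoginUrlSettingName], true);
            return;
        }
        // ticket.Name holds the user name written by the 2.0 application's login page.
    }

    // Returns the decrypted ticket when the cookie is present, decrypts with this
    // application's machineKey, and has not expired; otherwise returns null.
    private static FormsAuthenticationTicket GetValidTicket(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || cookie.Value == null || cookie.Value.Length == 0)
        {
            Trace.WriteLine("Forms auth cookie missing from request.");
            return null;
        }

        FormsAuthenticationTicket ticket;
        try
        {
            // Fails if the value was not produced with the same validationKey /
            // decryptionKey, or if this runtime does not understand the ticket format.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception ex)
        {
            // A decrypt failure on a cookie the browser demonstrably sends is the
            // signal worth logging: it points at a key or ticket-format mismatch
            // between the two applications rather than at a missing cookie.
            Trace.WriteLine("Forms ticket decrypt failed: " + ex.Message);
            return null;
        }

        if (ticket == null)
        {
            Trace.WriteLine("Forms ticket decrypted to null (1.1 behaviour for bad input).");
            return null;
        }
        if (ticket.Expired)
        {
            Trace.WriteLine("Forms ticket for '" + ticket.Name + "' has expired.");
            return null;
        }
        return ticket;
    }
}
```

With this in place, a redirect loop that occurs while the Trace output reports "decrypt failed" distinguishes a cross-version ticket problem from an ordinary missing or expired cookie, which is the distinction the question's presence-only check cannot make.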