All geek questions in one place

Can an ASP.NET 4.0 application on an ASP.NET 2.0 site use the same cookie for forms authentication?

See update at bottom of question

I have an ASP.NET 2.0 web application (say https://mysite.somedomain.com/ ) that uses forms authentication. I want to integrate an ASP.NET 4.0 web application on this site based on https://mysite.somedomain.com/NewApp/ . Forms Auth is working on an external application, but the internal application rejects the cookie.

web.config on an external (ASP.NET 2.0) web application contains:

 <httpCookies requireSSL="true"/> <authentication mode="Forms"> <forms name="MySiteWebAuth" loginUrl="/Login.aspx" protection="All" path="/" timeout="90" requireSSL="true" slidingExpiration="true"/> </authentication> <machineKey (same machine key is in both configs) validation="SHA1" decryption="AES"/> <authorization> <deny users="?"/> <allow users="*" /> </authorization>

web.config on an internal (ASP.NET 4.0) web application contains:

 <authentication mode="Forms"> <forms name="MySiteWebAuth" loginUrl="/Login.aspx" protection="All" path="/" timeout="90" requireSSL="true" slidingExpiration="true" ticketCompatibilityMode="Framework20"/> </authentication> <machineKey (same machine key is in both configs) validation="SHA1" decryption="AES"/>

This is the code in Login.aspx.cs that sets the cookie on successful authentication:

 FormsAuthenticationTicket ticket = new FormsAuthenticationTicket( 1, ApplicationContext.User.Identity.Name, DateTime.Now, DateTime.Now.AddMinutes(90), false, ApplicationContext.User.Identity.SessionID.ToString() ); HttpCookie cookie = new HttpCookie( FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket) ); cookie.Path = FormsAuthentication.FormsCookiePath; cookie.HttpOnly = true; Response.Cookies.Add(cookie);

If I log into an external web application, go to the page inside the internal web application, it redirects to the login page and writes Forms authentication failed for the request. Reason: The ticket supplied was invalid. Forms authentication failed for the request. Reason: The ticket supplied was invalid. in the event log on the server.

How to get an ASP.NET 2.0 Forms Auth ticket that will be accepted by the ASP.NET 4.0 internal web application?

Refresh . It works under HTTPS IIS 7.5, but not under HTTPS IIS 7.0. Do some more research.

Update 2 . We applied Server 2008 SP2 to the server along with a recent patch for the DoS-DoS collision of DoS, and since then the sharing of cookies has worked.

+6
source share
4 answers

In addition to storing almost all of the above values, you need to set the machineKey element compatibilityMode attribute in the application configuration file 4.0:

 <machineKey compatibilityMode="Framework20SP2" validationKey="THE_KEY" decryptionKey="ANOTHER_KEY" validation="SHA1" />
+4
source

I assume you are reading this: http://msdn.microsoft.com/en-us/library/eb0zx8fc.aspx - maybe remove ticketCompatibilityMode from your 4.0 application or at least make sure they are the same.

+1
source

Add this appsetting to both web.config files:

add key = "aspnet: UseLegacyFormsAuthenticationTicketCompatibility" value = "true"

0
source

You need to make sure that both applications have the same encryption key in the web.config files

 <machineKey validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE" decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F" validation="SHA1" />

Authentication of forms in all applications

0
source

Source: https://habr.com/ru/post/905878/

More articles:


All Articles