Form-based authentication does not work between .Net 2.0 and .Net 4.0 applications

I have several web applications running on Windows Server 2003 with IIS 6.0.

Applications run under Asp.net 2.0.

I recently installed an MVC 3 web application on it, which is based on ASP.NET 4. The forms authentication ticket is not picked up in this new application.

I have the same machineKey parameters in the machine.config files of the different ASP.NET versions, generated using this link: http://aspnetresources.com/tools/machineKey

The configuration in the login web application is as follows:

    <authentication mode="Forms">
      <forms name=".WEBAUTH" loginUrl="login.aspx" protection="None" slidingExpiration="true" enableCrossAppRedirects="false" timeout="43200" path="/" />
    </authentication>

And, accordingly, the configuration of the mvc application:

    <authentication mode="Forms">
      <forms name=".WEBAUTH" loginUrl="http://path2theloginapp/login.aspx" protection="None" slidingExpiration="true" enableCrossAppRedirects="false" timeout="43200" path="/" />
    </authentication>
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>

The login works, but the MVC application is always redirected back to the login page.

Now, if I change the ASP.NET version of the login web application to ASP.NET 4.0 in the IIS configuration, it works. But then all the other applications running on ASP.NET 2 no longer work.

Has anyone gotten forms-based authentication working in a similar situation?

+6
2 answers

I had to go a long way and open Microsoft support.

As it turned out, the relevant security updates from Microsoft Security Bulletin MS11-100 were missing:

http://technet.microsoft.com/en-us/security/bulletin/ms11-100
Select your operating system and install the updates for .Net 2.0 and 4.0.

It updates forms-based authentication without reconfiguring the web applications involved.

+5

This is one of the breaking changes in ASP.NET 4.0:

The default Hashing Algorithm is now HMACSHA256

ASP.NET uses encryption and hashing algorithms to secure data such as authentication cookies and browsing status. By default, ASP.NET 4 now uses the HMACSHA256 algorithm for hash operations on cookies and view state. Earlier versions of ASP.NET used the older HMACSHA1.

Your applications may be affected if you run mixed ASP.NET 2.0 / ASP.NET 4 environments, where data such as authentication cookies must work across versions of the .NET Framework. To configure ASP.NET 4 to use the old HMACSHA1 algorithm, add the following setting to the Web.config file:

<machineKey validation="SHA1" />

+2
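The following is an added illustration, not code from the question or the answers: a simplified model of a keyed-hash-protected ticket showing why the same validationKey on both sides is not enough when the ASP.NET 2.0 issuer signs with HMACSHA1 and the ASP.NET 4 verifier expects HMACSHA256. The ticket layout, the key value and the user names are constructed for the example; ASP.NET's real ticket format differs.

```python
import hashlib
import hmac

# Constructed placeholder for the shared machineKey validationKey; both
# applications in the question use the same value in machine.config.
VALIDATION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 4)


def issue_ticket(user: str, expires: int, key: bytes, algorithm: str) -> bytes:
    """Issue a ticket as an app configured with validation=<algorithm> would:
    payload followed by HMAC(key, payload). Simplified model, not ASP.NET's format."""
    payload = f"{user}|{expires}".encode()
    return payload + hmac.new(key, payload, algorithm).digest()


def validate_ticket(ticket: bytes, key: bytes, algorithm: str, now: int):
    """Validate as an app configured with validation=<algorithm>.
    Returns the user name, or None if the MAC or the expiry check fails."""
    size = hashlib.new(algorithm).digest_size
    if len(ticket) <= size:
        return None                      # too short to carry payload + MAC
    payload, mac = ticket[:-size], ticket[-size:]
    expected = hmac.new(key, payload, algorithm).digest()
    if not hmac.compare_digest(mac, expected):
        return None                      # MAC mismatch: treated as forged
    user, expires = payload.decode().split("|")
    if now >= int(expires):
        return None                      # expired ticket
    return user


def cross_version_check(now: int = 1_000):
    """Reproduce the page's scenario: the ASP.NET 2.0 login app signs with
    HMACSHA1; the ASP.NET 4 MVC app rejects it under its new HMACSHA256
    default but accepts it once machineKey validation="SHA1" is configured."""
    ticket = issue_ticket("alice", now + 43200 * 60, VALIDATION_KEY, "sha1")
    under_default_4 = validate_ticket(ticket, VALIDATION_KEY, "sha256", now)
    under_sha1_4 = validate_ticket(ticket, VALIDATION_KEY, "sha1", now)
    return under_default_4, under_sha1_4   # (None, "alice")


if __name__ == "__main__":
    print(cross_version_check())
```

Running it prints `(None, 'alice')`: same key, same ticket, and only the verifier's hash algorithm decides whether the user is sent back to the login page.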

Source: https://habr.com/ru/post/908526/
