Sharing a cookie between two websites on the same domain

asp.net asp.net-mvc cookies cross-platform forms-authentication
RPM1984 picture RPM1984 · Feb 18, 2013 · Viewed 12k times · Source

Here's the situation:

I'm trying to share a cookie (forms authentication) between the websites.

I'm not using Forms Authentication per-se. I'm using the built-in methods (Encrypt, Decrypt, etc), but I'm setting my own custom cookie.

When I set the cookie on one of the websites, the other ones sees the cookie, but can't decrypt it. The error is the generic "Error occurred during a cryptographic operation".

What I've ensured:

  1. The cookie has the domain set to "example.com" (which means subdomains can access. Proof is the other website can "see" the cookie).
  2. Both websites share the same machine key. The web.config for both has the same value for the decryptionKey and validationKey.
  3. The forms authentication ticket version and cookie name are the same across both websites.
  4. The path is set to "/".

I've done this before and it works fine, but in that scenario both applications were sharing the same code base.

In this instance, they are separate applications. This is because i am prototyping a solution where two platform-independent applications on the same top level domain can share a authentication cookie.

Can anyone tell me what i's missing, or provide an alternative solution.

I've read all the related questions, but the answer is usually 2) above.

Answer

RPM1984 picture RPM1984 · Feb 18, 2013

When you create a new ASP.NET 4.5 (e.g ASP.NET MVC 4) application, the following line is added to the web.config:

<httpRuntime targetFramework="4.5" />

This was not present in my other application, possibly because my other application was an ASP.NET 3.5 application which was upgraded to 4.5.

Removing that line in the new ASP.NET web application fixed the problem.

I think this is due to the compatability mode value: http://msdn.microsoft.com/en-us/library/system.web.configuration.machinekeysection.compatibilitymode.aspx

Framework45. Cryptographic enhancements for ASP.NET 4.5 are in effect. This is the default value if the application Web.config file has the targetFramework attribute of the httpRuntime element set to "4.5".

Not sure i get how removing that line solved the problem. I assume application one has a different compatability mode, since it didn't have that httpRuntime element.

Related questions

How can I set the 'secure' flag for cookies in an ASP.NET MVC website?

I have set the following in web.config: <system.web> <httpCookies httpOnlyCookies="true" requireSSL="true" /> </system.web> When I hit the website using an HTTP connection, it redirects to my login page (specifying the …

Read More
Why is my ASP.NET MVC persistent auth cookie not working?

I'm using ASP.NET MVC 3, with forms authentication (based on modified vanilla account code you get with file->new). When you login, I am setting an auth cookie with FormsAuthentication.SetAuthCookie(userName, true); So this should set a persistent …

Read More
Asp.Net Forms Authentication when using iPhone UIWebView

I am writing a Asp.net MVC 2 application that uses Forms Authentication and currently I am having a problem with our iPhone application in regards to the authentication/login over the web. We have developed a simple iPhone app that …

Read More