6

I've got several applications hosted on the same IIS (different context roots), that are all protected using the Microsoft.ASPNet.Identity 2.1 NuGet packages. At the moment however, when I log in to one of the applications, the next visit to any of the other applications prompts me to log in again. I can't be logged in to more than just one of the applications at once.

I'm guessing that they are all using the same cookie to store the login token, so when you log in on one app, it resets the cookie which becomes invalid for requests to the other applications.

What are my options for resolving this? I don't mind having to log in to each app individually, so can each app be configured to use a different cookie?

Alternatively, each app does in fact share the same User table in the DB, so it might be possible to configure it so that when you log in to one of the applications, the others also become logged in.

6
  • When you say WebAPI identity, do you mean ASP.NET Identity? Commented Jun 23, 2015 at 9:47
  • Sorry, yes, the Microsoft.AspNet.Identity NuGet packages. I don't know why I thought it was called WebApi Identity. Thanks for correcting me. Commented Jun 23, 2015 at 9:49
  • Okey dokes. Sorry, just making sure :) Commented Jun 23, 2015 at 9:49
  • I've looked here and you can change the cookie name here tech.trailmax.info/2014/07/… I wonder if that would do the trick if you change it in each app? Commented Jun 23, 2015 at 9:52
  • Yep, that's done it - thanks! Was obviously not using the right Google search string (searching for WebApi identity didn't help!). If you want to create an answer I'll mark it as correct, you got the answer first... Commented Jun 23, 2015 at 10:00

3 Answers

8

Have a different cookie name for each app:

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    CookieName = "CookieNameHere",
});

As shown on this page http://tech.trailmax.info/2014/07/rename-authentication-cookie-name-of-asp-net-identity/


3

Yes, this is because on 'localhost' you are sharing the same cookie. This will not happen on production, because cookies are domain only (unless, of course, all applications are deployed to the same domain).

This is kinda annoying on localhost but easy to solve. Just change the name of the cookie for each application.

This varies from Identity version to version, but something like this is what you are looking for:

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    CookieName = "MyApp1", // <-- add this, with different names for each app
    // ...
});

Normally found in the Startup.Auth.cs or Startup.cs file.

As for using the same cookie on all applications (if they share subdomain.domain), you need to get the MachineKey (validationKey and decryptionKey) AND the same cookie name on all your applications.

Something like this in web.config:

<!-- validationKey: some valid validation key; decryptionKey: some valid decryption key -->
<machineKey
  validationKey="..."
  decryptionKey="..."
  validation="SHA1"
  decryption="AES"/>

4 Comments

Thanks Bart - Coulton was a little quicker with the answer so I've marked his as correct, sorry... but I'll certainly check out your addendum about sharing the cookie across all the apps - thanks again
@SimonGreen Sure! No need to be sorry. Glad you solved it (that is the whole point, nothing else).
Btw, for the single sign-on, the most complicated stuff is making it CORS, which is not a problem you have. Have the same encrypto/crypto keys so it can be read from all apps and you will get single sign-on for free. Note that this is only because you are on the same subdomain/domain.
@BartCalixto I'm trying to share credentials stored in a DB across two different web applications, but I'm able to sign in to only one of them; on the other one it seems like the passwords are hashed differently and therefore they never match. Do you have a clue on how to solve it?
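
The per-application cookie setup described in the two answers above, as an added example (not code from the original posts): it gives one application its own cookie name and also scopes the cookie to that application's context root, so sibling applications on the same host never receive it. The cookie name `.App1.Auth`, the login path, the 30-minute lifetime and HTTPS hosting are assumptions.

```csharp
// Added example for one application's Startup.Auth.cs. The cookie name,
// login path and lifetime are assumed values, not from the original posts.
using System;
using System.Web.Hosting;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // IIS virtual directory of this application, e.g. "/App1".
        // Browsers match cookie paths case-sensitively, so links to the
        // application must use the same casing as the value set here.
        string appPath = HostingEnvironment.ApplicationVirtualPath;

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),

            // Unique per application, so a login in one application does
            // not overwrite the cookie of another one on the same host.
            CookieName = ".App1.Auth",

            // The default path "/" sends this cookie to every application
            // on the host; scope it to this application's context root.
            CookiePath = appPath,

            CookieHttpOnly = true,                    // not readable from script
            CookieSecure = CookieSecureOption.Always, // assumes HTTPS hosting
            ExpireTimeSpan = TimeSpan.FromMinutes(30),
            SlidingExpiration = true
        });
    }
}
```

Each sibling application would use the same block with its own `CookieName`; the path scoping only applies when every application keeps its own cookie, not when one cookie is deliberately shared between them.
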
2

I think Single Sign-On could be your solution. Search for it on Google.

For a start, you can refer to a couple of the links below:

Single Sign-On Asp.Net

Claim base Single Sign-on for Web and Azure

Single Sign-on for existing MVC App

Hope this is what you are looking for and will resolve your problem.

1 Comment

+1 Definitely interesting to see the single-sign-on articles, I hadn't seen how it was implemented before
