
I have created two MVC applications that share the same authentication. In the applications I'm using different user roles that can be assigned to every user. When I log in as an administrator, everything works fine, I log in to the first application and the same cookie is used to log in to the second application, no login prompts involved.

When I log in as a user with a different role assigned to them, the login screen pops up again after logging in to the first application and it doesn't go away, even if I log in there also.

The applications are both on the same IIS server. The machine key is configured correctly in IIS server (obviously, since it works if I log in as a user with the administrator role assigned) and here is the code in Startup.Auth.cs for both applications:

1st Application:

// Directives needed by this fragment of Startup.Auth.cs:
using System;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    // Same cookie name in both applications so the ticket is shared.
    CookieName = "DefaultCookie",
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Account/Login"),
    Provider = new CookieAuthenticationProvider
    {
        // Enables the application to validate the security stamp when the user logs in.
        // This is a security feature which is used when you change a password or add an external login to your account.
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            validateInterval: TimeSpan.FromMinutes(30),
            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
    }
});

2nd Application:

// Same using directives as the first application, plus System.Diagnostics for Trace.
using System;
using System.Diagnostics;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    CookieName = "DefaultCookie",
    AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active,
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    // PathString values must begin with '/'; "./Account/Login" is rejected by the constructor.
    LoginPath = new PathString("/Account/Login"),
    Provider = new CookieAuthenticationProvider
    {
        // Enables the application to validate the security stamp when the user logs in.
        // This is a security feature which is used when you change a password or add an external login to your account.
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            validateInterval: TimeSpan.FromMinutes(30),
            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager)),
        OnApplyRedirect = ApplyRedirect
    },
});

// Rewrites the login redirect so that it always targets /Account/Login at the site root
// (rather than under this application's PathBase) and carries the original URL as ReturnUrl.
private static void ApplyRedirect(CookieApplyRedirectContext context)
{
    Uri absoluteUri;
    if (Uri.TryCreate(context.RedirectUri, UriKind.Absolute, out absoluteUri))
    {
        var path = PathString.FromUriComponent(absoluteUri);
        Trace.WriteLine(path);
        // Only rewrite redirects that point at this application's own login page.
        if (path == context.OwinContext.Request.PathBase + context.Options.LoginPath)
            context.RedirectUri = "/Account/Login" +
                new QueryString(
                    context.Options.ReturnUrlParameter,
                    context.Request.Uri.AbsoluteUri);
    }
    context.Response.Redirect(context.RedirectUri);
}

Does anyone know why this is happening and what I can do to fix it?

1 Answer

This is an authorization issue, not an authentication issue. If you can share the login at all, i.e. in the case of your admin user, then everything is fine on that front. However, the user's role must be authorized to access the controller/action or they will still be redirected to the login page, even though they are already authenticated. This is intended as an opportunity for them to re-authenticate with an account with the appropriate privileges, since the one they used apparently does not have access.

Long and short, you need to ensure that whatever controller(s)/action(s) you want the user to be able to access allow the role that is assigned to them.
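The answer's point is that an authenticated user who fails a role check gets the same 401-to-login redirect as an anonymous user, which is what made the asker's role restriction look like a broken shared cookie. As an added example (not code from the question or the answer), this AuthorizeAttribute subclass returns 403 for signed-in users who lack the role, so a role mismatch becomes visible instead of looping back to the login page; the controller names and the `User` role are assumptions for illustration.

```csharp
using System.Net;
using System.Web.Mvc;

// Distinguishes "not signed in" (401, redirect to LoginPath) from
// "signed in but not in the required role" (403, no redirect).
public class RoleAwareAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user != null && user.Identity != null && user.Identity.IsAuthenticated)
        {
            // Authenticated but unauthorized: answer 403 so the cookie
            // middleware does not turn a 401 into another login prompt.
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
            return;
        }

        // Anonymous request: keep the default 401 -> login redirect.
        base.HandleUnauthorizedRequest(filterContext);
    }
}

// The restriction the asker had missed, [Authorize(Roles = "Administrator")],
// expressed with the attribute above: a user in any other role now sees a 403.
[RoleAwareAuthorize(Roles = "Administrator")]
public class AdminController : Controller   // hypothetical controller
{
    public ActionResult Index() { return View(); }
}

// A controller every signed-in role may use: plain attribute, or an explicit
// list such as Roles = "Administrator,User" if only some roles should pass.
[RoleAwareAuthorize]
public class HomeController : Controller    // hypothetical controller
{
    public ActionResult Index() { return View(); }
}
```

With this in place, a shared-cookie problem still shows up as a login prompt, while a role problem shows up as a 403 in the second application's logs, which is the distinction the answer draws.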


3 Comments

I have the [Authorize] line before the controller, do you mean that I should specifically say which roles are authorized? I thought it worked so that all roles are authorized unless otherwise specified.

You are correct. However, the behavior of your application suggests there is already a role restriction somewhere. Perhaps a global Authorize attribute has been applied, or maybe specific action(s) have an Authorize attribute with roles applied.

Yes, you were right! I had missed an [Authorize(Roles = "Administrator")] in the first application that prevented any other user roles from opening the website. Thanks!
