3

We have multiple Asp.Net MVC applications with Single Sign On, where we encrypt a string using the FormsAuthentication.Encrypt() method, pass it as a query string, and decrypt the same string using FormsAuthentication.Decrypt().

Since both sites were developed in Asp.Net MVC we are able to use Forms Authentication and able to decrypt the string.

Now we are developing a new project in Asp.Net Core, where we pass an encrypted string as a query string from Asp.Net MVC and have to decrypt it in the Asp.Net Core web application.

Is there any alternative to decrypt the string in Asp.Net Core?

Note: We are not using Asp.Net Identity

//Encryption
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, "Name", DateTime.Now, DateTime.Now.AddMinutes(60), true, "DataToEncrypt");

string encrypted = FormsAuthentication.Encrypt(ticket);
Response.Redirect("siteUrl?CookieName="+encrypted );

//Decryption
HttpCookie authCookie = Request.Cookies["CookieName"];

var formsAuthenticationTicket = FormsAuthentication.Decrypt(authCookie.Value);
string _userData = formsAuthenticationTicket.UserData;

2 Answers

3

No, what you were doing before depended on both applications sharing the same machine key, so that they both encrypt/decrypt in the same way. ASP.NET Core does not support the concept of machine keys and does not use them for encryption. Instead, it uses data protection providers. As such there is no possible way to decrypt a value in ASP.NET Core that was encrypted in an ASP.NET app based on machine key. Full stop.

That said, the data protection provider concept used in ASP.NET Core can be used in ASP.NET, but that will obviously require you to change your current design to utilize data protection provider to encrypt/decrypt instead of your current methodology. Then, assuming that the provider is configured the same across all the apps, then you'll be able to decrypt in ASP.NET Core. Namely that requires that the keyring used by the data protection provider is in a shared location that all the apps can access, and that all the apps are configured to use the same application name.

Please refer to the documentation for how to set this up. The documentation is geared towards both cookie sharing and auth, but what this is really about is shared encryption schemes, so setting up the data protection bits mentioned in the docs will be enough.
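The shared-provider setup described in the answer above, as an added example that is not the answerer's or either project's code: one helper compiled into both the ASP.NET MVC site and the ASP.NET Core site, using the Microsoft.AspNetCore.DataProtection.Extensions NuGet package. The key-ring path, application name, purpose string and the SsoToken class are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

public static class SsoToken
{
    // Assumed values: all three must be identical in every participating app.
    private const string KeyRingPath = @"\\fileserver\sso-keyring"; // placeholder share, restrict its ACL
    private const string AppName = "SharedSso";                      // hypothetical application name
    private const string Purpose = "SsoToken.v1";                    // hypothetical purpose string

    // One provider per process: shared key ring + shared application name.
    // Keys are stored unencrypted at rest unless a ProtectKeysWith* option is added.
    private static readonly ITimeLimitedDataProtector Protector =
        DataProtectionProvider
            .Create(new DirectoryInfo(KeyRingPath), b => b.SetApplicationName(AppName))
            .CreateProtector(Purpose)
            .ToTimeLimitedDataProtector();

    // Sending site: takes the place of FormsAuthentication.Encrypt(ticket).
    // The result is base64url text, so it can go into a query string as-is.
    public static string Issue(string userData, TimeSpan lifetime)
    {
        return Protector.Protect(userData, lifetime);
    }

    // Receiving site: takes the place of FormsAuthentication.Decrypt(...).UserData.
    // Returns false for a tampered, expired, or foreign-key token.
    public static bool TryRead(string token, out string userData)
    {
        try
        {
            DateTimeOffset expiresAt; // expiry embedded in the payload by Issue()
            userData = Protector.Unprotect(token, out expiresAt);
            return true;
        }
        catch (CryptographicException)
        {
            userData = null;
            return false;
        }
    }
}
```

On the sending site this would be called as SsoToken.Issue("DataToEncrypt", TimeSpan.FromMinutes(60)), matching the 60-minute ticket in the question. In the ASP.NET Core app the same key ring and application name can instead be configured through services.AddDataProtection() with PersistKeysToFileSystem and SetApplicationName.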


-1

Yes, this can be done without altering anything in your legacy app using this: https://github.com/julian-maughan/FormsAuthDecryptor

However, I am still looking for how to encrypt the ticket back to renew sliding expiration.

// get auth cookie value set by web forms authentication
var authCookieValue = context.Request.Cookies[_authCookieName];

// use a special library to decrypt the cookie value, since .NET Core has no built-in means to do this
// note that _encryptionKey, _validationKey, and ValidationAlgorithm type must match with that from legacy web.config
var decryptor = new Decryptor(_encryptionKey, _validationKey, ValidationAlgorithm.HmacSha256);
var ticket = decryptor.Decrypt(authCookieValue);

// now that ticket is in the clear we can create a .Net core identity from it
var identity = new ClaimsIdentity(new[] {
  new Claim(ClaimTypes.Name, ticket.Name),
  new Claim(ClaimTypes.Role, "YourRole")
}, "CustomAuthenticationType");
context.User = new ClaimsPrincipal(identity);

2 Comments

Is this a link to a solution (but without summarising the solution here) and then a request for help with your own problem? Please note that this would not be considered an answer on StackOverflow. For the solution, please add a summary of how the solution is done (not only what it achieves) and name the author of the linked content. Please move the part where you ask for help with your search into a separate post, which you create by using the "Ask Question" button instead of the "Post Your Answer" button. Both are necessary, otherwise your post is probably not perceived as an answer.
If anyone wants a better solution, here is a better library that does the work: github.com/dazinator/AspNetCore.LegacyAuthCookieCompat
