Sharing a cookie between two websites on the same

2019-02-01 08:51发布

Here's the situation:

I'm trying to share a cookie (forms authentication) between the websites.

I'm not using Forms Authentication per-se. I'm using the built-in methods (Encrypt, Decrypt, etc), but I'm setting my own custom cookie.

When I set the cookie on one of the websites, the other ones sees the cookie, but can't decrypt it. The error is the generic "Error occurred during a cryptographic operation".

What I've ensured:

  1. The cookie has the domain set to "example.com" (which means subdomains can access. Proof is the other website can "see" the cookie).
  2. Both websites share the same machine key. The web.config for both has the same value for the decryptionKey and validationKey.
  3. The forms authentication ticket version and cookie name are the same across both websites.
  4. The path is set to "/".

I've done this before and it works fine, but in that scenario both applications were sharing the same code base.

In this instance, they are separate applications. This is because i am prototyping a solution where two platform-independent applications on the same top level domain can share a authentication cookie.

Can anyone tell me what i's missing, or provide an alternative solution.

I've read all the related questions, but the answer is usually 2) above.

2条回答
戒情不戒烟
2楼-- · 2019-02-01 09:01

When you create a new ASP.NET 4.5 (e.g ASP.NET MVC 4) application, the following line is added to the web.config:

<httpRuntime targetFramework="4.5" />

This was not present in my other application, possibly because my other application was an ASP.NET 3.5 application which was upgraded to 4.5.

Removing that line in the new ASP.NET web application fixed the problem.

I think this is due to the compatability mode value: http://msdn.microsoft.com/en-us/library/system.web.configuration.machinekeysection.compatibilitymode.aspx

Framework45. Cryptographic enhancements for ASP.NET 4.5 are in effect. This is the default value if the application Web.config file has the targetFramework attribute of the httpRuntime element set to "4.5".

Not sure i get how removing that line solved the problem. I assume application one has a different compatability mode, since it didn't have that httpRuntime element.

查看更多
Lonely孤独者°
3楼-- · 2019-02-01 09:23

The Best way to handle this is to make machinekey decryption fall back to Framework20SP2

From this article : http://msdn.microsoft.com/en-us/library/system.web.configuration.machinekeysection.compatibilitymode.aspx

Just add that attribute to machinekey in your .net 4.5 application

<machineKey validationKey="" decryptionKey="" validation="SHA1" compatibilityMode="Framework20SP2" />

you won't need to remove targetFramework="4.5" from httpruntime now.

查看更多
登录 后发表回答