DEV Community: Rodrigo Ipaves de Campos Pinto The latest articles on DEV Community by Rodrigo Ipaves de Campos Pinto (@roicp). https://dev.to/roicp https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F518983%2F2b2c8231-f2b2-46c0-a8ad-87464b47e8c0.jpeg DEV Community: Rodrigo Ipaves de Campos Pinto https://dev.to/roicp en Share authentication cookies between ASP.NET 4.x and ASP.NET Core Rodrigo Ipaves de Campos Pinto Mon, 17 Feb 2025 00:53:49 +0000 https://dev.to/roicp/share-authentication-cookies-between-aspnet-4x-and-aspnet-core-47gj https://dev.to/roicp/share-authentication-cookies-between-aspnet-4x-and-aspnet-core-47gj <p>I've been working with ASP.NET 4.x and ASP.NET Core for a while, and I've always noticed some unusual differences between them.</p> <p>The migration process from ASP.NET 4.x to ASP.NET Core can be challenging, depending on how the source code is designed or organized, the size of the application, and the packages used.</p> <p>I'm going to present a technique for implementing a side-by-side migration process that ensures both applications continue to run.</p> <p>Let's begin with a simple ASP.NET MVC 4.8 application configured for forms authentication.</p> <p>Normally, the authentication cookie is created by calling FormsAuthentication.SetAuthCookie(username, rememberMe); after a successful login, and it is destroyed by calling FormsAuthentication.SignOut() upon logout. This setup is supported by a small configuration in the web.config file using the authentication tag.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;system.web&gt;</span> <span class="nt">&lt;compilation</span> <span class="na">debug=</span><span class="s">"true"</span> <span class="na">targetFramework=</span><span class="s">"4.8"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;httpRuntime</span> <span class="na">targetFramework=</span><span class="s">"4.8"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;authentication</span> <span class="na">mode=</span><span class="s">"Forms"</span><span class="nt">&gt;</span> <span class="nt">&lt;forms</span> <span class="na">loginUrl=</span><span class="s">"~/Account/Login"</span> <span class="na">timeout=</span><span class="s">"2880"</span> <span class="na">requireSSL=</span><span class="s">"true"</span> <span class="na">path=</span><span class="s">"/"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/authentication&gt;</span> <span class="nt">&lt;/system.web&gt;</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">Mvc4FormAuthentication.Models</span><span class="p">;</span> <span class="k">using</span> <span class="nn">System.Web.Mvc</span><span class="p">;</span> <span class="k">using</span> <span class="nn">System.Web.Security</span><span class="p">;</span> <span class="k">namespace</span> <span class="nn">Mvc4FormAuthentication.Controllers</span> <span class="p">{</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">AccountController</span> <span class="p">:</span> <span class="n">Controller</span> <span class="p">{</span> <span class="k">public</span> <span class="n">ActionResult</span> <span class="nf">Login</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">View</span><span class="p">();</span> <span class="p">}</span> <span class="p">[</span><span class="n">HttpPost</span><span class="p">]</span> <span class="p">[</span><span class="n">ValidateAntiForgeryToken</span><span class="p">]</span> <span class="k">public</span> <span class="n">ActionResult</span> <span class="nf">Login</span><span class="p">(</span><span class="n">LoginViewModel</span> <span class="n">model</span><span class="p">,</span> <span class="kt">string</span> <span class="n">returnUrl</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(!</span><span class="n">ModelState</span><span class="p">.</span><span class="n">IsValid</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">View</span><span class="p">(</span><span class="n">model</span><span class="p">);</span> <span class="p">}</span> <span class="kt">var</span> <span class="n">isAuthenticated</span> <span class="p">=</span> <span class="nf">IsAuthenticateUser</span><span class="p">(</span><span class="n">model</span><span class="p">.</span><span class="n">Username</span><span class="p">,</span> <span class="n">model</span><span class="p">.</span><span class="n">Password</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">isAuthenticated</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// the AUTH cookie is set here</span> <span class="n">FormsAuthentication</span><span class="p">.</span><span class="nf">SetAuthCookie</span><span class="p">(</span><span class="n">model</span><span class="p">.</span><span class="n">Username</span><span class="p">,</span> <span class="n">model</span><span class="p">.</span><span class="n">RememberMe</span><span class="p">);</span> <span class="k">return</span> <span class="nf">Redirect</span><span class="p">(</span><span class="kt">string</span><span class="p">.</span><span class="nf">IsNullOrEmpty</span><span class="p">(</span><span class="n">returnUrl</span><span class="p">)</span> <span class="p">?</span> <span class="s">"/"</span> <span class="p">:</span> <span class="n">returnUrl</span><span class="p">);</span> <span class="p">}</span> <span class="n">ModelState</span><span class="p">.</span><span class="nf">AddModelError</span><span class="p">(</span><span class="s">""</span><span class="p">,</span> <span class="s">"Invalid username or password."</span><span class="p">);</span> <span class="k">return</span> <span class="nf">View</span><span class="p">(</span><span class="n">model</span><span class="p">);</span> <span class="p">}</span> <span class="p">[</span><span class="n">HttpPost</span><span class="p">]</span> <span class="p">[</span><span class="n">ValidateAntiForgeryToken</span><span class="p">]</span> <span class="k">public</span> <span class="n">ActionResult</span> <span class="nf">Logout</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// the AUTH cookie is removed here</span> <span class="n">FormsAuthentication</span><span class="p">.</span><span class="nf">SignOut</span><span class="p">();</span> <span class="k">return</span> <span class="nf">RedirectToAction</span><span class="p">(</span><span class="s">"Index"</span><span class="p">,</span> <span class="s">"Home"</span><span class="p">);</span> <span class="p">}</span> <span class="k">private</span> <span class="kt">bool</span> <span class="nf">IsAuthenticateUser</span><span class="p">(</span><span class="kt">string</span> <span class="n">username</span><span class="p">,</span> <span class="kt">string</span> <span class="n">password</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">true</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Using browser DevTools, you can locate the ASP.NET authentication cookie generated during the forms authentication login process.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftlolgzgkujsdu6apbf2d.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftlolgzgkujsdu6apbf2d.png" alt="ASPXAUTH Cookie" width="800" height="51"></a></p> <p>Easy!</p> <p>However, to share the authentication cookie between the applications, we need to change the way this cookie is generated.</p> <p>First, remove the web.config configuration. Let's go back to the original code without the authentication tag.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;system.web&gt;</span> <span class="nt">&lt;compilation</span> <span class="na">debug=</span><span class="s">"true"</span> <span class="na">targetFramework=</span><span class="s">"4.8"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;httpRuntime</span> <span class="na">targetFramework=</span><span class="s">"4.8"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/system.web&gt;</span> </code></pre> </div> <p>Now, let's install some OWIN packages.</p> <ul> <li>Microsoft.Owin.Host.SystemWeb</li> <li>Microsoft.Owin.Security.Interop</li> <li>Microsoft.Owin.Security.Cookies</li> </ul> <p>Next, create a startup class.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">Microsoft.AspNetCore.DataProtection</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Microsoft.Owin</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Microsoft.Owin.Security.Cookies</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Microsoft.Owin.Security.Interop</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Owin</span><span class="p">;</span> <span class="k">using</span> <span class="nn">System</span><span class="p">;</span> <span class="k">using</span> <span class="nn">System.IO</span><span class="p">;</span> <span class="p">[</span><span class="n">assembly</span><span class="p">:</span> <span class="nf">OwinStartup</span><span class="p">(</span><span class="k">typeof</span><span class="p">(</span><span class="n">Mvc4OwinAuthentication</span><span class="p">.</span><span class="n">Startup</span><span class="p">))]</span> <span class="k">namespace</span> <span class="nn">Mvc4OwinAuthentication</span> <span class="p">{</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">Startup</span> <span class="p">{</span> <span class="k">const</span> <span class="kt">string</span> <span class="n">APPLICATION_NAME</span> <span class="p">=</span> <span class="s">"SharedAuthCookieApp"</span><span class="p">;</span> <span class="k">const</span> <span class="kt">string</span> <span class="n">COOKIE_NAME</span> <span class="p">=</span> <span class="s">".AspNet.ApplicationAuthCookie"</span><span class="p">;</span> <span class="k">const</span> <span class="kt">string</span> <span class="n">COOKIE_PATH</span> <span class="p">=</span> <span class="s">"/"</span><span class="p">;</span> <span class="k">const</span> <span class="kt">string</span> <span class="n">SHARING_FOLDER_PATH</span> <span class="p">=</span> <span class="s">@"C:\Sources\Tests\DotNet\SharedAuthCookie"</span><span class="p">;</span> <span class="k">public</span> <span class="k">void</span> <span class="nf">Configuration</span><span class="p">(</span><span class="n">IAppBuilder</span> <span class="n">app</span><span class="p">)</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">loginPath</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">PathString</span><span class="p">(</span><span class="s">"/Account/Login"</span><span class="p">);</span> <span class="kt">var</span> <span class="n">chunkingCookieManager</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">ChunkingCookieManager</span><span class="p">();</span> <span class="kt">var</span> <span class="n">dataProtectionProvider</span> <span class="p">=</span> <span class="n">DataProtectionProvider</span><span class="p">.</span><span class="nf">Create</span><span class="p">(</span> <span class="k">new</span> <span class="nf">DirectoryInfo</span><span class="p">(</span><span class="n">SHARING_FOLDER_PATH</span><span class="p">),</span> <span class="n">builder</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">builder</span><span class="p">.</span><span class="nf">SetApplicationName</span><span class="p">(</span><span class="n">APPLICATION_NAME</span><span class="p">);</span> <span class="p">}</span> <span class="p">).</span><span class="nf">CreateProtector</span><span class="p">(</span> <span class="s">"Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware"</span><span class="p">,</span> <span class="s">"Cookies"</span><span class="p">,</span> <span class="s">"v2"</span> <span class="p">);</span> <span class="kt">var</span> <span class="n">dataProtectorShim</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">DataProtectorShim</span><span class="p">(</span><span class="n">dataProtectionProvider</span><span class="p">);</span> <span class="kt">var</span> <span class="n">aspNetTicketDataFormat</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">AspNetTicketDataFormat</span><span class="p">(</span><span class="n">dataProtectorShim</span><span class="p">);</span> <span class="kt">var</span> <span class="n">cookieAuthenticationOptions</span> <span class="p">=</span> <span class="k">new</span> <span class="n">CookieAuthenticationOptions</span> <span class="p">{</span> <span class="c1">// This should match the AuthenticationType you use when creating the ClaimsIdentity ("Cookies")</span> <span class="n">AuthenticationType</span> <span class="p">=</span> <span class="n">CookieAuthenticationDefaults</span><span class="p">.</span><span class="n">AuthenticationType</span><span class="p">,</span> <span class="n">CookieHttpOnly</span> <span class="p">=</span> <span class="k">true</span><span class="p">,</span> <span class="n">CookieManager</span> <span class="p">=</span> <span class="n">chunkingCookieManager</span><span class="p">,</span> <span class="n">CookieName</span> <span class="p">=</span> <span class="n">COOKIE_NAME</span><span class="p">,</span> <span class="n">CookiePath</span> <span class="p">=</span> <span class="n">COOKIE_PATH</span><span class="p">,</span> <span class="n">CookieSameSite</span> <span class="p">=</span> <span class="n">SameSiteMode</span><span class="p">.</span><span class="n">Lax</span><span class="p">,</span> <span class="n">ExpireTimeSpan</span> <span class="p">=</span> <span class="n">TimeSpan</span><span class="p">.</span><span class="nf">FromMinutes</span><span class="p">(</span><span class="m">20</span><span class="p">),</span> <span class="n">LoginPath</span> <span class="p">=</span> <span class="n">loginPath</span><span class="p">,</span> <span class="n">SlidingExpiration</span> <span class="p">=</span> <span class="k">true</span><span class="p">,</span> <span class="n">TicketDataFormat</span> <span class="p">=</span> <span class="n">aspNetTicketDataFormat</span> <span class="p">};</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseCookieAuthentication</span><span class="p">(</span><span class="n">cookieAuthenticationOptions</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Add a configuration to AntiForgeryToken on Global.asax in the Application_Start.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">protected</span> <span class="k">void</span> <span class="nf">Application_Start</span><span class="p">()</span> <span class="p">{</span> <span class="n">AntiForgeryConfig</span><span class="p">.</span><span class="n">UniqueClaimTypeIdentifier</span> <span class="p">=</span> <span class="n">ClaimTypes</span><span class="p">.</span><span class="n">NameIdentifier</span><span class="p">;</span> <span class="n">AreaRegistration</span><span class="p">.</span><span class="nf">RegisterAllAreas</span><span class="p">();</span> <span class="n">FilterConfig</span><span class="p">.</span><span class="nf">RegisterGlobalFilters</span><span class="p">(</span><span class="n">GlobalFilters</span><span class="p">.</span><span class="n">Filters</span><span class="p">);</span> <span class="n">RouteConfig</span><span class="p">.</span><span class="nf">RegisterRoutes</span><span class="p">(</span><span class="n">RouteTable</span><span class="p">.</span><span class="n">Routes</span><span class="p">);</span> <span class="n">BundleConfig</span><span class="p">.</span><span class="nf">RegisterBundles</span><span class="p">(</span><span class="n">BundleTable</span><span class="p">.</span><span class="n">Bundles</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>And finally, the AccountController should create the auth cookie.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">Microsoft.Owin.Security</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Microsoft.Owin.Security.Cookies</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Mvc4OwinAuthentication.Models</span><span class="p">;</span> <span class="k">using</span> <span class="nn">System.Collections.Generic</span><span class="p">;</span> <span class="k">using</span> <span class="nn">System.Security.Claims</span><span class="p">;</span> <span class="k">using</span> <span class="nn">System.Web</span><span class="p">;</span> <span class="k">using</span> <span class="nn">System.Web.Mvc</span><span class="p">;</span> <span class="k">namespace</span> <span class="nn">Mvc4OwinAuthentication.Controllers</span> <span class="p">{</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">AccountController</span> <span class="p">:</span> <span class="n">Controller</span> <span class="p">{</span> <span class="k">public</span> <span class="n">ActionResult</span> <span class="nf">Login</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">View</span><span class="p">();</span> <span class="p">}</span> <span class="p">[</span><span class="n">HttpPost</span><span class="p">]</span> <span class="p">[</span><span class="n">ValidateAntiForgeryToken</span><span class="p">]</span> <span class="k">public</span> <span class="n">ActionResult</span> <span class="nf">Login</span><span class="p">(</span><span class="n">LoginViewModel</span> <span class="n">model</span><span class="p">,</span> <span class="kt">string</span> <span class="n">returnUrl</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(!</span><span class="n">ModelState</span><span class="p">.</span><span class="n">IsValid</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">View</span><span class="p">(</span><span class="n">model</span><span class="p">);</span> <span class="p">}</span> <span class="kt">var</span> <span class="n">user</span> <span class="p">=</span> <span class="nf">AuthenticateUser</span><span class="p">(</span><span class="n">model</span><span class="p">.</span><span class="n">Username</span><span class="p">,</span> <span class="n">model</span><span class="p">.</span><span class="n">Password</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">user</span> <span class="p">!=</span> <span class="k">null</span><span class="p">)</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">claims</span> <span class="p">=</span> <span class="k">new</span> <span class="n">List</span><span class="p">&lt;</span><span class="n">Claim</span><span class="p">&gt;</span> <span class="p">{</span> <span class="k">new</span> <span class="nf">Claim</span><span class="p">(</span><span class="n">ClaimTypes</span><span class="p">.</span><span class="n">NameIdentifier</span><span class="p">,</span> <span class="n">user</span><span class="p">.</span><span class="n">Id</span><span class="p">.</span><span class="nf">ToString</span><span class="p">()),</span> <span class="k">new</span> <span class="nf">Claim</span><span class="p">(</span><span class="n">ClaimTypes</span><span class="p">.</span><span class="n">Name</span><span class="p">,</span> <span class="n">user</span><span class="p">.</span><span class="n">Username</span><span class="p">)</span> <span class="p">};</span> <span class="kt">var</span> <span class="n">claimsIdentity</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">ClaimsIdentity</span><span class="p">(</span><span class="n">claims</span><span class="p">,</span> <span class="n">CookieAuthenticationDefaults</span><span class="p">.</span><span class="n">AuthenticationType</span><span class="p">);</span> <span class="kt">var</span> <span class="n">authManager</span> <span class="p">=</span> <span class="n">HttpContext</span><span class="p">.</span><span class="nf">GetOwinContext</span><span class="p">().</span><span class="n">Authentication</span><span class="p">;</span> <span class="kt">var</span> <span class="n">authProperties</span> <span class="p">=</span> <span class="k">new</span> <span class="n">AuthenticationProperties</span> <span class="p">{</span> <span class="n">IsPersistent</span> <span class="p">=</span> <span class="n">model</span><span class="p">.</span><span class="n">RememberMe</span> <span class="p">};</span> <span class="n">authManager</span><span class="p">.</span><span class="nf">SignIn</span><span class="p">(</span><span class="n">authProperties</span><span class="p">,</span> <span class="n">claimsIdentity</span><span class="p">);</span> <span class="k">return</span> <span class="nf">Redirect</span><span class="p">(</span><span class="kt">string</span><span class="p">.</span><span class="nf">IsNullOrEmpty</span><span class="p">(</span><span class="n">returnUrl</span><span class="p">)</span> <span class="p">?</span> <span class="s">"/"</span> <span class="p">:</span> <span class="n">returnUrl</span><span class="p">);</span> <span class="p">}</span> <span class="n">ModelState</span><span class="p">.</span><span class="nf">AddModelError</span><span class="p">(</span><span class="s">""</span><span class="p">,</span> <span class="s">"Invalid username or password."</span><span class="p">);</span> <span class="k">return</span> <span class="nf">View</span><span class="p">(</span><span class="n">model</span><span class="p">);</span> <span class="p">}</span> <span class="p">[</span><span class="n">HttpPost</span><span class="p">]</span> <span class="p">[</span><span class="n">ValidateAntiForgeryToken</span><span class="p">]</span> <span class="k">public</span> <span class="n">ActionResult</span> <span class="nf">Logout</span><span class="p">()</span> <span class="p">{</span> <span class="n">HttpContext</span><span class="p">.</span><span class="nf">GetOwinContext</span><span class="p">().</span><span class="n">Authentication</span><span class="p">.</span><span class="nf">SignOut</span><span class="p">(</span><span class="n">CookieAuthenticationDefaults</span><span class="p">.</span><span class="n">AuthenticationType</span><span class="p">);</span> <span class="k">return</span> <span class="nf">RedirectToAction</span><span class="p">(</span><span class="s">"Index"</span><span class="p">,</span> <span class="s">"Home"</span><span class="p">);</span> <span class="p">}</span> <span class="k">private</span> <span class="n">User</span> <span class="nf">AuthenticateUser</span><span class="p">(</span><span class="kt">string</span> <span class="n">username</span><span class="p">,</span> <span class="kt">string</span> <span class="n">password</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">User</span><span class="p">(</span><span class="n">username</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Here's our new cookie.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbw0b9wv604j35ybu7p0z.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbw0b9wv604j35ybu7p0z.png" alt="OWIN ASP AUTH Cookie" width="800" height="73"></a></p> <p>😎</p> <p>Let's dive into the ASP.NET Core 9 part.</p> <p>In Program.cs, configure the authentication to use cookies.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">Microsoft.AspNetCore.Authentication.Cookies</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Microsoft.AspNetCore.DataProtection</span><span class="p">;</span> <span class="k">namespace</span> <span class="nn">MvcCoreAuthentication</span> <span class="p">{</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">Program</span> <span class="p">{</span> <span class="k">const</span> <span class="kt">string</span> <span class="n">APPLICATION_NAME</span> <span class="p">=</span> <span class="s">"SharedAuthCookieApp"</span><span class="p">;</span> <span class="k">const</span> <span class="kt">string</span> <span class="n">COOKIE_NAME</span> <span class="p">=</span> <span class="s">".AspNet.ApplicationAuthCookie"</span><span class="p">;</span> <span class="k">const</span> <span class="kt">string</span> <span class="n">COOKIE_PATH</span> <span class="p">=</span> <span class="s">"/"</span><span class="p">;</span> <span class="k">const</span> <span class="kt">string</span> <span class="n">LOGIN_PATH</span> <span class="p">=</span> <span class="s">"/Account/Login"</span><span class="p">;</span> <span class="k">const</span> <span class="kt">string</span> <span class="n">SHARING_FOLDER_PATH</span> <span class="p">=</span> <span class="s">@"C:\Sources\Tests\DotNet\SharedAuthCookie"</span><span class="p">;</span> <span class="k">public</span> <span class="k">static</span> <span class="k">void</span> <span class="nf">Main</span><span class="p">(</span><span class="kt">string</span><span class="p">[]</span> <span class="n">args</span><span class="p">)</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">builder</span> <span class="p">=</span> <span class="n">WebApplication</span><span class="p">.</span><span class="nf">CreateBuilder</span><span class="p">(</span><span class="n">args</span><span class="p">);</span> <span class="c1">// Add services to the container.</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddControllersWithViews</span><span class="p">();</span> <span class="err">#</span><span class="n">region</span> <span class="n">Cookie</span> <span class="n">Configuration</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddDataProtection</span><span class="p">()</span> <span class="p">.</span><span class="nf">PersistKeysToFileSystem</span><span class="p">(</span><span class="k">new</span> <span class="nf">DirectoryInfo</span><span class="p">(</span><span class="n">SHARING_FOLDER_PATH</span><span class="p">))</span> <span class="p">.</span><span class="nf">SetApplicationName</span><span class="p">(</span><span class="n">APPLICATION_NAME</span><span class="p">);</span> <span class="kt">var</span> <span class="n">chunkingCookieManager</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">ChunkingCookieManager</span><span class="p">();</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddAuthentication</span><span class="p">(</span><span class="n">CookieAuthenticationDefaults</span><span class="p">.</span><span class="n">AuthenticationScheme</span><span class="p">)</span> <span class="p">.</span><span class="nf">AddCookie</span><span class="p">(</span><span class="n">options</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">options</span><span class="p">.</span><span class="n">Cookie</span><span class="p">.</span><span class="n">HttpOnly</span> <span class="p">=</span> <span class="k">true</span><span class="p">;</span> <span class="n">options</span><span class="p">.</span><span class="n">Cookie</span><span class="p">.</span><span class="n">Name</span> <span class="p">=</span> <span class="n">COOKIE_NAME</span><span class="p">;</span> <span class="n">options</span><span class="p">.</span><span class="n">Cookie</span><span class="p">.</span><span class="n">Path</span> <span class="p">=</span> <span class="n">COOKIE_PATH</span><span class="p">;</span> <span class="n">options</span><span class="p">.</span><span class="n">Cookie</span><span class="p">.</span><span class="n">SameSite</span> <span class="p">=</span> <span class="n">SameSiteMode</span><span class="p">.</span><span class="n">Lax</span><span class="p">;</span> <span class="n">options</span><span class="p">.</span><span class="n">CookieManager</span> <span class="p">=</span> <span class="n">chunkingCookieManager</span><span class="p">;</span> <span class="n">options</span><span class="p">.</span><span class="n">ExpireTimeSpan</span> <span class="p">=</span> <span class="n">TimeSpan</span><span class="p">.</span><span class="nf">FromMinutes</span><span class="p">(</span><span class="m">20</span><span class="p">);</span> <span class="n">options</span><span class="p">.</span><span class="n">LoginPath</span> <span class="p">=</span> <span class="n">LOGIN_PATH</span><span class="p">;</span> <span class="n">options</span><span class="p">.</span><span class="n">SlidingExpiration</span> <span class="p">=</span> <span class="k">true</span><span class="p">;</span> <span class="p">});</span> <span class="err">#</span><span class="n">endregion</span> <span class="kt">var</span> <span class="n">app</span> <span class="p">=</span> <span class="n">builder</span><span class="p">.</span><span class="nf">Build</span><span class="p">();</span> <span class="c1">// Configure the HTTP request pipeline.</span> <span class="k">if</span> <span class="p">(!</span><span class="n">app</span><span class="p">.</span><span class="n">Environment</span><span class="p">.</span><span class="nf">IsDevelopment</span><span class="p">())</span> <span class="p">{</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseExceptionHandler</span><span class="p">(</span><span class="s">"/Home/Error"</span><span class="p">);</span> <span class="c1">// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseHsts</span><span class="p">();</span> <span class="p">}</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseHttpsRedirection</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseRouting</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseAuthentication</span><span class="p">();</span> <span class="c1">// Cookie Configuration - Add this line</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseAuthorization</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">MapStaticAssets</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">MapControllerRoute</span><span class="p">(</span> <span class="n">name</span><span class="p">:</span> <span class="s">"default"</span><span class="p">,</span> <span class="n">pattern</span><span class="p">:</span> <span class="s">"{controller=Home}/{action=Index}/{id?}"</span><span class="p">)</span> <span class="p">.</span><span class="nf">WithStaticAssets</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">Run</span><span class="p">();</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Here's our ASP.NET Core cookie 😉</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcb8tebpun9e5cszuwxjn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcb8tebpun9e5cszuwxjn.png" alt="ASP NET CORE Cookie" width="800" height="68"></a></p> <p>It's time to see if everything worked.</p> <p>Create a new controller with an action decorated with the [Authorize] attribute (do this in both applications).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">public</span> <span class="k">class</span> <span class="nc">PrivateController</span> <span class="p">:</span> <span class="n">Controller</span> <span class="p">{</span> <span class="p">[</span><span class="n">Authorize</span><span class="p">]</span> <span class="k">public</span> <span class="n">ActionResult</span> <span class="nf">Index</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">View</span><span class="p">();</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Update the _Layout.cshtml file to link the routes in both apps.</p> <p>ASP.NET 4.8<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&lt;ul class="navbar-nav flex-grow-1"&gt; @if (Request.IsAuthenticated) { &lt;li&gt; &lt;a href="#"&gt;Hello, @User.Identity.Name!&lt;/a&gt; &lt;/li&gt; &lt;li&gt; @using (Html.BeginForm("Logout", "Account", FormMethod.Post, new { id = "logoutForm", @class = "navbar-form" })) { @Html.AntiForgeryToken() &lt;button type="submit" class="btn btn-link navbar-btn"&gt;Logout&lt;/button&gt; } &lt;/li&gt; } else { &lt;li&gt; @Html.ActionLink("Login", "Login", "Account", new { area = "" }, new { @class = "nav-link" }) &lt;/li&gt; } &lt;li&gt;@Html.ActionLink("Home", "Index", "Home", new { area = "" }, new { @class = "nav-link" })&lt;/li&gt; &lt;li&gt;@Html.ActionLink("Local Private", "Index", "Private", new { area = "" }, new { @class = "nav-link" })&lt;/li&gt; &lt;li&gt; &lt;a class="nav-link" href="https://localhost:7102/Private"&gt;External Private&lt;/a&gt; &lt;/li&gt; &lt;/ul&gt; </code></pre> </div> <p>ASP.NET Core<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&lt;ul class="navbar-nav flex-grow-1"&gt; @if (User.Identity.IsAuthenticated) { &lt;li class="nav-item"&gt; &lt;span class="navbar-text"&gt;Hello, @User.Identity.Name!&lt;/span&gt; &lt;/li&gt; &lt;li class="nav-item"&gt; &lt;form id="logoutForm" asp-controller="Account" asp-action="Logout" method="post" class="form-inline"&gt; @Html.AntiForgeryToken() &lt;button type="submit" class="nav-link btn btn-link" style="display:inline; padding:0;"&gt;Logout&lt;/button&gt; &lt;/form&gt; &lt;/li&gt; } else { &lt;li class="nav-item"&gt; &lt;a class="nav-link" asp-controller="Account" asp-action="Login"&gt;Login&lt;/a&gt; &lt;/li&gt; } &lt;li class="nav-item"&gt; &lt;a class="nav-link text-dark" asp-area="" asp-controller="Home" asp-action="Index"&gt;Home&lt;/a&gt; &lt;/li&gt; &lt;li class="nav-item"&gt; &lt;a class="nav-link text-dark" asp-area="" asp-controller="Home" asp-action="Privacy"&gt;Privacy&lt;/a&gt; &lt;/li&gt; &lt;li class="nav-item"&gt; &lt;a class="nav-link text-dark" asp-area="" asp-controller="Private" asp-action="Index"&gt;Local Private&lt;/a&gt; &lt;/li&gt; &lt;li&gt; &lt;a class="nav-link text-dark" href="https://localhost:44301/Private"&gt;External Private&lt;/a&gt; &lt;/li&gt; &lt;/ul&gt; </code></pre> </div> <p>We're done! ⭐</p> <h2> Bonus </h2> <p>Of course, sharing the DataProtectionKey via the local file system isn't ideal.</p> <p>There are many remote and distributed alternatives available, but for demonstration purposes, we'll use Valkey/Redis.</p> <p>Now, let's create and run a container with Valkey to store the data protection key.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code>docker run -d --rm -p "6379:6379" --name share-valkey valkey/valkey:alpine </code></pre> </div> <p>(it could be any Valkey/Redis server that you have access)</p> <p>Back to ASP.NET 4.8 application</p> <p>Install the package Microsoft.AspNetCore.DataProtection.StackExchangeRedis</p> <p>And change the Startup class<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">public</span> <span class="k">class</span> <span class="nc">Startup</span> <span class="p">{</span> <span class="k">const</span> <span class="kt">string</span> <span class="n">APPLICATION_NAME</span> <span class="p">=</span> <span class="s">"SharedAuthCookieApp"</span><span class="p">;</span> <span class="k">const</span> <span class="kt">string</span> <span class="n">COOKIE_NAME</span> <span class="p">=</span> <span class="s">".AspNet.ApplicationAuthCookie"</span><span class="p">;</span> <span class="k">const</span> <span class="kt">string</span> <span class="n">COOKIE_PATH</span> <span class="p">=</span> <span class="s">"/"</span><span class="p">;</span> <span class="k">const</span> <span class="kt">string</span> <span class="n">LOGIN_PATH</span> <span class="p">=</span> <span class="s">"/Account/Login"</span><span class="p">;</span> <span class="k">const</span> <span class="kt">string</span> <span class="n">SHARING_FOLDER_PATH</span> <span class="p">=</span> <span class="s">@"C:\Sources\Tests\DotNet\SharedAuthCookie"</span><span class="p">;</span> <span class="k">const</span> <span class="kt">string</span> <span class="n">DATA_PROTECTION_KEY_CACHE_NAME</span> <span class="p">=</span> <span class="s">"MY-SHARED-DATA-PROTECTION-KEY"</span><span class="p">;</span> <span class="k">public</span> <span class="k">void</span> <span class="nf">Configuration</span><span class="p">(</span><span class="n">IAppBuilder</span> <span class="n">app</span><span class="p">)</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">loginPath</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">PathString</span><span class="p">(</span><span class="n">LOGIN_PATH</span><span class="p">);</span> <span class="kt">var</span> <span class="n">chunkingCookieManager</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">ChunkingCookieManager</span><span class="p">();</span> <span class="kt">var</span> <span class="n">dataProtectionProvider</span> <span class="p">=</span> <span class="n">DataProtectionProvider</span><span class="p">.</span><span class="nf">Create</span><span class="p">(</span> <span class="k">new</span> <span class="nf">DirectoryInfo</span><span class="p">(</span><span class="n">SHARING_FOLDER_PATH</span><span class="p">),</span> <span class="n">builder</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">builder</span><span class="p">.</span><span class="nf">SetApplicationName</span><span class="p">(</span><span class="n">APPLICATION_NAME</span><span class="p">);</span> <span class="n">builder</span><span class="p">.</span><span class="nf">PersistKeysToStackExchangeRedis</span><span class="p">(</span><span class="n">ConnectionMultiplexer</span><span class="p">.</span><span class="nf">Connect</span><span class="p">(</span><span class="s">"localhost:6379"</span><span class="p">),</span> <span class="n">DATA_PROTECTION_KEY_CACHE_NAME</span><span class="p">);</span> <span class="p">}</span> <span class="p">).</span><span class="nf">CreateProtector</span><span class="p">(</span> <span class="s">"Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware"</span><span class="p">,</span> <span class="s">"Cookies"</span><span class="p">,</span> <span class="s">"v2"</span> <span class="p">);</span> </code></pre> </div> <p>Don't worry about maintaining the DirectoryInfo because the builder won't generate the DataProtectionKey file anymore.</p> <p>And in the ASP.NET Core application, configure Data Protection to use the same remote key storage.</p> <p>Install the package Microsoft.AspNetCore.DataProtection.StackExchangeRedis</p> <p>Change the Program class<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">public</span> <span class="k">class</span> <span class="nc">Program</span> <span class="p">{</span> <span class="k">const</span> <span class="kt">string</span> <span class="n">APPLICATION_NAME</span> <span class="p">=</span> <span class="s">"SharedAuthCookieApp"</span><span class="p">;</span> <span class="k">const</span> <span class="kt">string</span> <span class="n">COOKIE_NAME</span> <span class="p">=</span> <span class="s">".AspNet.ApplicationAuthCookie"</span><span class="p">;</span> <span class="k">const</span> <span class="kt">string</span> <span class="n">COOKIE_PATH</span> <span class="p">=</span> <span class="s">"/"</span><span class="p">;</span> <span class="k">const</span> <span class="kt">string</span> <span class="n">LOGIN_PATH</span> <span class="p">=</span> <span class="s">"/Account/Login"</span><span class="p">;</span> <span class="k">const</span> <span class="kt">string</span> <span class="n">DATA_PROTECTION_KEY_CACHE_NAME</span> <span class="p">=</span> <span class="s">"MY-SHARED-DATA-PROTECTION-KEY"</span><span class="p">;</span> <span class="k">public</span> <span class="k">static</span> <span class="k">void</span> <span class="nf">Main</span><span class="p">(</span><span class="kt">string</span><span class="p">[]</span> <span class="n">args</span><span class="p">)</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">builder</span> <span class="p">=</span> <span class="n">WebApplication</span><span class="p">.</span><span class="nf">CreateBuilder</span><span class="p">(</span><span class="n">args</span><span class="p">);</span> <span class="c1">// Add services to the container.</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddControllersWithViews</span><span class="p">();</span> <span class="err">#</span><span class="n">region</span> <span class="n">Cookie</span> <span class="n">Configuration</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddDataProtection</span><span class="p">()</span> <span class="p">.</span><span class="nf">PersistKeysToStackExchangeRedis</span><span class="p">(</span><span class="n">ConnectionMultiplexer</span><span class="p">.</span><span class="nf">Connect</span><span class="p">(</span><span class="s">"localhost:6379"</span><span class="p">),</span> <span class="n">DATA_PROTECTION_KEY_CACHE_NAME</span><span class="p">)</span> <span class="p">.</span><span class="nf">SetApplicationName</span><span class="p">(</span><span class="n">APPLICATION_NAME</span><span class="p">);</span> </code></pre> </div> <p>Running the applications, we can see that the DataProtectionKey is being used from Valkey/Redis.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvoy4epj37jj55q45twve.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvoy4epj37jj55q45twve.png" alt="DataProtectionKey on Valkey" width="800" height="210"></a></p> <p>😍</p> <p>That's it!</p> <p>I know there's a lot of code, but in the end, it's pretty straightforward once you understand how to configure the OWIN cookie.</p> <p>Let's review some key points.</p> <p>In ASP.NET 4.8</p> <ul> <li>Install the following packages: <ul> <li>Microsoft.Owin.Host.SystemWeb</li> <li>Microsoft.Owin.Security.Cookies</li> <li>Microsoft.Owin.Security.Interop</li> <li>Microsoft.AspNetCore.DataProtection.StackExchangeRedis</li> </ul> </li> <li>Create the Startup class to configure the cookie settings</li> <li>Update the AccountController to properly create and destroy the authentication cookie</li> <li>Configure AntiForgeryToken in the Application_Start method of Global.asax</li> </ul> <p>In ASP.NET Core</p> <ul> <li>Install the package: <ul> <li>Microsoft.AspNetCore.DataProtection.StackExchangeRedis</li> </ul> </li> <li>Configure Cookie Authentication: <ul> <li>Add cookie authentication to the WebApplicationBuilder.</li> <li>Call <code>app.UseAuthentication()</code> in the pipeline.</li> </ul> </li> <li>Modify how the Account controller creates and destroys the authentication cookie</li> </ul> <p>Important to note</p> <ul> <li>The cookie parameters must be the same in both applications.</li> <li>Do not expose the DataProtectionKey 🔥</li> </ul> <p>The source code can be found <a href="https://github.com/roicp/SharedAuthCookie" rel="noopener noreferrer">here</a></p> <p>Thanks, and keep making awesome code!</p> aspnet dotnet webdev