I am currently working on an Azure App Service named demoapp that has two slots:
Production Slot: Running a .NET Framework 4.7.2 application using OWIN middleware for cookie-based authentication.
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        CookieHttpOnly = true,
        CookieSecure = CookieSecureOption.Always,
        ExpireTimeSpan = TimeSpan.FromMinutes(cookiesExpirationTimeout),
        SlidingExpiration = true,
        Provider = new CookieAuthenticationProvider
        {
            // Enables the application to validate the security stamp when the user logs in.
            // This is a security feature which is used when you change a password or add an external login to your account.
            OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                validateInterval: TimeSpan.FromMinutes(30),
                regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
        }
    });
UAT Slot: Running a .NET 8 application using ASP.NET Core authentication.
    services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
        .AddCookie(options =>
        {
            options.Cookie.Name = ".AspNet.ApplicationCookie";
            options.LoginPath = new PathString("/Account/Login");
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.ExpireTimeSpan = TimeSpan.FromMinutes(Configuration.GetValue<int>("CookiesExpirationTimeout").ToDbInt());
            options.SlidingExpiration = true;
            options.Events = new CookieAuthenticationEvents()
            {
                OnValidatePrincipal = (context) => PrincipalValidator.ValidatePrincipal(context)
            };
        });
We are using percentage traffic routing to direct some traffic from the production slot to the UAT slot. This results in the x-ms-routing-name cookie being set to identify the slot. The issue arises when this cookie expires and is reset. If a user is browsing the production site and the x-ms-routing-name cookie resets to the UAT slot, they encounter an unauthorized error because the authentication cookie was set for the .NET Framework application and is now being validated by the .NET 8 application.
How can I share the authentication cookies between both applications to prevent these unauthorized errors? Has anyone else dealt with a similar scenario or have any best practices to share?
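The standard way to make an OWIN cookie and an ASP.NET Core cookie interchangeable is to have both apps protect the ticket with the same Data Protection key ring and the same application name, and to have the OWIN side read and write tickets in the ASP.NET Core format through Microsoft.Owin.Security.Interop. The following is an added example (not the poster's code) showing both slots' configuration side by side; the key-ring path, the application name "demoapp" and the scheme name "ApplicationCookie" are assumptions, and the key ring must be a location both slots can reach (slots do not share their local file system by default).

```csharp
// ---- .NET 8 / ASP.NET Core (UAT slot), Program.cs ----
// using Microsoft.AspNetCore.Authentication.Cookies;
// using Microsoft.AspNetCore.DataProtection;
const string SharedScheme = "ApplicationCookie"; // same string as DefaultAuthenticationTypes.ApplicationCookie
var keyRing = new DirectoryInfo(@"\\shared-storage\keyring"); // placeholder: must be visible to BOTH slots

services.AddDataProtection()
    .PersistKeysToFileSystem(keyRing)
    .SetApplicationName("demoapp"); // keys are scoped by app name; both apps must use the same one

services.AddAuthentication(SharedScheme)
    .AddCookie(SharedScheme, options =>
    {
        options.Cookie.Name = ".AspNet.ApplicationCookie"; // identical in both apps
        options.LoginPath = new PathString("/Account/Login");
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.SlidingExpiration = true;
        // Default ticket protector purposes used by this handler are:
        // "Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware", SharedScheme, "v2"
    });

// ---- .NET Framework 4.7.2 / OWIN (production slot), Startup.Auth.cs ----
// NuGet: Microsoft.Owin.Security.Interop, Microsoft.AspNetCore.DataProtection.Extensions
// using Microsoft.AspNetCore.DataProtection;
// using Microsoft.Owin.Security.Interop;
var protector = DataProtectionProvider.Create(
        new DirectoryInfo(@"\\shared-storage\keyring"),     // same key ring as the Core app
        builder => builder.SetApplicationName("demoapp"))   // same application name
    .CreateProtector(
        "Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware",
        DefaultAuthenticationTypes.ApplicationCookie,       // must equal the Core scheme name
        "v2");

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    CookieName = ".AspNet.ApplicationCookie",               // identical in both apps
    LoginPath = new PathString("/Account/Login"),
    CookieHttpOnly = true,
    CookieSecure = CookieSecureOption.Always,
    SlidingExpiration = true,
    // Emit and parse tickets in the ASP.NET Core format so the .NET 8 slot can validate them.
    TicketDataFormat = new AspNetTicketDataFormat(new DataProtectorShim(protector)),
    CookieManager = new ChunkingCookieManager()
});
```

Because both the OWIN security-stamp validator and the Core PrincipalValidator will now run against tickets issued by the other app, the identity created at sign-in has to carry every claim both validators read; otherwise one side will reject a ticket the other side considers valid.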