I am currently working on an Azure App Service named demoapp that has two slots:
Production Slot: Running a .NET Framework 4.7.2 application using OWIN middleware for cookie-based authentication.
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Account/Login"),
    CookieHttpOnly = true,
    CookieSecure = CookieSecureOption.Always,
    ExpireTimeSpan = TimeSpan.FromMinutes(cookiesExpirationTimeout),
    SlidingExpiration = true,
    Provider = new CookieAuthenticationProvider
    {
        // Enables the application to validate the security stamp when the user logs in.
        // This is a security feature which is used when you change a password or add an external login to your account.
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            validateInterval: TimeSpan.FromMinutes(30),
            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
    }
});
UAT Slot: Running a .NET 8 application using ASP.NET Core authentication.
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Cookie.Name = ".AspNet.ApplicationCookie";
        options.LoginPath = new PathString("/Account/Login");
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.ExpireTimeSpan = TimeSpan.FromMinutes(Configuration.GetValue<int>("CookiesExpirationTimeout").ToDbInt());
        options.SlidingExpiration = true;
        options.Events = new CookieAuthenticationEvents()
        {
            OnValidatePrincipal = (context) => PrincipalValidator.ValidatePrincipal(context)
        };
    });
We are using percentage traffic routing to direct some traffic from the production slot to the UAT slot. This results in the x-ms-routing-name cookie being set to identify the slot. The issue arises when this cookie expires and is reset. If a user is browsing the production site and the x-ms-routing-name cookie resets to the UAT slot, they encounter an unauthorized error because the authentication cookie was set for the .NET Framework application and is now being validated by the .NET 8 application.
How can I share the authentication cookies between both applications to prevent these unauthorized errors? Has anyone else dealt with a similar scenario or have any best practices to share?
See this article:
https://learn.microsoft.com/en-us/aspnet/core/security/cookie-sharing?view=aspnetcore-9.0
One of the main requirements is to configure the OWIN and ASP.NET (.NET 8) data protection providers to use the same encryption keys.
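Concretely, the shared key ring the answer refers to looks like this on both slots, following the linked article. This is an added example, not the question author's code; the key ring path and the "SharedCookieApp" application name are placeholders that must be identical on both sides, and the purpose strings assume the ASP.NET Core side keeps the default "Cookies" scheme shown in the question.

```csharp
// ---- Production slot: .NET Framework 4.7.2 / OWIN (Startup.Auth.cs) ----
// Packages: Microsoft.Owin.Security.Interop, Microsoft.AspNetCore.DataProtection.Extensions
using System.IO;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Interop;

// Each slot has its own content storage, so the key ring must live somewhere both
// slots can reach (placeholder path; a mounted share or Azure Blob Storage in practice).
var keyRing = new DirectoryInfo(@"PATH TO COMMON KEY RING FOLDER");

var protectionProvider = DataProtectionProvider.Create(keyRing,
    builder => builder.SetApplicationName("SharedCookieApp"));

// Purposes must match what the ASP.NET Core cookie handler derives for the
// "Cookies" scheme (CookieAuthenticationDefaults.AuthenticationScheme), format "v2".
var dataProtector = protectionProvider.CreateProtector(
    "Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware",
    "Cookies", "v2");

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    CookieName = ".AspNet.ApplicationCookie",            // same name as the UAT slot
    CookieHttpOnly = true,
    CookieSecure = CookieSecureOption.Always,
    // Serialize tickets in the ASP.NET Core format, protected with the shared keys
    TicketDataFormat = new AspNetTicketDataFormat(new DataProtectorShim(dataProtector)),
    CookieManager = new ChunkingCookieManager(),         // Core-compatible cookie chunking
    // existing LoginPath / expiry / SecurityStampValidator settings stay as they are
});

// ---- UAT slot: .NET 8 / ASP.NET Core (Program.cs) ----
// Namespaces: Microsoft.AspNetCore.DataProtection, Microsoft.AspNetCore.Authentication.Cookies
builder.Services.AddDataProtection()
    .PersistKeysToFileSystem(new DirectoryInfo(@"PATH TO COMMON KEY RING FOLDER"))
    .SetApplicationName("SharedCookieApp");              // must match the OWIN side

builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Cookie.Name = ".AspNet.ApplicationCookie"; // must match the OWIN side
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        // existing LoginPath / expiry / OnValidatePrincipal settings stay as they are
    });
```

With both slots reading the same key ring, a ticket issued by either application validates in the other, so a flip of the x-ms-routing-name cookie no longer produces an unauthorized response. Anyone who can read that key ring can mint valid cookies for both slots, so restrict access to the shared store as tightly as you would to the applications' own secrets.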