How to Share Authentication Cookies Between .NET Framework and .NET Core in Azure App Service Slots?

Kirankumar Bharsadiya 60 Reputation points
2024-11-29T14:59:40.7033333+00:00

I am currently working on an Azure App Service named demoapp that has two slots:

Production Slot: Running a .NET Framework 4.7.2 application using OWIN middleware for cookie-based authentication.

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Account/Login"),
    CookieHttpOnly = true,
    CookieSecure = CookieSecureOption.Always,
    ExpireTimeSpan = TimeSpan.FromMinutes(cookiesExpirationTimeout),
    SlidingExpiration = true,
    Provider = new CookieAuthenticationProvider
    {
        // Enables the application to validate the security stamp when the user logs in.
        // This is a security feature which is used when you change a password or add an external login to your account. 
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            validateInterval: TimeSpan.FromMinutes(30),
            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
    }
});

UAT Slot: Running a .NET 8 application using ASP.NET Core authentication.

services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Cookie.Name = ".AspNet.ApplicationCookie";
        options.LoginPath = new PathString("/Account/Login");
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.ExpireTimeSpan = TimeSpan.FromMinutes(Configuration.GetValue<int>("CookiesExpirationTimeout").ToDbInt());
        options.SlidingExpiration = true;
        options.Events = new CookieAuthenticationEvents()
        {
            OnValidatePrincipal = (context) => PrincipalValidator.ValidatePrincipal(context)
        };
    });

We are using percentage traffic routing to direct some traffic from the production slot to the UAT slot. This results in the x-ms-routing-name cookie being set to identify the slot. The issue arises when this cookie expires and is reset. If a user is browsing the production site and the x-ms-routing-name cookie resets to the UAT slot, they encounter an unauthorized error because the authentication cookie was set for the .NET Framework application and is now being validated by the .NET 8 application.

How can I share the authentication cookies between both applications to prevent these unauthorized errors? Has anyone else dealt with a similar scenario or have any best practices to share?


Accepted answer
  1. Bruce (SqlWork.com) 68,311 Reputation points
    2024-11-29T17:08:30.2766667+00:00

    See this article:

    https://learn.microsoft.com/en-us/aspnet/core/security/cookie-sharing?view=aspnetcore-9.0

    One of the main requirements is to configure the OWIN and ASP.NET .NET 8 data protection providers to use the same encryption keys.

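The shared-key setup the accepted answer points to, sketched for the two configurations in the question. This is an added example, not code from the original poster or the answerer. The key directory and the application name `demoapp-shared` are placeholders, and the OWIN side assumes the `Microsoft.Owin.Security.Interop` NuGet package is installed.

```csharp
// ---- File 1: .NET 8 app (UAT slot), Program.cs ----
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.DataProtection;

var builder = WebApplication.CreateBuilder(args);

// Placeholder path: the key ring must live where BOTH slots can read it.
var sharedKeys = new DirectoryInfo(@"C:\shared-keys");

builder.Services.AddDataProtection()
    .PersistKeysToFileSystem(sharedKeys)
    .SetApplicationName("demoapp-shared"); // must be identical in both apps

builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Cookie.Name = ".AspNet.ApplicationCookie"; // name the OWIN app issues
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        // Keep the existing LoginPath, ExpireTimeSpan and Events settings here.
    });

// ---- File 2: .NET Framework 4.7.2 app (production slot), Startup.Auth.cs ----
// using System.IO; using Microsoft.AspNetCore.DataProtection;
// using Microsoft.Owin.Security.Cookies; using Microsoft.Owin.Security.Interop;
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    CookieName = ".AspNet.ApplicationCookie",
    CookieHttpOnly = true,
    CookieSecure = CookieSecureOption.Always,
    // Keep the existing LoginPath, ExpireTimeSpan and Provider settings here.

    // Swap the machine-key ticket format for the ASP.NET Core one so both
    // apps protect and unprotect the cookie with the same key ring.
    TicketDataFormat = new AspNetTicketDataFormat(
        new DataProtectorShim(
            DataProtectionProvider.Create(
                    new DirectoryInfo(@"C:\shared-keys"),
                    b => b.SetApplicationName("demoapp-shared"))
                .CreateProtector(
                    "Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware",
                    "Cookies", // the ASP.NET Core scheme name (CookieAuthenticationDefaults.AuthenticationScheme)
                    "v2"))),
    CookieManager = new ChunkingCookieManager()
});
```

Anyone who can read the shared key ring can mint valid authentication cookies for both applications, so restrict access to the key store and encrypt the keys at rest. Cookies issued before the change were protected with the old machine key and will no longer validate, so expect existing sessions to be signed out once.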