Can ASP.NET Membership interoperate with ASP.NET Core? #1501
Comments
Short answer: No. Long answer: Everything has been rewritten and the ASP.NET Membership is hooked in the old pipeline. Since the old pipeline was ripped, then no. Not compatible.
The old membership system (like the current one) is just a wrapper around some DB calls. I don't see why you can't build something in .NET core to use the data that's in the old format. The passwords are the only real concern and hopefully they're just hashed -- you can still do that validation in .NET Core.
Thanks for the quick responses folks! My main concern is how to validate that a request has a valid Auth cookie token and be able to decrypt it. This is all part of the FormsAuthentication in ASP.NET and I believe this relies on the machine keys which are not used in ASP.NET Core. Are the inner APIs available in .NET Core so I can do the auth ticket validation/decryption on my own?
Well, that's not membership -- that's forms auth. So yes, as @MaximRouiller said there's no port of that in ASP.NET core. You'd just change your app to use the cookie authentication middleware. That's the replacement.
Thanks @brockallen. Changing all our apps to use the cookie auth middleware would be a major effort I doubt I can sell to business. Can you tell me if from a security perspective this is a bad idea: Create an ActionFilter in the new ASP.NET Core app that will get the auth ticket and do an HTTP request to one of our existing apps and get back a response saying if the auth ticket is still valid? Aside from the obvious latency added on each request that requires auth validation, is there a security risk that I am missing?
Sure, and it'd be more effort to convert the app code themselves to ASP.NET Core.
Sounds like you'd really need to spend time thinking about this.
Check this issue out aspnet/Security#617 /cc @blowdart
The answer is yes. Kind of. We have a shim for .NET 4.5.2 which switches the cookie code to use the new format. https://www.nuget.org/packages/Microsoft.AspNetCore.DataProtection.SystemWeb/1.0.0-rc2-final It's even documented - https://docs.asp.net/en/latest/security/data-protection/compatibility/cookie-sharing.html (although the docs haven't been updated for RC2 yet). With that a cookie issued by a 4.5.2 app should be readable by a core app. In addition there's code coming which upgrades the membership database to something both things can understand, so you can share a database too. @HaoK has a PR in for that.
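The receiving side of the cookie sharing described in the comment above, as an added example that is not code from this thread or from the ASP.NET team. It is written against the current minimal-hosting API rather than the RC2 packages linked above, and it assumes the 4.5.2 app already issues its cookie in the new format against the same key ring; the key directory, application name, cookie name and `/whoami` endpoint are placeholders.

```csharp
// Added example: ASP.NET Core app that accepts an auth cookie issued by another app.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.DataProtection;

var builder = WebApplication.CreateBuilder(args);

// Placeholder path. Every app that shares the cookie must read the same key ring,
// and the directory should be readable only by the app identities: whoever can
// read these keys can mint valid cookies.
var keyRing = new DirectoryInfo(@"C:\shared-keys\example");

builder.Services.AddDataProtection()
    .PersistKeysToFileSystem(keyRing)
    // Must be identical in every participating app; a different name isolates
    // the apps from each other and the cookie fails to decrypt.
    .SetApplicationName("SharedCookieApp");

builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Cookie.Name = ".AspNet.SharedCookie"; // same name the issuing app uses
        options.Cookie.Path = "/";
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        // This app hosts no login page: answer 401 instead of redirecting.
        options.Events.OnRedirectToLogin = ctx =>
        {
            ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return Task.CompletedTask;
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Hypothetical endpoint: succeeds only if the shared cookie decrypted and validated.
app.MapGet("/whoami", (ClaimsPrincipal user) => user.Identity?.Name ?? "(no name claim)")
   .RequireAuthorization();

app.Run();
```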
Hello Open Source Aspirants, Experienced developers and Architects, //cc @davidfowl @brockallen
What I would suggest is designing with proper single signon. IdentityServer can be used for that: https://github.com/IdentityServer/IdentityServer4
This issue is being closed because it has not been updated in 3 months. We apologize if this causes any inconvenience. We ask that if you are still encountering this issue, please log a new issue with updated information and we will investigate.
I know this is an old issue, but in case anyone is looking for a way to easily migrate:
We have a big website composed of several ASP.NET apps. We are using ASP.NET Membership for authentication.
Does ASP.NET Core provide anything out of the box to interoperate with Membership, like being able to decrypt/validate the auth cookie?