Share authentication cookies between ASP.NET 4.x and ASP.NET Core apps

[marafiq]

After many attempts to share authentication cookies without identity between ASP.NET 4.7.1 and .NET 5 hosted under IIS. Documentation is not clear, and lack key details with reference to configuring data protector for authentication cookie.

.NET Framework docs says that configure CookieAuthenticationOptions by setting TicketDataFormat where data protector has to be configured seen below. Docs should note that .NET 5 should also configure in exactly same way. See below

Note: Make sure purpose & sub purpose strings are same for .NET framework & .NET 5 set on Ticket Data Format.

//.NET Framework config
app.UseCookieAuthentication(new CookieAuthenticationOptions()
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                CookieName = ".AspNet.SharedCookie",
                CookieSameSite = SameSiteMode.Lax,
                SlidingExpiration = true,
                ExpireTimeSpan = TimeSpan.FromMinutes(120),
                LoginPath = PathString.FromUriComponent("login path"),
                LogoutPath = PathString.FromUriComponent("logout path"),
                TicketDataFormat = new AspNetTicketDataFormat(
                    new DataProtectorShim(
                        DataProtectionProvider.Create(new DirectoryInfo("fileshare path") ,
                                (builder) =>
                                {
                                    
                                    builder.SetApplicationName("iis-app-name");
                                })
                            .CreateProtector(
                                "Microsoft.AspNetCore.Authentication.Cookies." +
                                "CookieAuthenticationMiddleware",
                                "Cookies.Application",
                                "v2"))),
                CookieManager = new ChunkingCookieManager()
            });

//.NET 5 config
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
                .AddCookie(options =>
                {
                    options.Cookie.Name = ".AspNet.SharedCookie";
                    options.Cookie.SameSite = SameSiteMode.Lax;
                    options.Cookie.Path = "/";
                    options.Cookie.HttpOnly = true;
                    options.Cookie.IsEssential = true;
                    options.ExpireTimeSpan = TimeSpan.FromMinutes(120);

                    options.CookieManager = new ChunkingCookieManager();
                    options.TicketDataFormat = new SecureDataFormat<AuthenticationTicket>(new TicketSerializer(),
                        DataProtectionProvider.Create(new DirectoryInfo("fileshare path"),
                                (builder) => { builder.SetApplicationName("iis-app-name"); })
                            .CreateProtector(
                                "Microsoft.AspNetCore.Authentication.Cookies." +
                                "CookieAuthenticationMiddleware",
                                "Cookies.Application",
                                "v2"));
                });

Every other variation I tried did not worked. It would be nice to update the docs with explicit instructions or link to working sample which provides both .NET framework 4.5.x app & .NET 5 app, which can be downloaded & hosted on IIS to see how its working. Randomly pointing to sample which has multiple startup's leaves so much to hunt for.

---

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: 99307104-c0d7-3e82-f0b2-af61dcfe072a
• Version Independent ID: 315c02cb-54c4-e386-da85-6e4311ca10c2
• Content: Share authentication cookies among ASP.NET apps
• Content Source: aspnetcore/security/cookie-sharing.md
• Product: aspnet-core
• Technology: aspnetcore-security
• GitHub Login: @Rick-Anderson
• Microsoft Alias: riande

[guardrex]

Hello @marafiq ... This might not be merely a won't fix but ultimately a scenario removal given the challenges involved in maintaining guidance to make it work. We did have sample apps for this at one time, but we yanked them ages ago.

@HaoK ... When we discussed this a long time ago ... years ago at this point I think ... we dropped the working samples for this scenario from the topic because this wasn't a common request and it can be rather tricky to pull off. I recall that the sample apps for this scenario were a pain to maintain because they broke a few times across releases.

[marafiq]

@guardrex Since I struggled with it for days, I guess only good sleep fixed it. I will say its important to have docs updated & working samples. But apart for that, I think retiring/dropping the docs will not be beneficial especially for folks who are trying to migrate their apps. As migration efforts this is first piece one has to figure out if you can not upgrade everything to .NET 5 or Core which is not practical.

[guardrex]

There are resource limitations, so management has to prioritize issues. Hao told me years ago that devs weren't asking for this scenario very often. That may have changed since then. He'll let us know how he wants to handle it. We can add the bit ur recommending, but I think adding and maintaining samples would be difficult.

[HaoK]

Right its tricky and not commonly asked for, its easier to just help people via issues rather than trying to publish specific documentation at this point. But yeah everything has match exactly or it won't work.

[guardrex]

Thanks @HaoK.

rather than trying to publish specific documentation at this point

In that case, @Rick-Anderson, I can craft the section to link to this issue and inject the original content of the section here. It wouldn't take long to handle this issue that way. Devs would still have access to the content and to what @marafiq has provided. Shall I proceed with a draft PR to see how that would compose? Otherwise if not, either it will take me very long time to reach this issue under the current workload (for major section updates + new sample code tested and placed here), or you'll have to re-assign the issue. 🏃

[Rick-Anderson]

In that case, @Rick-Anderson, I can craft the section to link to this issue and inject the original content of the section here.

Perfect, I think that's the best approach. This issues has details we can't add to a doc, such as "Right its tricky and not commonly asked for".

I propose we edit @HaoK comment to something like using SO so we don't elicit too many support requests.

[guardrex]

Cool ... I'll take care of this by EOW and ping u for review.