Open Closed

Owin Share Cookie between AspNetZero and another Mvc project #594


0
byteplatz created

Hello Halil,

Im testing the migration path we will use for our application. For a while, we will need to have both (legacy MVC and new AspNetZero Mvc) workin in parallel.

I would like to setup Owin shared cookie between AspNetZero and legacy MVC but I need to understand few things from your side.

If you create a solution with 02 different web projects (called Web1 and Web2) and leave the defaults for OWIN, both apps share same cookie authentication: if you decorate with [Authorize] and create user in Web1 then access Web2, Web2 will allow the request even if the user does not exists there. Thats okay and expected behavior (the cookie name are the same and the machine are the same as well).

This scenario creates (by using google chrome) one cookie "LocalStorage" for each webapp:

http://localhost:58830 - Web1
http://localhost:58831 - Web2

So far so good. This behavior is what Im trying to setup between AspNetZero and my legacy MVC app.

Now, from AspNetZero: When I start google chrome and navigate to aspnetzero home page (no logged in user yet) it does not create the "localstorage" cookie (like Web1 and Web2). Instead it creates the ASP.Net_SessionId and VerificationToken...

Thats okay for me...

But Im trying to understant what should I need to do to "SHARE" AspNetZero Cookie with Web1 and Web2. I've tried to set the same cookie name for all 3 apps but that didn't work.

I believe is something related to session or something.

Do you have any customization on owin/katana/session (besides AbpSession) that manage to change cookies ?

Can you help me on this issue ?

Bruno


2 Answer(s)
  • 0
    hikalkan created
    Support Team

    <a class="postlink" href="http://localhost:58830">http://localhost:58830</a> and <a class="postlink" href="http://localhost:58831">http://localhost:58831</a> can not share same cookie. Because they are different web sites (different domains) for the browser and browser does not send cookie of <a class="postlink" href="http://localhost:58830">http://localhost:58830</a> to <a class="postlink" href="http://localhost:58831">http://localhost:58831</a>. If it sends, this leads to a big security problem. It's only possible if they have the same port but this is also not possible since IIS does not allow it.

    Your 2 AspNet Zero application can share cookie since they both run in same port. If you change the port, you will see that they don't share cookie.

    So, this is actually a client side behaviour, not related to server (And also we did not do any special OWIN thing).

    Maybe I'm wrong but I know it like that.

  • 0
    byteplatz created

    Actually it's domain based not port based...

    We manages it to work with different ports and same cookie name

    Legacy and new coexisting now

    Kind regards

    Bruno