I'm trying to develop SSO authentication between 2 web applications, application A and application B. Application A is an MVC 4 application and application B is an MVC 3 application.
What should happen is:
- When a user tries to access application B, he will be redirected to the login page of application A
- After he logs in to application A, he will be redirected to application B
What actually happens is:
- User tries to access application B, he gets redirected to application A for login
- User logs in to application A, he gets redirected to application B
- Here something is wrong, because application B redirects the user back to application A for login as if he's not logged in yet
I've done these steps to figure out what's wrong:
- Confirmed that the authentication cookie is being passed to application B
- Confirmed that machine key validation and decryption key is the same for both applications in web.config
- Confirmed enableCrossAppRedirects is enabled in web.config
- I used the code in this forum post to find out if both applications are able to decrypt the authentication cookie: http://forums.asp.net/t/1762166.aspx/1
- The authentication cookie is successfully decrypted in application A but not in application B. Application B throws an "Unable to validate data" exception in the FormsAuthentication.Decrypt method
Can anyone help me with this? Why did the decryption fail even though they're using the same machine key? Can I even still rely on this authentication method? This article says that it's not reliable anymore:
http://blog.appharbor.com/2012/02/22/asp-net-forms-authentication-considered-broken
Thanks!
Uf... finally found the issue. The problem was that application A is targeting .NET Framework 4.5 and application B is targeting .NET Framework 4.
I suspected this before but apparently changing the target framework in the Project Properties is not enough. You have to add this <httpRuntime targetFramework="4.5"/> to application B's web.config to make it work.
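The web.config settings the question and the answer walk through, collected in one excerpt as an added example (not from the original post): the machineKey, forms and httpRuntime elements that must match in application A and application B. The cookie name, domain, login URL and key placeholders are assumptions; the key values in particular are placeholders to be replaced with generated keys. Setting targetFramework="4.5" also switches the machineKey crypto pipeline to compatibilityMode="Framework45", which is why an app left on the 4.0 pipeline cannot validate a ticket issued by a 4.5 app even with identical keys.

```xml
<!-- web.config excerpt: the <system.web> section below must be identical in
     application A and application B for the forms ticket to round-trip. -->
<configuration>
  <system.web>
    <!-- The line application B was missing. Changing the project target alone
         leaves the runtime on the 4.0 pipeline; this attribute is what flips
         machineKey to compatibilityMode="Framework45" (and vice versa). -->
    <httpRuntime targetFramework="4.5" />

    <authentication mode="Forms">
      <!-- Assumed values: same cookie name in both apps; domain set so the
           cookie is sent to both hosts; loginUrl points at application A. -->
      <forms name=".SSOAUTH"
             loginUrl="https://appa.example.local/Account/Login"
             domain=".example.local"
             enableCrossAppRedirects="true"
             protection="All"
             requireSSL="true" />
    </authentication>

    <!-- PLACEHOLDER keys: generate your own hex values and keep them out of
         source control. validationKey, decryptionKey, validation and
         decryption must be byte-for-byte identical in both applications. -->
    <machineKey validationKey="REPLACE_WITH_GENERATED_HEX_VALIDATION_KEY"
                decryptionKey="REPLACE_WITH_GENERATED_HEX_DECRYPTION_KEY"
                validation="HMACSHA256"
                decryption="AES" />
  </system.web>
</configuration>
```

If one application cannot be retargeted, the alternative is to pin compatibilityMode explicitly on the machineKey element in both apps so the ticket format matches regardless of targetFramework.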