Are "traditional" forms authentication and the OWIN middleware (with UseCookieAuthentication) perfectly interchangeable?
I'd like to make a simple subdomain SSO (like many examples suggest): Sharing authentication between parent and child web applications
My parent application is an old ASP.NET Web Forms application with forms authentication configured in web.config:
    <system.web>
      <authentication mode="Forms">
        <forms loginUrl="~/Account/Login" timeout="2880" name=".ASPXAUTH" protection="Validation" domain="localhost" />
      </authentication>
      <machineKey validationKey="E0230924313583BE9D071B5826165A7C6198A1697AE2F549535F0744FFDC414638882DDC507C7B097EAD5B4FB67819D9520D0A9D05B2D38EAB4AF0B36DAAA39F" decryptionKey="D29E22658319B16CAE17C9CD0269AB15DEAF9068FB6D459C" validation="SHA1" decryption="AES"></machineKey>
    </system.web>
and a child application (in a subdomain) that is an ASP.NET MVC 5 application (with OWIN UseCookieAuthentication), so the security is configured in Startup.cs and not in web.config:
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        // Same cookie name and domain as the parent's <forms> element
        CookieName = ".ASPXAUTH",
        CookieDomain = "localhost",
        Provider = new CookieAuthenticationProvider { OnApplyRedirect = ApplyRedirect }
    });

    // Sends unauthenticated users to the parent's login page (absolute URL)
    private static void ApplyRedirect(CookieApplyRedirectContext context)
    {
        Uri absoluteUri;
        if (Uri.TryCreate(context.RedirectUri, UriKind.Absolute, out absoluteUri))
        {
            var path = PathString.FromUriComponent(absoluteUri);
            if (path == context.OwinContext.Request.PathBase + context.Options.LoginPath)
                context.RedirectUri = "http://localhost/subSiteAuthenticationTest/Account/Login" +
                    new QueryString(
                        context.Options.ReturnUrlParameter,
                        context.Request.Uri.AbsoluteUri);
        }
        context.Response.Redirect(context.RedirectUri);
    }
In the child application's web.config I configured only the same machine key as the parent application:
    <system.web>
      <authentication mode="None" />
      <machineKey validationKey="E0230924313583BE9D071B5826165A7C6198A1697AE2F549535F0744FFDC414638882DDC507C7B097EAD5B4FB67819D9520D0A9D05B2D38EAB4AF0B36DAAA39F" decryptionKey="D29E22658319B16CAE17C9CD0269AB15DEAF9068FB6D459C" validation="SHA1" decryption="AES"></machineKey>
    </system.web>
The parent's login page is used for both applications (in order to use an absolute path for the login page in the child application, I implemented "OnApplyRedirect" as this post says: Login page on different domain),
but this doesn't work. Did I miss something?
Are "traditional" forms authentication and the OWIN middleware (with UseCookieAuthentication) perfectly interchangeable?
Unfortunately, no, they're not interchangeable.
You can, however, provide a custom TicketDataFormat in the CookieAuthenticationOptions.
Here's an example.
SSO for ASP.NET MVC4 and MVC5 web apps shared the same domain
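One possible shape for such a custom TicketDataFormat, as an added example (not code from the answer or the linked post): it makes the OWIN cookie middleware read and write FormsAuthentication tickets. The class name FormsAuthTicketDataFormat is hypothetical, and the example assumes the child application's machineKey, machineKey compatibility mode and forms protection setting match the parent's.

```csharp
using System;
using System.Security.Claims;
using System.Web.Security;
using Microsoft.Owin.Security;

// Added example; FormsAuthTicketDataFormat is a hypothetical name.
// Wire it up in Startup.cs next to CookieName/CookieDomain:
//   TicketDataFormat = new FormsAuthTicketDataFormat(
//       DefaultAuthenticationTypes.ApplicationCookie)
public class FormsAuthTicketDataFormat : ISecureDataFormat<AuthenticationTicket>
{
    private readonly string _authenticationType;

    public FormsAuthTicketDataFormat(string authenticationType)
    {
        _authenticationType = authenticationType;
    }

    // Called on sign-in: emit a cookie value the Web Forms parent can read.
    public string Protect(AuthenticationTicket data)
    {
        var issued = data.Properties.IssuedUtc ?? DateTimeOffset.UtcNow;
        var expires = data.Properties.ExpiresUtc ?? issued.Add(FormsAuthentication.Timeout);
        var ticket = new FormsAuthenticationTicket(
            2, data.Identity.Name, issued.LocalDateTime, expires.LocalDateTime,
            data.Properties.IsPersistent, string.Empty);
        return FormsAuthentication.Encrypt(ticket);
    }

    // Called on every request: validate the parent's cookie with the shared machineKey.
    public AuthenticationTicket Unprotect(string protectedText)
    {
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(protectedText); }
        catch (Exception) { return null; }   // tampered or foreign cookie: unauthenticated
        if (ticket == null || ticket.Expired) return null;

        var identity = new ClaimsIdentity(_authenticationType);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, ticket.Name));
        identity.AddClaim(new Claim(ClaimTypes.Name, ticket.Name));
        var properties = new AuthenticationProperties
        {
            IssuedUtc = ticket.IssueDate.ToUniversalTime(),
            ExpiresUtc = ticket.Expiration.ToUniversalTime(),
            IsPersistent = ticket.IsPersistent
        };
        return new AuthenticationTicket(identity, properties);
    }
}
```

Returning null from Unprotect makes the middleware treat the request as unauthenticated, so a cookie that fails validation falls through to the login redirect instead of raising an error.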