AspNetCore.Docs/aspnetcore/security/data-protection/compatibility/cookie-sharing.md

115 lines
6.2 KiB
Markdown
Raw Normal View History

2016-10-29 01:35:15 +08:00
---
2017-07-01 07:47:15 +08:00
title: Sharing cookies between applications
2016-10-29 01:35:15 +08:00
author: rick-anderson
2016-11-18 04:13:02 +08:00
description:
2017-01-13 01:35:15 +08:00
keywords: ASP.NET Core, ASP.NET, cookies, Interop, cookie sharing
2016-10-29 01:35:15 +08:00
ms.author: riande
manager: wpickett
ms.date: 10/14/2016
ms.topic: article
ms.assetid: 9a7aae45-8e21-4c54-950c-3c29df6c1082
2016-11-17 08:24:57 +08:00
ms.technology: aspnet
ms.prod: asp.net-core
2016-10-29 01:35:15 +08:00
uid: security/data-protection/compatibility/cookie-sharing
---
# Sharing cookies between applications
2016-12-04 02:39:54 +08:00
Web sites commonly consist of many individual web applications, all working together harmoniously. If an application developer wants to provide a good single-sign-on experience, they'll often need all of the different web applications within the site to share authentication tickets between each other.
2016-10-29 01:35:15 +08:00
To support this scenario, the data protection stack allows sharing Katana cookie authentication and ASP.NET Core cookie authentication tickets.
## Sharing authentication cookies between applications
To share authentication cookies between two different ASP.NET Core applications, configure each application that should share cookies as follows.
In your configure method use the CookieAuthenticationOptions to set up the data protection service for cookies and the AuthenticationScheme to match ASP.NET 4.X.
If you're using identity:
2016-11-18 13:03:07 +08:00
```csharp
2016-10-29 01:35:15 +08:00
app.AddIdentity<ApplicationUser, IdentityRole>(options =>
{
options.Cookies.ApplicationCookie.AuthenticationScheme = "ApplicationCookie";
var protectionProvider = DataProtectionProvider.Create(new DirectoryInfo(@"c:\shared-auth-ticket-keys\"));
options.Cookies.ApplicationCookie.DataProtectionProvider = protectionProvider;
options.Cookies.ApplicationCookie.TicketDataFormat = new TicketDataFormat(protectionProvider.CreateProtector("Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware", "Cookies", "v2"));
2016-10-29 01:35:15 +08:00
});
2016-11-18 13:03:07 +08:00
```
2016-10-29 01:35:15 +08:00
If you're using cookies directly:
2016-11-18 13:03:07 +08:00
```csharp
2016-10-29 01:35:15 +08:00
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
DataProtectionProvider = DataProtectionProvider.Create(new DirectoryInfo(@"c:\shared-auth-ticket-keys\"))
});
2016-11-18 13:03:07 +08:00
```
The `DataProtectionProvider` requires the `Microsoft.AspNetCore.DataProtection.Extensions` NuGet package.
2016-10-29 01:35:15 +08:00
When used in this manner, the DirectoryInfo should point to a key storage location specifically set aside for authentication cookies. The cookie authentication middleware will use the explicitly provided implementation of the DataProtectionProvider, which is now isolated from the data protection system used by other parts of the application. The application name is ignored (intentionally so, since you're trying to get multiple applications to share payloads).
>[!WARNING]
>You should consider configuring the DataProtectionProvider such that keys are encrypted at rest, as in the below example.
>
>
2016-11-18 13:03:07 +08:00
> ```csharp
2016-10-29 01:35:15 +08:00
> app.UseCookieAuthentication(new CookieAuthenticationOptions
> {
> DataProtectionProvider = DataProtectionProvider.Create(
> new DirectoryInfo(@"c:\shared-auth-ticket-keys\"),
> configure =>
> {
> configure.ProtectKeysWithCertificate("thumbprint");
> })
> });
2016-11-18 13:03:07 +08:00
> ```
2016-10-29 01:35:15 +08:00
## Sharing authentication cookies between ASP.NET 4.x and ASP.NET Core applications
ASP.NET 4.x applications which use Katana cookie authentication middleware can be configured to generate authentication cookies which are compatible with the ASP.NET Core cookie authentication middleware. This allows upgrading a large site's individual applications piecemeal while still providing a smooth single sign on experience across the site.
>[!TIP]
> You can tell if your existing application uses Katana cookie authentication middleware by the existence of a call to UseCookieAuthentication in your project's Startup.Auth.cs. ASP.NET 4.x web application projects created with Visual Studio 2013 and later use the Katana cookie authentication middleware by default.
> [!NOTE]
> Your ASP.NET 4.x application must target .NET Framework 4.5.1 or higher, otherwise the necessary NuGet packages will fail to install.
To share authentication cookies between your ASP.NET 4.x applications and your ASP.NET Core applications, configure the ASP.NET Core application as stated above, then configure your ASP.NET 4.x applications by following the steps below.
1. Install the package Microsoft.Owin.Security.Interop into each of your ASP.NET 4.x applications.
2. In Startup.Auth.cs, locate the call to UseCookieAuthentication, which will generally look like the following.
2016-11-18 13:03:07 +08:00
```csharp
2016-10-29 01:35:15 +08:00
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
// ...
});
2016-11-18 13:03:07 +08:00
```
2016-10-29 01:35:15 +08:00
2017-01-13 01:35:15 +08:00
3. Modify the call to UseCookieAuthentication as follows, changing the CookieName to match the name used by the ASP.NET Core cookie authentication middleware, providing an instance of a DataProtectionProvider that has been initialized to a key storage location, and set CookieManager to interop ChunkingCookieManager so the chunking format is compatible.
2016-10-29 01:35:15 +08:00
2016-11-18 13:03:07 +08:00
```csharp
2016-10-29 01:35:15 +08:00
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
CookieName = ".AspNetCore.Cookies",
// CookieName = ".AspNetCore.ApplicationCookie", (if you're using identity)
2016-10-29 01:35:15 +08:00
// CookiePath = "...", (if necessary)
// ...
TicketDataFormat = new AspNetTicketDataFormat(
new DataProtectorShim(
DataProtectionProvider.Create(new DirectoryInfo(@"c:\shared-auth-ticket-keys\"))
.CreateProtector("Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware",
2017-01-13 01:35:15 +08:00
"Cookies", "v2"))),
CookieManager = new ChunkingCookieManager()
2016-10-29 01:35:15 +08:00
});
2016-11-18 13:03:07 +08:00
```
2016-10-29 01:35:15 +08:00
The DirectoryInfo has to point to the same storage location that you pointed your ASP.NET Core application to and should be configured using the same settings.
The ASP.NET 4.x and ASP.NET Core applications are now configured to share authentication cookies.
> [!NOTE]
> You'll need to make sure that the identity system for each application is pointed at the same user database. Otherwise the identity system will produce failures at runtime when it tries to match the information in the authentication cookie against the information in its database.