182 lines
12 KiB
Markdown
182 lines
12 KiB
Markdown
---
|
|
title: Share cookies among apps with ASP.NET and ASP.NET Core
|
|
author: rick-anderson
|
|
description: Learn how to share authentication cookies among ASP.NET 4.x and ASP.NET Core apps.
|
|
manager: wpickett
|
|
ms.author: riande
|
|
ms.custom: mvc
|
|
ms.date: 01/19/2017
|
|
ms.prod: asp.net-core
|
|
ms.technology: aspnet
|
|
ms.topic: article
|
|
uid: security/cookie-sharing
|
|
---
|
|
# Share cookies among apps with ASP.NET and ASP.NET Core
|
|
|
|
By [Rick Anderson](https://twitter.com/RickAndMSFT) and [Luke Latham](https://github.com/guardrex)
|
|
|
|
Websites often consist of individual web apps working together. To provide a single sign-on (SSO) experience, web apps within a site must share authentication cookies. To support this scenario, the data protection stack allows sharing Katana cookie authentication and ASP.NET Core cookie authentication tickets.
|
|
|
|
[View or download sample code](https://github.com/aspnet/Docs/tree/master/aspnetcore/security/cookie-sharing/sample/) ([how to download](xref:tutorials/index#how-to-download-a-sample))
|
|
|
|
The sample illustrates cookie sharing across three apps that use cookie authentication:
|
|
|
|
* ASP.NET Core 2.0 Razor Pages app without using [ASP.NET Core Identity](xref:security/authentication/identity)
|
|
* ASP.NET Core 2.0 MVC app with ASP.NET Core Identity
|
|
* ASP.NET Framework 4.6.1 MVC app with ASP.NET Identity
|
|
|
|
In the examples that follow:
|
|
|
|
* The authentication cookie name is set to a common value of `.AspNet.SharedCookie`.
|
|
* The `AuthenticationType` is set to `Identity.Application` either explicitly or by default.
|
|
* A common app name is used to enable the data protection system to share data protection keys (`SharedCookieApp`).
|
|
* `Identity.Application` is used as the authentication scheme. Whatever scheme is used, it must be used consistently *within and across* the shared cookie apps either as the default scheme or by explicitly setting it. The scheme is used when encrypting and decrypting cookies, so a consistent scheme must be used across apps.
|
|
* A common [data protection key](xref:security/data-protection/implementation/key-management) storage location is used. The sample app uses a folder named *KeyRing* at the root of the solution to hold the data protection keys.
|
|
* In the ASP.NET Core apps, [PersistKeysToFileSystem](/dotnet/api/microsoft.aspnetcore.dataprotection.dataprotectionbuilderextensions.persistkeystofilesystem) is used to set the key storage location. [SetApplicationName](/dotnet/api/microsoft.aspnetcore.dataprotection.dataprotectionbuilderextensions.setapplicationname) is used to configure a common shared app name.
|
|
* In the .NET Framework app, the cookie authentication middleware uses an implementation of [DataProtectionProvider](/dotnet/api/microsoft.aspnetcore.dataprotection.dataprotectionprovider). `DataProtectionProvider` provides data protection services for the encryption and decryption of authentication cookie payload data. The `DataProtectionProvider` instance is isolated from the data protection system used by other parts of the app.
|
|
* [DataProtectionProvider.Create(System.IO.DirectoryInfo, Action\<IDataProtectionBuilder>)](/dotnet/api/microsoft.aspnetcore.dataprotection.dataprotectionprovider.create?view=aspnetcore-2.0#Microsoft_AspNetCore_DataProtection_DataProtectionProvider_Create_System_IO_DirectoryInfo_System_Action_Microsoft_AspNetCore_DataProtection_IDataProtectionBuilder__) accepts a [DirectoryInfo](/dotnet/api/system.io.directoryinfo) to specify the location for data protection key storage. The sample app provides the path of the *KeyRing* folder to `DirectoryInfo`. [DataProtectionBuilderExtensions.SetApplicationName](/dotnet/api/microsoft.aspnetcore.dataprotection.dataprotectionbuilderextensions.setapplicationname?view=aspnetcore-2.0#Microsoft_AspNetCore_DataProtection_DataProtectionBuilderExtensions_SetApplicationName_Microsoft_AspNetCore_DataProtection_IDataProtectionBuilder_System_String_) sets the common app name.
|
|
* [DataProtectionProvider](/dotnet/api/microsoft.aspnetcore.dataprotection.dataprotectionprovider) requires the [Microsoft.AspNetCore.DataProtection.Extensions](https://www.nuget.org/packages/Microsoft.AspNetCore.DataProtection.Extensions/) NuGet package. To obtain this package for ASP.NET Core 2.0 and later apps, reference the [Microsoft.AspNetCore.All](xref:fundamentals/metapackage) metapackage. When targeting the .NET Framework, add a package reference to `Microsoft.AspNetCore.DataProtection.Extensions`.
|
|
|
|
## Share authentication cookies among ASP.NET Core apps
|
|
|
|
When using ASP.NET Core Identity:
|
|
|
|
#### [ASP.NET Core 2.x](#tab/aspnetcore2x/)
|
|
In the `ConfigureServices` method, use the [ConfigureApplicationCookie](/dotnet/api/microsoft.extensions.dependencyinjection.identityservicecollectionextensions.configureapplicationcookie) extension method to set up the data protection service for cookies.
|
|
|
|
[!code-csharp[](cookie-sharing/sample/CookieAuthWithIdentity.Core/Startup.cs?name=snippet1)]
|
|
|
|
Data protection keys and the app name must be shared among apps. In the sample apps, `GetKeyRingDirInfo` returns the common key storage location to the [PersistKeysToFileSystem](/dotnet/api/microsoft.aspnetcore.dataprotection.dataprotectionbuilderextensions.persistkeystofilesystem) method. Use [SetApplicationName](/dotnet/api/microsoft.aspnetcore.dataprotection.dataprotectionbuilderextensions.setapplicationname) to configure a common shared app name (`SharedCookieApp` in the sample). For more information, see [Configuring Data Protection](xref:security/data-protection/configuration/overview).
|
|
|
|
See the *CookieAuthWithIdentity.Core* project in the [sample code](https://github.com/aspnet/Docs/tree/master/aspnetcore/security/cookie-sharing/sample/) ([how to download](xref:tutorials/index#how-to-download-a-sample)).
|
|
|
|
#### [ASP.NET Core 1.x](#tab/aspnetcore1x/)
|
|
In the `Configure` method, use the [CookieAuthenticationOptions](/dotnet/api/microsoft.aspnetcore.builder.cookieauthenticationoptions) to set up:
|
|
|
|
* The data protection service for cookies.
|
|
* The `AuthenticationScheme` to match ASP.NET 4.x.
|
|
|
|
```csharp
|
|
app.AddIdentity<ApplicationUser, IdentityRole>(options =>
|
|
{
|
|
options.Cookies.ApplicationCookie.AuthenticationScheme =
|
|
"ApplicationCookie";
|
|
|
|
var protectionProvider =
|
|
DataProtectionProvider.Create(
|
|
new DirectoryInfo(@"PATH_TO_KEY_RING_FOLDER"));
|
|
|
|
options.Cookies.ApplicationCookie.DataProtectionProvider =
|
|
protectionProvider;
|
|
|
|
options.Cookies.ApplicationCookie.TicketDataFormat =
|
|
new TicketDataFormat(protectionProvider.CreateProtector(
|
|
"Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware",
|
|
"Cookies",
|
|
"v2"));
|
|
});
|
|
```
|
|
|
|
* * *
|
|
When using cookies directly:
|
|
|
|
#### [ASP.NET Core 2.x](#tab/aspnetcore2x/)
|
|
[!code-csharp[](cookie-sharing/sample/CookieAuth.Core/Startup.cs?name=snippet1)]
|
|
|
|
Data protection keys and the app name must be shared among apps. In the sample apps, `GetKeyRingDirInfo` returns the common key storage location to the [PersistKeysToFileSystem](/dotnet/api/microsoft.aspnetcore.dataprotection.dataprotectionbuilderextensions.persistkeystofilesystem) method. Use [SetApplicationName](/dotnet/api/microsoft.aspnetcore.dataprotection.dataprotectionbuilderextensions.setapplicationname) to configure a common shared app name (`SharedCookieApp` in the sample). For more information, see [Configuring Data Protection](xref:security/data-protection/configuration/overview).
|
|
|
|
See the *CookieAuth.Core* project in the [sample code](https://github.com/aspnet/Docs/tree/master/aspnetcore/security/cookie-sharing/sample/) ([how to download](xref:tutorials/index#how-to-download-a-sample)).
|
|
|
|
#### [ASP.NET Core 1.x](#tab/aspnetcore1x/)
|
|
```csharp
|
|
app.UseCookieAuthentication(new CookieAuthenticationOptions
|
|
{
|
|
DataProtectionProvider =
|
|
DataProtectionProvider.Create(
|
|
new DirectoryInfo(@"PATH_TO_KEY_RING_FOLDER"))
|
|
});
|
|
```
|
|
|
|
* * *
|
|
## Encrypting data protection keys at rest
|
|
|
|
For production deployments, configure the `DataProtectionProvider` to encrypt keys at rest with DPAPI or an X509Certificate. See [Key Encryption At Rest](xref:security/data-protection/implementation/key-encryption-at-rest) for more information.
|
|
|
|
# [ASP.NET Core 2.x](#tab/aspnetcore2x)
|
|
|
|
```csharp
|
|
services.AddDataProtection()
|
|
.ProtectKeysWithCertificate("thumbprint");
|
|
```
|
|
|
|
# [ASP.NET Core 1.x](#tab/aspnetcore1x)
|
|
|
|
```csharp
|
|
app.UseCookieAuthentication(new CookieAuthenticationOptions
|
|
{
|
|
DataProtectionProvider = DataProtectionProvider.Create(
|
|
new DirectoryInfo(@"PATH_TO_KEY_RING"),
|
|
configure =>
|
|
{
|
|
configure.ProtectKeysWithCertificate("thumbprint");
|
|
})
|
|
});
|
|
```
|
|
|
|
---
|
|
|
|
## Sharing authentication cookies between ASP.NET 4.x and ASP.NET Core apps
|
|
|
|
ASP.NET 4.x apps which use Katana cookie authentication middleware can be configured to generate authentication cookies that are compatible with the ASP.NET Core cookie authentication middleware. This allows upgrading a large site's individual apps piecemeal while providing a smooth SSO experience across the site.
|
|
|
|
> [!TIP]
|
|
> When an app uses Katana cookie authentication middleware, it calls `UseCookieAuthentication` in the project's *Startup.Auth.cs* file. ASP.NET 4.x web app projects created with Visual Studio 2013 and later use the Katana cookie authentication middleware by default.
|
|
|
|
> [!NOTE]
|
|
> An ASP.NET 4.x app must target .NET Framework 4.5.1 or higher. Otherwise, the necessary NuGet packages fail to install.
|
|
|
|
To share authentication cookies among ASP.NET 4.x apps and ASP.NET Core apps, configure the ASP.NET Core app as stated above, then configure the ASP.NET 4.x apps by following the steps below.
|
|
|
|
1. Install the package [Microsoft.Owin.Security.Interop](https://www.nuget.org/packages/Microsoft.Owin.Security.Interop/) into each ASP.NET 4.x app.
|
|
|
|
2. In *Startup.Auth.cs*, locate the call to `UseCookieAuthentication` and modify it as follows. Change the cookie name to match the name used by the ASP.NET Core cookie authentication middleware. Provide an instance of a `DataProtectionProvider` initialized to the common data protection key storage location. Make sure that the app name is set to the common app name used by all apps that share cookies, `SharedCookieApp` in the sample app.
|
|
|
|
#### [ASP.NET Core 2.x](#tab/aspnetcore2x/)
|
|
[!code-csharp[](cookie-sharing/sample/CookieAuthWithIdentity.NETFramework/CookieAuthWithIdentity.NETFramework/App_Start/Startup.Auth.cs?name=snippet1)]
|
|
|
|
See the *CookieAuthWithIdentity.NETFramework* project in the [sample code](https://github.com/aspnet/Docs/tree/master/aspnetcore/security/cookie-sharing/sample/) ([how to download](xref:tutorials/index#how-to-download-a-sample)).
|
|
|
|
When generating a user identity, the authentication type must match the type defined in `AuthenticationType` set with `UseCookieAuthentication`.
|
|
|
|
*Models/IdentityModels.cs*:
|
|
|
|
[!code-csharp[](cookie-sharing/sample/CookieAuthWithIdentity.NETFramework/CookieAuthWithIdentity.NETFramework/Models/IdentityModels.cs?name=snippet1)]
|
|
|
|
#### [ASP.NET Core 1.x](#tab/aspnetcore1x/)
|
|
Set the `CookieManager` to interop `ChunkingCookieManager` so the chunking format is compatible.
|
|
|
|
```csharp
|
|
app.UseCookieAuthentication(new CookieAuthenticationOptions
|
|
{
|
|
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
|
|
CookieName = ".AspNetCore.Cookies",
|
|
// CookieName = ".AspNetCore.ApplicationCookie", (if using ASP.NET Identity)
|
|
// CookiePath = "...", (if necessary)
|
|
// ...
|
|
TicketDataFormat = new AspNetTicketDataFormat(
|
|
new DataProtectorShim(
|
|
DataProtectionProvider.Create(
|
|
new DirectoryInfo(@"PATH_TO_KEY_RING_FOLDER"))
|
|
.CreateProtector(
|
|
"Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware",
|
|
"Cookies",
|
|
"v2"))),
|
|
CookieManager = new ChunkingCookieManager()
|
|
});
|
|
```
|
|
|
|
* * *
|
|
## Use a common user database
|
|
|
|
Confirm that the identity system for each app is pointed at the same user database. Otherwise, the identity system produces failures at runtime when it attempts to match the information in the authentication cookie against the information in its database.
|