ydou

Reputation: 307

.ASPXAUTH cookie visible in firebug but can't be retrieved in C# code

I have two .NET C# projects. They will be deployed under the same domain, e.g. domain.com.

One project was created a few years ago. It's using .NET 4.0. Let's call it MAIN_1. This project uses another external project to authenticate users, which is even older (.NET 3.5). Let's call it AUTH_PROJ. I am creating a new project using MVC4 and .NET 4.5 in VS2012. Let's call it MAIN_2. MAIN_1 and MAIN_2 will be deployed under the same domain (e.g. domain.com). My goal is to have a user log in to MAIN_1 and also be authenticated in MAIN_2. I searched online and found this post http://www.codeproject.com/Articles/106439/Single-Sign-On-SSO-for-cross-domain-ASP-NET-applic very interesting and useful. I tested the single sign on by making some simple MVC projects in Visual Studio 2012 Professional:

  1. Project 1: .NET4.5 MVC4 internet project. => Website 1
  2. Project 2: same as Project 1. => Website 2
  3. Project 3: .NET 4 MVC3 internet project. => Website 3
  4. Project 4: same as Project 2. => Website 4

In these 4 projects, I added the same machine key and added domain="localhost" to forms authentication in the Web.config files.

Then I tested the single sign on. I created an account in Website 1, logged in. I opened Website 2 and it's already logged in. Cool! Same for Website 3 and 4.

But when I mixed different frameworks, nothing works.

I checked the browser cookie in Firebug. The .ASPXAUTH cookie stays there. But if the cookie is created by Project 1, and I debug Project 3, I can get all cookies except the .ASPXAUTH cookie. It seems that .ASPXAUTH depends on the framework and, although it's visible in Firefox, the other framework project can't see it.

Can anyone help me figure out why .ASPXAUTH cookie becomes invisible in C# code and is there any other way to make single sign on work please? Thank you

Upvotes: 4

Views: 1511

Answers (2)

Levi

Reputation: 32828

In your 4.5 project, try setting this configuration switch in Web.config:

<machineKey compatibilityMode="Framework20SP1" />

4.5 and 4.0 use different encryption routines for the forms auth ticket. Setting the above switch in your 4.5 project should force it to use the same routines that 4.0 does. See http://blogs.msdn.com/b/webdev/archive/2012/10/23/cryptographic-improvements-in-asp-net-4-5-pt-2.aspx for more info.

Upvotes: 4

Darin Dimitrov

Reputation: 1039130

> But when I mixed different frameworks, nothing works

That's normal. There have been changes in the encryption routines between the .NET versions due to security vulnerabilities that were discovered. So it is recommended to patch your servers using the following update.

If for some reason you cannot do so, there's a workaround which is not recommended:

<appSettings>
    <add key="aspnet:UseLegacyFormsAuthenticationTicketCompatibility" value="true" />
    <add key="aspnet:UseLegacyEncryption" value="true" />
    <add key="aspnet:UseLegacyMachineKeyEncryption" value="true" />
</appSettings>

Upvotes: 0
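An added example, not part of either answer or of the original page: a Python check that compares the Web.config settings deciding whether two apps can decrypt each other's forms-auth ticket (machine key, effective compatibilityMode, cookie domain) and lists any `aspnet:UseLegacy*` switches from the second answer that are turned on. It assumes, following the blog post linked in the first answer, that `httpRuntime targetFramework="4.5"` implies `Framework45` and that the default is otherwise `Framework20SP1`; the function names and the sample configs with placeholder keys are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _version(text):
    return tuple(int(p) for p in text.split(".") if p.isdigit()) or (0,)

def ticket_settings(web_config_xml):
    """Settings that decide whether two apps can read each other's .ASPXAUTH ticket."""
    root = ET.fromstring(web_config_xml)
    mk = getattr(root.find("system.web/machineKey"), "attrib", {})
    rt = getattr(root.find("system.web/httpRuntime"), "attrib", {})
    forms = getattr(root.find("system.web/authentication/forms"), "attrib", {})
    # Assumption: targetFramework >= 4.5 opts in to Framework45 unless
    # compatibilityMode is set explicitly; otherwise Framework20SP1 applies.
    implied = "Framework45" if _version(rt.get("targetFramework", "")) >= (4, 5) else "Framework20SP1"
    return {
        "validationKey": mk.get("validationKey", "AutoGenerate"),
        "decryptionKey": mk.get("decryptionKey", "AutoGenerate"),
        "compatibilityMode": mk.get("compatibilityMode", implied),
        "cookieDomain": forms.get("domain", ""),
    }

def mismatches(a_xml, b_xml):
    """Names of settings that differ; auto-generated keys never match across apps."""
    a, b = ticket_settings(a_xml), ticket_settings(b_xml)
    return sorted(k for k in a if a[k] != b[k] or a[k].startswith("AutoGenerate"))

def legacy_switches(web_config_xml):
    """appSettings keys of the aspnet:UseLegacy* family that are switched on."""
    adds = ET.fromstring(web_config_xml).findall("appSettings/add")
    return [e.get("key") for e in adds if e.get("key", "").startswith("aspnet:UseLegacy")
            and e.get("value", "").lower() == "true"]

def sample(runtime="", mode="", app_settings=""):
    """Constructed Web.config; the key values are placeholders, not real keys."""
    return f"""<configuration>
  <appSettings>{app_settings}</appSettings>
  <system.web>{runtime}
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY" {mode}/>
    <authentication mode="Forms"><forms domain="localhost" /></authentication>
  </system.web>
</configuration>"""

SITE_40 = sample()
SITE_45 = sample(runtime='<httpRuntime targetFramework="4.5" />')
SITE_45_COMPAT = sample('<httpRuntime targetFramework="4.5" />', 'compatibilityMode="Framework20SP1"')
SITE_LEGACY = sample(app_settings='<add key="aspnet:UseLegacyEncryption" value="true" />')

if __name__ == "__main__":
    print(mismatches(SITE_40, SITE_45), mismatches(SITE_40, SITE_45_COMPAT), legacy_switches(SITE_LEGACY))
```

An empty `mismatches` result means the two sites agree on everything this check inspects; any enabled legacy switch is worth reviewing, since the second answer describes that workaround as not recommended.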
