Dave

Reputation: 4048

C# Forms Authentication .ASPXAUTH Cookie for SSO

I have 2 applications (one .NET and the other an Angular SPA with web services in .NET) with the same domain name. I need to enable SSO for these 2 applications. Both web.config files have the same machine key and both are enabled for Forms authentication mode.

I log in to the .NET site and present the Angular site in an iframe. When the iframe opens, the API call includes the .ASPXAUTH cookie in the request header, but HttpContext.User.Identity.IsAuthenticated is set to false. So it returns a 404 and redirects to the login page for the Angular site within the iframe.

The auth cookie is HttpOnly, so Angular is unable to read it. But since the cookie is sent in the request header, the API (.NET) method should consider the request authenticated, and it does not. Is there anything I am missing?

Upvotes: 6

Views: 1485

Answers (1)

Dibran

Reputation: 1555

There is some information lacking to be sure of answering this question correctly, but I think this has something to do with the same-origin policy. You have to explicitly set the origin of the iframe so that your cookie is not treated as part of a cross-site request, which ASP.NET will otherwise not apply. Your Origin HTTP header has to be set to a valid origin and referrer.

Please also take a look at this question. It explains the same-origin policy briefly.

Upvotes: 2
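A diagnostic helper, added here as an example and not code from either poster, that separates the three failure modes behind the symptom in the question: the browser never attached the cookie, the cookie arrived but this app cannot decrypt or validate it (machineKey or cookie protection mismatch between the two web.configs), or it decrypted but the ticket is expired. The class and method names are hypothetical; it assumes full-framework ASP.NET with System.Web and is meant to be called from an API endpoint or Global.asax handler in the .NET web-services project.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical diagnostic helper (added example). Call Diagnose(new HttpRequestWrapper(Request))
// from the API that is unexpectedly seeing IsAuthenticated == false.
public static class FormsAuthCookieDiagnostics
{
    public static string Diagnose(HttpRequestBase request)
    {
        // 1. Was the cookie sent at all? If not, the browser did not attach it to the
        //    iframe's request: typically a <forms name/domain/path> mismatch between
        //    the two apps, or a SameSite restriction on the framed request.
        string cookieName = FormsAuthentication.FormsCookieName; // ".ASPXAUTH" by default
        HttpCookie cookie = request.Cookies[cookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return "No '" + cookieName + "' cookie in request; check <forms name/domain/path> in both web.configs.";

        // 2. Can this app decrypt and validate the ticket? Failure here means the two
        //    apps do not share identical machineKey validation/decryption settings, or
        //    the ticket was issued with a different <forms protection> mode.
        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception ex) // older framework versions throw instead of returning null
        {
            return "Cookie present but Decrypt threw " + ex.GetType().Name + "; machineKey mismatch?";
        }
        if (ticket == null)
            return "Cookie present but could not be decrypted or validated; machineKey mismatch?";

        // 3. The ticket is readable; FormsAuthenticationModule still rejects an expired one.
        if (ticket.Expired)
            return "Ticket for '" + ticket.Name + "' expired at " + ticket.Expiration.ToString("u") + ".";

        return "Ticket valid for '" + ticket.Name + "' (issued " + ticket.IssueDate.ToString("u")
             + ", path '" + ticket.CookiePath + "'); the identity should be authenticated.";
    }
}
```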
