Simplemembership ASPXAUTH cookie validating on two separate web projects
Asked Answered
S

2

7

I am working on an ASP.NET MVC4 project using SimpleMembership, which generates an ASPXAUTH cookie when you are logged in. It seems to be working just fine, but then today I opened up another MVC4 project, only to notice that I was already logged in.

This was extremely odd, because the new project literally does not have any users defined in the database. Even more disconcerting is when I hit "log out" on the new project, it logged me out of the original site.

Both sites are running on different ports, though both on localhost. When examining the Request to see why it is returning "IsAuthenticated == true", I noticed that the ASPXAUTH cookie is being sent to both sites, and the "domain" parameter of the cookie in the debugger is "null". This made me think that perhaps the cookie is being generated as a "domain-less" cookie (I have no idea if such a thing is even possible, to be honest!), and looked at the web.config setting to specify a domain:

<authentication mode="Forms">
  <forms loginUrl="~/Account/Login" timeout="2880" domain="http://localhost:56626" />
</authentication>

Unfortunately setting the "domain" parameter has made the cookie cease working. I've tried all permutations (with http, without http, with port, without port, etc) and every time I specify a domain, the browser receives the cookie with the properly specified domain name (I examined it in Chrome developer tools), but then fails to ever send it back to the server of subsequent requests.

So, I'm pretty confused about what is happening here. Is this a security leak that I've caused by not setting something up properly somewhere? Or is it perfectly normal behavior that an ASPXAUTH cookie will authorize a user on two totally different web apps on two different ports on the same domain? I would test this on a web host but unfortunately I don't have access to any that run MVC4 at the moment.

Thanks in advance.

Slyke answered 2/1, 2013 at 3:44 Comment(1)
Check here #1612677Cubby
L
5

ASPXAUTH is the default name given to the cookie but by changing this name for each project in the Web.Config you can make it apply only to that project.

<authentication mode="Forms">
  <forms loginUrl="~/Account/Login" timeout="2880" domain="http://localhost:56626"  name=".PROJ1AUTH"/>
</authentication>
Libenson answered 22/1, 2013 at 14:3 Comment(0)
S
3

Add a Name attribute to the forms element. It will name the authcookie after the name you provide making it unique between other projects.

<authentication mode="Forms">
  <forms loginUrl="~/Account/Login" timeout="2880" name="A_UNIQUE_NAME" />
</authentication>
Subacid answered 6/2, 2013 at 19:59 Comment(1)
Works! Useful if you have 2 opened projects at the same time.Pentagon

© 2022 - 2024 — McMap. All rights reserved.