aspnet / Security

[Archived] Middleware for security and authorization of web apps. Project moved to https://github.com/aspnet/AspNetCore
Apache License 2.0

Cookie Authentication for sub apps under IIS site #545

Closed rasitha1 closed 8 years ago

rasitha1 commented 8 years ago

re: CookieAuthentication - Is there a way to change the default behavior to handle the following scenario?

Example: I have two apps hosted under the same site in IIS: https://apps.mydomain.com/app1 https://apps.mydomain.com/app2

Since there's only one cookie (.AspNet.Cookies), and it's at the site (/) level, when users switch between app1 and app2 they have to get re-authenticated. (In my scenario, users get authenticated by the same source, but each app issues additional claims when users sign in.) The workaround I have used is to set the cookie name, but I was wondering if there's a better way to handle that right in the framework?

PS: the code I have is using OWIN, but I assume the same limitation is here, just from quickly looking at the code.

Thanks!

brockallen commented 8 years ago

Why not set the cookie path in the config?

rasitha1 commented 8 years ago

That didn't work because if the user types in a URL that differs (case-wise) from what I've set, browsers don't send the cookie with the request. So users will get redirected to authentication.

If that wasn't an issue, that would be my first preference too, because then only the cookie that is specific to the app goes with the request. With the current approach, in the worst case (where a user is accessing ALL sub apps in the same browser session), the request will have cookies from all apps.

Do I have any better options than to say (1) try to use a single IIS site per app and (2) minimize the number of sub apps you add under a site?

brockallen commented 8 years ago

The other option is to change the cookie name :)

One thing I'm confused on -- do you want to share the cookie or not?

rasitha1 commented 8 years ago

My workaround right now is to set the cookie name. That's why I opened the question here, asking if that should be done by default in the framework or if there are better ways. We have many small apps that make up our ERP system, and we have a layer of code shared in all apps that is filling gaps such as these and also using some of the internal conventions.

In this case, I don't want the cookie to be shared because each app injects additional claims specific to the app and they are stored in the cookie.

As we are discussing this, I'm thinking that if we go to a SessionStore, then sharing the cookie might be an option, and each app instance would have a different Principal in the store for the same key in the cookie. I don't know if two app domains will create the same cookie value, provided the machine key is set at the site level.

Tratcher commented 8 years ago

Other workaround: write a middleware that redirects if the path casing is incorrect. E.g. redirect to lower case.

Tratcher commented 8 years ago

This is an inherent limitation of cookies; there's nothing we can do about it from the server side.
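As an added example (not code from this thread or from the aspnet/Security project), here is an ASP.NET Core 2.x `Startup` that combines the two workarounds discussed above: a per-app cookie name and path, plus a small middleware that redirects a wrongly-cased base path (e.g. `/App1/...`) to the canonical `/app1/...` before authentication runs, so the path-scoped cookie is actually sent. The app path `/app1` and the cookie name are assumed values.

```csharp
using System;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Features;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Assumption: this sub app is deployed under the IIS virtual path "/app1".
    private const string AppPath = "/app1";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                // Per-app name: app1's claims never land in app2's cookie (the thread's workaround).
                options.Cookie.Name = ".AspNetCore.Cookies.app1";
                // Per-app path: only this app's cookie travels with the request. Browsers match
                // Path case-sensitively, which is why the redirect middleware below is needed.
                options.Cookie.Path = AppPath;
                options.Cookie.HttpOnly = true;
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            });
    }

    public void Configure(IApplicationBuilder app)
    {
        // Canonicalise the base path casing before authentication (Tratcher's suggestion).
        // RawTarget is the request target exactly as the client sent it.
        app.Use(async (context, next) =>
        {
            string raw = context.Features.Get<IHttpRequestFeature>()?.RawTarget ?? string.Empty;
            bool looksLikeApp = raw.StartsWith(AppPath, StringComparison.OrdinalIgnoreCase)
                && (raw.Length == AppPath.Length || raw[AppPath.Length] == '/' || raw[AppPath.Length] == '?');
            if (looksLikeApp && !raw.StartsWith(AppPath, StringComparison.Ordinal))
            {
                // e.g. "/App1/orders?x=1" -> "/app1/orders?x=1"; the rest of the target is kept as typed.
                context.Response.Redirect(AppPath + raw.Substring(AppPath.Length), permanent: true);
                return;
            }
            await next();
        });

        app.UseAuthentication();
        // MVC / endpoint registration follows here.
    }
}
```

The redirect only fixes the base segment, so a cookie Path of `/app1` is honoured regardless of how the user typed it; deeper path segments are left untouched because they do not affect cookie matching.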