
C# Forms Authentication .ASPXAUTH Cookie for SSO

I have 2 applications (one .NET and the other an Angular SPA with web services in .NET) with the same domain name. I need to enable SSO for these 2 applications. Both web.config files have the same machine key and both are enabled for Forms authentication mode.

I log in to the .NET site and present the Angular site in an iframe. When opening the iframe, the API call includes the .ASPXAUTH cookie in the request header, but HttpContext.User.Identity.Authenticated is set to false. So it returns a 404 and redirects to the login page for the Angular site within the iframe.

The auth cookie is HttpOnly, so Angular is unable to read it. But since the cookie is set in the request header, the API (.NET) method should consider it as authenticated, and it does not. Anything I am missing?

There is some information lacking to be sure to answer this question correctly, but I think this has something to do with the same-origin policy. You have to explicitly set the origin of the iframe in order for your cookie not to be recognized as a cross-site request. And therefore will not be applied by ASP.NET. Your Origin HTTP header has to be set to a valid origin and referrer.

Please also take a look at this question. It explains the same-origin policy briefly.
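
One way to see, on the API side, what happens to the .ASPXAUTH cookie described in the question. This is an added example, not code from the original post; it assumes classic ASP.NET (System.Web), and the class name, method name and messages are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper (name and messages are illustrative). Call it from the API
// application and write the result to a server-side log, never to the response.
public static class FormsTicketDiagnostics
{
    public static string Describe(HttpRequest request)
    {
        // Cookie name this application expects: <forms name="..."> (default .ASPXAUTH).
        string name = FormsAuthentication.FormsCookieName;
        HttpCookie cookie = request.Cookies[name];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return "No '" + name + "' cookie reached this app: compare <forms name>, " +
                   "path and domain in both web.config files.";

        FormsAuthenticationTicket ticket;
        try
        {
            // Validates and decrypts with this app's <machineKey> settings.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception ex)
        {
            return "Cookie present but rejected (" + ex.GetType().Name + "): compare " +
                   "every <machineKey> attribute, including algorithms and compatibilityMode.";
        }
        if (ticket == null)
            return "Cookie present but no ticket could be read from it.";
        if (ticket.Expired)
            return "Ticket expired at " + ticket.Expiration.ToString("u") + ".";

        // Ticket is good. If the request is still anonymous, the forms
        // authentication module did not process it in this application.
        return request.IsAuthenticated
            ? "Ticket valid and request authenticated."
            : "Ticket valid but request anonymous: check <authentication mode=\"Forms\"> " +
              "and that FormsAuthenticationModule is in this app's pipeline.";
    }
}
```

Each return value separates one stage: cookie delivery, ticket validation with the shared machine key, ticket lifetime, and whether the authentication module ran.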
