urgent: sharing auth cookies between my root site and blogengine.net (sub Virtual Application)

Topics: ASP.NET 2.0
Apr 12, 2013 at 4:40 AM
I have configured both so that they use the same membership/role provider in SQL. This works great and as expected. However, a forms auth cookie in one is not honored by the other. I have EXACTLY this situation described below:


But the remedy described in that post does not help me. Yes, I have the 2.7 source code and can build properly. I made the modifications necessary to keep the cookie names the same and use the same machine key, the minor source code mods, etc. But cookies created in one are still not honored by the other app.

Please help if you can! :)
Apr 12, 2013 at 4:50 PM

.NET 4.5 and .NET 4.0 have incompatible forms auth encryption techniques. All the articles on MSDN regarding sharing forms auth tickets are moot if one app is running under .NET 4.5 and the other is running under .NET 4.0. In this case, you have to instruct the .NET 4.5 app to be backwards compatible using a new web.config attribute on machineKey.
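
Added example, not part of the thread and not BlogEngine.NET code: a Python check that compares the settings two apps must agree on to read each other's forms auth ticket, including the machineKey compatibilityMode attribute that ASP.NET 4.5 provides for the 4.0/4.5 mismatch described above. The sample configs, the key placeholders, and the function names are constructed, and deriving the effective mode from httpRuntime targetFramework is a simplifying assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not from the thread); key values are placeholders.
TEMPLATE = """<configuration><system.web>
  <httpRuntime {runtime}/>
  <authentication mode="Forms"><forms name=".SHAREDAUTH" path="/"/></authentication>
  <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
              decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
              validation="SHA1" decryption="AES" {extra}/>
</system.web></configuration>"""
ROOT_APP = TEMPLATE.format(runtime='targetFramework="4.5"', extra="")  # .NET 4.5 app
BLOG_APP = TEMPLATE.format(runtime="", extra="")                        # .NET 4.0 app
ROOT_APP_FIXED = TEMPLATE.format(runtime='targetFramework="4.5"',
                                 extra='compatibilityMode="Framework20SP1"')

def ticket_settings(config_xml):
    """Return the web.config settings both apps must agree on to share a ticket."""
    web = ET.fromstring(config_xml).find("system.web")
    attrs = {}
    for path in ("authentication/forms", "machineKey", "httpRuntime"):
        node = web.find(path)
        attrs[path] = node.attrib if node is not None else {}
    forms, key, runtime = (attrs["authentication/forms"], attrs["machineKey"],
                           attrs["httpRuntime"])
    # Assumption: an explicit compatibilityMode wins; otherwise targetFramework
    # 4.5 implies Framework45 and anything else falls back to Framework20SP1.
    mode = key.get("compatibilityMode") or (
        "Framework45" if runtime.get("targetFramework", "").startswith("4.5")
        else "Framework20SP1")
    settings = {"forms.name": forms.get("name", ".ASPXAUTH"),
                "forms.path": forms.get("path", "/"),
                "machineKey.compatibilityMode": mode}
    for name in ("validationKey", "decryptionKey", "validation", "decryption"):
        settings["machineKey." + name] = key.get(name, "(not set)")
    return settings

def sharing_problems(config_a, config_b):
    """List every reason a ticket issued by one app would be rejected by the other."""
    a, b = ticket_settings(config_a), ticket_settings(config_b)
    problems = []
    for name in sorted(a):
        if a[name] != b[name]:
            # Never echo key material into a report; only say that it differs.
            shown = "values differ" if name.endswith("Key") else f"{a[name]} != {b[name]}"
            problems.append(f"{name}: {shown}")
    for name in ("machineKey.validationKey", "machineKey.decryptionKey"):
        for label, cfg in (("first", a), ("second", b)):
            if cfg[name] == "(not set)" or "AutoGenerate" in cfg[name]:
                problems.append(f"{name}: {label} app has no explicit key")
    return problems
```

Calling `sharing_problems(ROOT_APP, BLOG_APP)` reports only the compatibility-mode mismatch, and `sharing_problems(ROOT_APP_FIXED, BLOG_APP)` returns an empty list.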

May 24, 2013 at 9:29 PM

My pull request to allow compatible auth cookies between BE and another App using the same MembershipProvider and machineKey settings (described in the OP) has been accepted. To configure the behavior in the OP, you would set BlogEngine.SingleSignOn = true in the web.config.
Sep 12, 2013 at 11:54 AM

I am a bit of a novice, but how do you set BlogEngine.SingleSignOn = true? What specific code do you add to web.config? Thanks, Ken
Sep 12, 2013 at 2:28 PM
In the Web.Config file, you'll see entries like this nested in the <appSettings> section:
<add key="BlogEngine.VirtualPath" value="~/"/>
So you would add the following entry:
<add key="BlogEngine.SingleSignOn" value="true"/>
Dec 10, 2013 at 2:36 PM
Is this compatible with BE 2.8? I have set this key but still no luck with single sign-on.
Dec 10, 2013 at 5:05 PM
Edited Dec 10, 2013 at 5:05 PM
bperniciaro wrote:
Is this compatible with BE 2.8? I have set this key but still no luck with single sign-on.
My understanding is that it was indeed merged into BE 2.8, but I will confirm. Please read the first two posts in this thread (that reference stackoverflow questions). Completely ignoring BE, it's a pretty fragile affair.

Did you get shared auth cookies to work across two web sites independent of BE?
Dec 11, 2013 at 3:01 AM
Yes, I also have ASPPlayground forum software installed as a sub-application to my primary application and am able to share authentication across these two applications, so I'm fairly certain that I have the proper web.config settings. I will double-check though to be certain.

I had single sign-on working with BE 2.5 I believe, but it stopped working at some point after that.
Dec 11, 2013 at 1:03 PM
Thanks for pointing me in the right direction asok1421! While adding the key didn't fix the problem, modifying the source according to the Stack Overflow thread definitely got me closer to my goal.

I can now log in through the blog and both my main site and the forum will recognize the cookie, or I can log in through my forum and both my main site and blog will recognize the cookie (which is ultimately what I need). I still can't log in through my main site and have the blog recognize the cookie, although the forum does, so something is still amiss. But that use case probably isn't relevant anyway.

It would definitely be beneficial to have an administration-level setting to allow this configuration. Maybe I'm wrong, but I would think the vast majority of users will be operating this blog as a single, stand-alone instance vs multiple instances. Not having single sign-on capability is just a killer.

Thanks again for the update as this was a massive hurdle for me.

Dec 11, 2013 at 6:03 PM
The Web.Config settings ought to effectively trigger the code that you manually modified per the Stack Overflow posting. That was the bulk of my pull request. Let me check on the latest checked-in source.

Dec 11, 2013 at 6:20 PM
My pull request was accepted and merged into the main trunk, then at some point got clobbered, so it is NOT in 2.8.

Here is the change that you are looking for:

Dec 11, 2013 at 6:36 PM
Edited Dec 11, 2013 at 6:40 PM
I certainly didn't make all of those changes, so maybe that's why my solution is only partially working. Stupid question, but I assume all code with the red background is supposed to be removed?

Hopefully this is re-integrated at some point. Thanks again for the help.
Dec 11, 2013 at 6:42 PM
Yes, the red code is removed code. I started another thread regarding the clobbered pull requests. Good luck!