aspnet/Security

Sharing Cookies between Web Applications

Closed this issue · 4 comments

Hi, I've been following the Documentation on Sharing Cookies between Web Applications here: https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/compatibility/cookie-sharing

I have it working, however, instead of doing the following (like the docs mention):

```csharp
// AddIdentity extends IServiceCollection, so it belongs in ConfigureServices
// (the snippet originally used `app.`, which has no such method).
services.AddIdentity<ApplicationUser, IdentityRole>(options =>
{
    options.Cookies.ApplicationCookie.AuthenticationScheme = "ApplicationCookie";
    // Key ring on a directory every application can reach.
    options.Cookies.ApplicationCookie.DataProtectionProvider =
        DataProtectionProvider.Create(new DirectoryInfo(@"c:\shared-auth-ticket-keys\"));
});
```

I've actually implemented it in the following way:

```csharp
// Same correction as above: AddIdentity is an IServiceCollection extension.
services.AddIdentity<ApplicationUser, IdentityRole>(options =>
{
    options.Cookies.ApplicationCookie.AuthenticationScheme = "ApplicationCookie";
    // Only the application name is supplied; key storage stays at the default location.
    options.Cookies.ApplicationCookie.DataProtectionProvider =
        DataProtectionProvider.Create("MyApplication");
});
```

I chose this way of implementing because I do not have a shared drive between Web Applications in Azure. However, I'm now unsure of the security of this implementation. Is having that common string in the code a security risk?

Also, as the documentation is a little "light", is there another way I should be doing this?
Thanks
Ryan

You're better off configuring DataProtection centrally in DI as shown here:
https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview

Having a single shared string is very weak, and breaks users if you ever have to change it. Check out https://github.com/aspnet/DataProtection for some samples, alternate sharing sources, etc.

I have a follow-on question along the same lines and I wasn't sure if this should be a new thread or not. It seems relevant to the OP, which is why I put it here. We are using Service Fabric for our web apps and, based on the samples and documentation you provided, we are planning to use blob storage for the data protection keys as follows so all web servers are on the same page.

```csharp
serviceCollection.AddDataProtection()
    .PersistKeysToAzureBlobStorage(container, "keys.xml");
```

Is it then also recommended to secure those keys as detailed by one of these methods?
My assumption is yes.

```csharp
.ProtectKeysWithCertificate("thumbprint");
```

Given we are in Service Fabric, I'm thinking the best option is X.509, which leads to my question. What happens when the cert expires? We will obviously renew the cert ahead of time, but won't the updated cert cause the keys to be unobtainable?
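The following is an added example, not code from this thread, from aspnet/Security or from the ASP.NET Core documentation. It puts together the two configurations discussed above: the central DI setup Tratcher recommends in place of `DataProtectionProvider.Create("MyApplication")`, and the blob-storage key ring plus certificate protection from the preceding post, with the Identity cookie left to resolve the provider from DI. It assumes the ASP.NET Core 1.x Identity API used in the thread, the Microsoft.AspNetCore.DataProtection.AzureStorage and WindowsAzure.Storage packages, an `ApplicationDbContext` type, and placeholder values for the environment variable name, container name, application name, cookie name and thumbprint.

```csharp
// Added example (not from the thread): Data Protection configured once, centrally
// in DI, shared by every application that must read the same cookie.
// Assumed: ASP.NET Core 1.x Identity API, Microsoft.AspNetCore.DataProtection.AzureStorage,
// WindowsAzure.Storage, ApplicationDbContext, and all placeholder names/values below.
using System;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.WindowsAzure.Storage;
using Microsoft.WindowsAzure.Storage.Blob;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // The storage credential comes from the host's settings (placeholder variable
        // name), not from source control; only the key-ring container needs it.
        var account = CloudStorageAccount.Parse(
            Environment.GetEnvironmentVariable("AZURE_STORAGE_CONNECTION_STRING"));
        var container = account.CreateCloudBlobClient()
            .GetContainerReference("dataprotection-keys");   // placeholder container name
        container.CreateIfNotExistsAsync().GetAwaiter().GetResult();

        // Every application that shares the cookie runs this identical block.
        services.AddDataProtection()
            // Same application name => same isolation purpose in the key ring.
            // This is all DataProtectionProvider.Create("MyApplication") achieved;
            // it did not give the other application a key store it could reach.
            .SetApplicationName("SharedCookieApp")
            // One key ring every instance of every application can read and write.
            .PersistKeysToAzureBlobStorage(container, "keys.xml")
            // Keys written to shared storage are encrypted at rest with a certificate
            // whose private key is installed on every node (placeholder thumbprint).
            .ProtectKeysWithCertificate("0123456789ABCDEF0123456789ABCDEF01234567");

        services.AddIdentity<ApplicationUser, IdentityRole>(options =>
        {
            // Scheme and cookie name must match across applications: the scheme is
            // part of the data-protection purpose string, the name is how the browser
            // cookie is located.
            options.Cookies.ApplicationCookie.AuthenticationScheme = "ApplicationCookie";
            options.Cookies.ApplicationCookie.CookieName = ".AspNet.SharedCookie";
            // DataProtectionProvider is deliberately left unset: the cookie middleware
            // then takes IDataProtectionProvider from DI, i.e. the provider built above.
        })
        .AddEntityFrameworkStores<ApplicationDbContext>()
        .AddDefaultTokenProviders();
    }
}
```

Two consequences worth keeping in mind. First, any process that can read the blob and use the certificate's private key can mint authentication tickets for every application in the group, so the storage credential should be scoped to that one container and the certificate should not be exportable from the web nodes. Second, because the key ring rather than a hard-coded string is now the shared secret, an individual key can be revoked through the key manager without changing application code or logging every user out at once, which is the weakness Tratcher points out in the single-string approach.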

@RickBlouch Interesting question. Please open a new issue in https://github.com/aspnet/DataProtection about the certificate rotation process.

@Tratcher thanks!

@RickBlouch - I'm also interested in this and will be interested to read the comments in the issue you open