SSO Cookie no longer working R6 - R8 upgrade

Post by owain.jones@cmc.ca » Tue Nov 18, 2014 7:07 am

Hi,

We just updated our installation from Gold R6 to R8 and everything seems to be running ok when the session is authenticated, but our SSO is no longer working.

I noticed in the release notes for R8:
[AC8-2520] - Cookies need to be unique for stores

This could have an effect on the SSO we are using.

Basically, our main website is on the same web server as AbleCommerce, and we use the same <machineKey> entry in both web.configs so the other web application can create the auth cookie for AbleCommerce.

This was working fine before, but now, when I have this setting in place, AbleCommerce does not like the auth cookie that is created (length 265 using SHA1), and even though the <machineKey> settings are the same in AbleCommerce's web.config, it creates a cookie that is different (length 201) and cannot be validated from the other website.

Could somebody confirm if there was a change to the way Able handles forms authentication (i.e. doesn't use what is in web.config) and please let me know a workaround?

Thanks,
Owain

Re: SSO Cookie no longer working R6 - R8 upgrade

Post by mazhar » Tue Nov 18, 2014 8:54 am

[AC8-2520] - Cookies need to be unique for stores
In this issue we updated the cookie to have "ACGOLD." instead of "AC7." in it. You can either update your SSO code to make the cookie use ACGOLD instead of AC7, or revert the cookie updates in AbleCommerce.

Two files were modified for this update: Web.config and Global.asax. The following are the updates we made under this issue.

Global.asax

In Gold R6

    HttpCookie authCookie = Response.Cookies["AC7.ASPXAUTH"];
    if (authCookie != null) authCookie.Expires = DateTime.Now.AddYears(-1);
    HttpCookie anonCookie = Response.Cookies["AC7.ASPXANONYMOUS"];
    if (anonCookie != null) anonCookie.Expires = DateTime.Now.AddYears(-1);
    HttpCookie sessionCookie = Response.Cookies["AC7.SESSIONID"];

In Gold R8

    HttpCookie authCookie = Response.Cookies["ACGOLD.ASPXAUTH"];
    if (authCookie != null) authCookie.Expires = DateTime.Now.AddYears(-1);
    HttpCookie anonCookie = Response.Cookies["ACGOLD.ASPXANONYMOUS"];
    if (anonCookie != null) anonCookie.Expires = DateTime.Now.AddYears(-1);
    HttpCookie sessionCookie = Response.Cookies["ACGOLD.SESSIONID"];

Web.config

In Gold R6

    <authentication mode="Forms">
      <forms timeout="90" slidingExpiration="true" name="AC7.ASPXAUTH"/>
    </authentication>
    <sessionState mode="InProc" timeout="30" cookieName="AC7.SESSIONID"/>

In Gold R8

    <authentication mode="Forms">
      <forms timeout="90" slidingExpiration="true" name="ACGOLD.ASPXAUTH"/>
    </authentication>
    <sessionState mode="InProc" timeout="30" cookieName="ACGOLD.SESSIONID"/>

Re: SSO Cookie no longer working R6 - R8 upgrade

Post by owain.jones@cmc.ca » Tue Nov 18, 2014 9:13 am

Hi Mazhar,

I don't think that is the issue since in my upgrade I merged in the changes and so I kept the authentication cookie name constant.

Has there been any change to the login process between R6 and R8? I ask because again the encrypted cookie length is different so that suggests to me that there may be some encryption happening that is different and that I cannot see.

Owain

Re: SSO Cookie no longer working R6 - R8 upgrade

Post by owain.jones@cmc.ca » Tue Nov 18, 2014 10:39 am

Problem solved!

According to this post: http://blogs.msdn.com/b/webdev/archive/ ... -pt-2.aspx

There were changes to the way forms authentication encryption works in .NET 4.5, so even though the <machineKey> settings were the same on the two websites (main website and AbleCommerce), there were differences in the .NET process. To make sure that the authentication works, I added compatibilityMode="Framework20SP2" to each of the <machineKey> settings, and it works now.

Owain
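
The mismatch this thread ends on can be caught before deployment by comparing the two web.config files. The script below is an added example, not part of the thread or of AbleCommerce: it reports which ticket-related settings differ between two configs, by name only so key material is never printed. The sample configs, placeholder key values, helper names, and the rule that an unset compatibilityMode follows `httpRuntime targetFramework` are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragments; key values are placeholders, not real keys.
MACHINE_KEY = ('<machineKey validationKey="PLACEHOLDER_VALIDATION_KEY" '
               'decryptionKey="PLACEHOLDER_DECRYPTION_KEY" validation="SHA1"/>')
FORMS = ('<authentication mode="Forms">'
         '<forms timeout="90" slidingExpiration="true" name="AC7.ASPXAUTH"/></authentication>')
MAIN_SITE = f"<configuration><system.web>{MACHINE_KEY}{FORMS}</system.web></configuration>"
STORE = ('<configuration><system.web><httpRuntime targetFramework="4.5"/>'
         f"{MACHINE_KEY}{FORMS}</system.web></configuration>")

def pin_mode(config_xml, mode="Framework20SP2"):
    """Return the config with compatibilityMode set explicitly on <machineKey>."""
    return config_xml.replace("<machineKey ", f'<machineKey compatibilityMode="{mode}" ')

def ticket_settings(config_xml):
    """Collect the settings both apps must agree on to share an auth ticket."""
    root = ET.fromstring(config_xml)
    def attrs(tag):
        node = next(root.iter(tag), None)
        return node.attrib if node is not None else {}
    key, forms, runtime = attrs("machineKey"), attrs("forms"), attrs("httpRuntime")
    mode = key.get("compatibilityMode")
    if mode is None:
        # Assumption: with no explicit mode, targetFramework >= 4.5 selects
        # Framework45; otherwise the legacy default Framework20SP1 applies.
        target = runtime.get("targetFramework", "0")
        version = tuple(int(p) for p in target.split(".")[:2])
        mode = "Framework45" if version >= (4, 5) else "Framework20SP1"
    return {
        "cookieName": forms.get("name", ".ASPXAUTH"),
        "validationKey": key.get("validationKey", "(unset)"),
        "decryptionKey": key.get("decryptionKey", "(unset)"),
        "validation": key.get("validation", "(unset)"),
        "decryption": key.get("decryption", "(unset)"),
        "compatibilityMode": mode,
    }

def mismatches(a_xml, b_xml):
    """Names (never values) of settings that differ between two configs."""
    a, b = ticket_settings(a_xml), ticket_settings(b_xml)
    return sorted(name for name in a if a[name] != b[name])

if __name__ == "__main__":
    print("before:", mismatches(MAIN_SITE, STORE))
    print("after: ", mismatches(pin_mode(MAIN_SITE), pin_mode(STORE)))
```

With the constructed samples, the keys and cookie name match but the effective compatibility mode does not, which is the situation described above where identical machineKey values still produce tickets the other site cannot validate.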