Description
Describe the bug
Start migrating an ASP.NET project to ASP.NET Core using SystemWeb adapters. Initially the Auth controller is on the Framework side and some controllers are moved from Framework to Core. In this scenario the auth cookie is created by Framework, and the controllers that have already moved to Core are able to authenticate by using the SystemWeb adapters' Authentication Client and Server. So far so good.
Then you move the Auth controller over to Core while some controllers still remain on the Framework side. The auth cookie is now created by the .NET Core side. When we now call the controllers on the Framework side, those can't authenticate anymore even if the user has already logged in. It seems like Framework has no ability to parse the auth cookie created by .NET Core.
This means that in the migration journey, we have to wait until the very end to migrate the Auth controller, but this may not always be feasible. Sometimes the Auth controller has additional concerns attached to it that require it to be migrated as a priority.
To Reproduce
Here is what my Program.cs on the .NET Core side looks like once Auth has been migrated but some other controllers are still on the Framework side:

```csharp
builder.Services.AddSystemWebAdapters()
    .AddJsonSessionSerializer(options =>
    {
        options.RegisterKey<string>("<snip>");
    })
    .AddRemoteAppClient(options =>
    {
        options.RemoteAppUrl = new(builder.Configuration["ProxyTo"]);
        options.ApiKey = builder.Configuration["ProxyApiKey"];
    })
    .AddAuthenticationClient(isDefaultScheme: true)
    .AddSessionClient();

builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.LoginPath = "/Account/Login"; // Redirect to login page
    });

builder.Services.AddAuthorization();

app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.UseSystemWebAdapters();

builder.Services.AddSession(options =>
{
    options.IdleTimeout = TimeSpan.FromMinutes(30); // Set session timeout
    options.Cookie.HttpOnly = true; // Protect from JavaScript access
    options.Cookie.IsEssential = true; // Required for GDPR compliance
});

app.MapForwarder("/{**catch-all}", app.Configuration["ProxyTo"], forwarderRequestConfig)
    .Add(static builder => ((RouteEndpointBuilder)builder).Order = int.MaxValue);
```
My global.asax.cs looks like this:

```csharp
protected void Application_Start()
{
    ApiSetup.Run();
    WebSetup.Run();

    string timestamp = DateTime.Now.ToString("yyyy-MM-dd_HH-mm-ss");
    Trace.Listeners.Add(new TextWriterTraceListener(Path.Combine(@"C:\WebLogs", $"logfile-{timestamp}.txt")));
    Trace.AutoFlush = true;
    Trace.WriteLine("Application Started");

    SystemWebAdapterConfiguration.AddSystemWebAdapters(this)
        .AddJsonSessionSerializer(options =>
        {
            options.RegisterKey<string>("<snip>");
        })
        .AddRemoteAppServer(options =>
        {
            options.ApiKey = ConfigurationManager.AppSettings["ProxyApiKey"];
        })
        .AddAuthenticationServer()
        .AddSessionServer();
}
```
Exceptions (if any)
I am not totally sure about this because I have not done exhaustive testing, but I have noticed that controllers of type System.Web.Http.ApiController on the .NET Framework side are the ones that fail auth, while the controllers of type System.Web.Mvc.Controller seem to be working fine.
Further technical details
Please include the following if applicable:
ASP.NET Framework Application:
- Technologies and versions used (i.e. MVC/WebForms/etc): MVC
- .NET Framework Version: 4.8
- IIS Version:
- Windows Version:
ASP.NET Core Application: MVC
- Targeted .NET version: 8.0
- .NET SDK version: 8.0