ASP.NET OWIN integration: request for clarification of the app.UseCookieAuthentication call

My ASP.NET site was integrated successfully with Auth0, and followed the code sample here: ASP.NET (OWIN) - Auth0 Docs. Login & logout worked correctly. At that time it was on .NET Fmk 4.7.2 & using Microsoft.Owin.X nugets version 4.2.2 and Microsoft.IdentityModel.X nugets version 5.7.0.

I then upgraded it to run under .NET Fmk 4.8 and updated Microsoft.Owin.X nugets to version 4.2.3 and Microsoft.IdentityModel.X nugets to version 8.4.0.

At this point the login flow stopped working … the site would redirect to Auth0, authentication completed OK in Auth0 and returned the user to the site, the site handled the redirect, read the claims etc., and attempted to log the user in (by setting a Forms Authentication ticket cookie). However, the Forms Authentication cookie was dropped by the browser (see below) and the user was not logged in, leading them to be redirected back to Auth0 and back in an endless loop.

I figured out a solution, and think I understand why it works, but I'm not sure if I have thrown out something valuable in the process.

In the original code, OWIN was configured to use cookie authentication as below (similar to here: ASP.NET (OWIN) - Auth0 Docs):

    // Identity signed in by the OIDC middleware is handed to this authentication type
    app.SetDefaultSignInAsAuthenticationType(Constants.AUTH_TYPE);
    // Cookie middleware: issues its own session cookie after sign-in and rebuilds the
    // identity from it on later requests
    app.UseCookieAuthentication(
        new CookieAuthenticationOptions
        {
            AuthenticationType = Constants.AUTH_TYPE,
            CookieName = Constants.AUTH_COOKIE_NAME, // same name as the Forms Authentication ticket cookie
        });

The CookieName was set to the same name as the site’s Forms Authentication ticket cookie.

This worked OK, but after the upgrade I noticed that in the redirect from Auth0, there were 2 set-cookie headers for this cookie, then one would be dropped. I think one was set by OWIN, and one was set by my code to log the user into the site.

So basically the problem was that now there are 2 systems issuing cookies with the same name, in the same response, with different semantics. The browser kept only one, and not the one the site recognised for its authentication.

I played around for a long time with the SameSite settings and different CookieManager classes, but in the end the only thing that worked was to remove the app.UseCookieAuthentication call entirely. This stopped the duplicate cookies being issued, and the login & logout functionality is restored.

My only questions are: what was the purpose of the app.UseCookieAuthentication call as it is recommended in the documentation? Have I lost something, or is there no other solution if using Forms Authentication in the site?

Many thanks for any insight.

Hi @lneville

Welcome to the Auth0 Community!

If I am not mistaken, once you have integrated OWIN in your ASP.NET application, you would not need to rely on or use the FormsAuthentication model to handle the session. By removing the cookie set by app.UseCookieAuthentication you only stopped the redundancy of the same cookie being applied twice and resolved the conflict where the browser was not able to handle them, resulting in the issue that you were experiencing.

Also, I noticed that in the documentation you linked, there are no additional cookies being set with app.UseCookieAuthentication, most probably to avoid the issue you stated above if they were being set by a legacy model (FormsAuthentication in your case).

Since you have integrated OWIN, I believe you should not be using any other manual calls to FormsAuthentication and rely only on OWIN's app.UseCookieAuthentication for session management in combination with the OIDC middleware. Of course, this might require significant refactoring of your application if it was built and still relies on FormsAuthentication. However, removing the redundant cookie will not affect your application since you are basically using the modern OWIN authentication pipeline with the legacy sessions of FormsAuthentication.

If you have any other questions, let me know!

Kind Regards,
Nik

1 Like
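As an added example (not the poster's code and not Auth0's sample), here is what an OWIN-only pipeline for this setup looks like: the cookie middleware is the session store, the OIDC middleware signs the user into it, and no FormsAuthentication call is made anywhere. It assumes Constants.AUTH_TYPE and Constants.AUTH_COOKIE_NAME from the post, a cookie name that differs from the Forms Authentication ticket name, and placeholder auth0:* appSettings in Web.config.

```csharp
// Added example, not the poster's or Auth0's own code. Constants.AUTH_TYPE and
// Constants.AUTH_COOKIE_NAME come from the post; the auth0:* appSettings are placeholders.
using System.Configuration;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
namespace MyApp
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // The cookie middleware IS the session: it serialises the ClaimsIdentity the OIDC
            // middleware signs in, and rebuilds HttpContext.User from that cookie afterwards.
            app.SetDefaultSignInAsAuthenticationType(Constants.AUTH_TYPE);
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = Constants.AUTH_TYPE,
                CookieName = Constants.AUTH_COOKIE_NAME,   // must not be the Forms Auth name
                CookieSecure = CookieSecureOption.Always,
                LoginPath = new PathString("/Account/Login"),
            });
            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                AuthenticationType = "Auth0",
                Authority = "https://" + ConfigurationManager.AppSettings["auth0:Domain"],
                ClientId = ConfigurationManager.AppSettings["auth0:ClientId"],
                ClientSecret = ConfigurationManager.AppSettings["auth0:ClientSecret"],
                RedirectUri = ConfigurationManager.AppSettings["auth0:RedirectUri"],
                Scope = "openid profile email",
                SignInAsAuthenticationType = Constants.AUTH_TYPE, // hand identity to cookie mw
            });
        }
    }
    public class AccountController : Controller
    {
        // No FormsAuthentication.SetAuthCookie: Challenge() starts the OIDC round trip and
        // the cookie middleware issues the one session cookie on the way back.
        public ActionResult Login(string returnUrl)
        {
            HttpContext.GetOwinContext().Authentication.Challenge(
                new AuthenticationProperties { RedirectUri = returnUrl ?? "/" }, "Auth0");
            return new HttpUnauthorizedResult();
        }
    }
}
```

Logout is the mirror image: call HttpContext.GetOwinContext().Authentication.SignOut(Constants.AUTH_TYPE, "Auth0") instead of FormsAuthentication.SignOut(), which clears the OWIN cookie and ends the Auth0 session in one step.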

Thanks Nik .. that's what I figured. It's just weird that it worked before my upgrade. I guess back then 2 cookies were also being set, but the one the browser dropped was the OWIN one, and after the upgrade the one that was dropped was the one the site set for Forms Auth.