Web applications under the same domain override each other's authenticated session

Problem Statement

We have two ASP.NET websites using OWIN that are deployed under the same domain in IIS as separate applications. Each website is accessed in sequence and in different browser tabs, which allows user authentication to complete successfully in both. However, when returning to the first site that was accessed, the authenticated session is lost.

Symptoms

When the issue occurs, debugging the impacted applications shows that User.Identity becomes unauthenticated.

Troubleshooting

For each web application, capture an HTTP trace covering every step from the initial login until the session-loss event. Because an OWIN web application generally maintains an authenticated session through cookies, review both traces to confirm whether each application sets cookies in a way that overrides the cookies set by the other application (same cookie name, same domain and path).

Cause

By default, OWIN CookieAuthenticationOptions names the authentication cookie .AspNet.Cookies and sets it at the root path "/". This means that when two applications are deployed under the same domain (in separate paths), the cookie set by each application overrides the other one, because the name is the same and the cookie is set at the domain root path, so the browser sends whichever was written last to both applications.

Solution

Each application should guarantee that its cookies have a unique name that does not clash with the other application's cookies, or ensure that its cookies are set with a Path component specific to the respective application (doing both is the safest choice). In the context of OWIN authentication, we can customize the cookie configuration through CookieAuthenticationOptions.
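The following Startup configuration is an added example (not code from the original article) showing how one of the two applications, assumed to be deployed at the hypothetical IIS virtual path /AppA, gives its cookie both a unique name and a path scoped to itself; the second application uses the same code unchanged and ends up with .AspNet.Cookies.AppB at /AppB. It assumes the System.Web OWIN host, so HttpRuntime.AppDomainAppVirtualPath returns the application's virtual path.

```csharp
// Added example (not the original article's code): per-application cookie
// configuration that prevents the .AspNet.Cookies collision described above.
// Assumes IIS hosting via Microsoft.Owin.Host.SystemWeb at a virtual path
// such as "/AppA" (hypothetical).
using System;
using System.Web;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

[assembly: OwinStartup(typeof(AppA.Startup))]

namespace AppA
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // The IIS application virtual path, e.g. "/AppA" ("/" for a root site).
            // Deriving both the cookie name and path from it means two deployments
            // under the same domain can never share a cookie by accident.
            string appPath = HttpRuntime.AppDomainAppVirtualPath ?? "/";

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = "ApplicationCookie",
                // Unique name: "/AppA" becomes ".AspNet.Cookies.AppA"; a root
                // site keeps the default ".AspNet.Cookies".
                CookieName = ".AspNet.Cookies" + appPath.TrimEnd('/').Replace('/', '.'),
                // Scope the cookie to this application: the browser only sends it
                // for requests under /AppA, so /AppB's cookie is left untouched.
                CookiePath = appPath,
                // Hardening that applies regardless of the collision fix.
                CookieHttpOnly = true,
                CookieSecure = CookieSecureOption.Always,
                ExpireTimeSpan = TimeSpan.FromMinutes(30),
                SlidingExpiration = true,
                // LoginPath is relative to the application's PathBase.
                LoginPath = new PathString("/Account/Login"),
            });
        }
    }
}
```

After deploying, the HTTP trace for each application should show a Set-Cookie header whose name and Path differ between the two sites; if either still shows .AspNet.Cookies with Path=/, that application's Startup was not updated.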

CookieAuthenticationOptions Properties (Microsoft.Owin.Security.Cookies) | Microsoft Learn