Cross-Domain Cookie with Legacy Applications

Writing modern web applications is easy, but what happens when you need to interface with a legacy application and cookies are required? Today, I explain the gotchas with cross-domain applications.

Written by Jonathan "JD" Danylko • Last Updated: April 18^th, 2016 • Develop •

Brick wall with someone holding their head

Once you create your first ASP.NET MVC application, it's a great feeling.

You've created something out of nothing!

Creating a new application is easy.

However, integrating a brand new ASP.NET MVC website with a legacy website can be a challenge.

Our said challenge was an older WebForms application using ASP.NET 2.0 and we wanted (no, needed) to give the application a face lift, but it's not recommended that we rewrite the monolith. It would take years for this to be rewritten.

So how can we fix up this "old and busted" WebForms monolith?

Old and Busted...New Hotness (Scene from Men in Black II)

Branch by Abstraction

Martin Fowler mentioned a technique called Branch by Abstraction and seemed like a suitable way for us to proceed with this particular application.

The idea behind the technique is to move specific parts of the monolith over to the "new hotness" and slowly disconnect and dissolve the old feature in the monolith.

I understand one alternative is to use microservices to break apart the monolith, but this particular application presents a difficult way for us to decouple a large amount of untested, WebForm code.

Again, it's definitely a challenge.

Cross-Domain Headaches

As of this last week, I hit my head against the first problem.

The older WebForms application wasn't really an application, it was an ASP.NET WebSite. Not a "web application."

Since we had this older WebForms web site project, the team needed a way to cleanly add an ASP.NET MVC application.

The WebForms application uses the Microsoft Membership and requires a cookie passed across the application.

But we're building a new ASP.NET MVC application and cookies don't travel across domains.

So how do you pass those credentials from an MVC application over to the older application without adding any additional code to the older WebForms app?

The solution we came up with is to create the application on a subdomain so the cookie works across domains.

This solved the issue of our applications working together seamlessly.

Now...for the gotchas

After implementing a subdomain for my local dev box, I was off and running.

I had the following domains working on my system for testing.

website1.localhost.com:888

website2.localhost.com:888

Fast-forward to Friday last week.

After a number of StackOverflow posts, here are the three things I learned over the week.

1. MachineKey

Make sure you have the machinekey element in your <system.web> section of your web.config.

  <machineKey validationKey="yourKeyHere" decryptionKey="yourOtherKeyHere"
                validation="SHA1" compatibilityMode="Framework20SP2" />

The ValidationKey and DecryptionKey has to be the same in both of your applications' web.configs.

NOTE: The missing piece to make the cross-domain membership work with the older WebForms was the compatibilityMode attribute. Once that attribute was added, the cookie persisted across the domain.

2. Add the enableCrossAppRedirects attribute to your Forms Element

In your system.web section, add an authentication element with forms.

  <forms loginUrl="yourLoginUrl"
             name=".MYFORMSAUTHNAME"
             timeout="30" cookieless="UseCookies"
             domain=".localhost.com"
             enableCrossAppRedirects="true" />

One of the gotchas I experienced was the enableCrossAppRedirects="true" (obviously).

If you don't have this attribute, it won't redirect properly.

3. Lastly, add the domain

The domain attribute is also a critical component.

  <forms loginUrl="yourLoginUrl"
               name=".MYFORMSAUTHNAME"
               timeout="30" cookieless="UseCookies"
               domain=".localhost.com"
               enableCrossAppRedirects="true" />

The leading period is required when using subdomains so the cookie can travel between the applications.

Conclusion

The amount of effort it took for this to be implemented was contingent upon typing in the right Google keywords to find the solution.

I wanted to post this particular story of using cross-domain cookies with legacy applications so no one has this same issue in the future.

After implementing everything described above, I can now log into an ASP.NET MVC and automatically go to the primary screen in the WebForms application.

UPDATE: I also want to thank the parties involved with this question on StackOverflow. This was one of those well-placed keyword searches in Google to find the right answer.

Was this a good way to enhance this application? Would it have been better to rewrite the whole WebForms applicatiion? Post you thoughts below.

Did you like this content? Show your support by buying me a coffee.

Buy me a coffee

Jonathan Danylko is a web architect and entrepreneur who's been programming for over 25 years. He's developed websites for small, medium, and Fortune 500 companies since 1996.

He currently works at Insight Enterprises as an Principal Software Engineer Architect.

When asked what he likes to do in his spare time, he replies, "I like to write and I like to code. I also like to write about code."

comments powered by Disqus

What's New

January 10^th, 2024

Added more reviews for my latest book, "ASP.NET 8 Best Practices."
June 22^nd, 2023

Amazon posted the pre-order page for my book (and yes, I'm freaking out a bit).
May 26^th, 2023

Added the Stir Trek 2023 videos link to the post.
November 3^rd, 2022

Updated Technology Trends for Developers by adding the Web Almanac (State of the Web Report)
July 4^th, 2022

Taking it easy today...Happy 4th of July everyone!
June 15^th, 2022

Yikes! My first vidcast EVER! Thanks Ed for the opportunity.
March 14^th, 2022

Updated Collection:Git Resources for Beginners w/ 20 Git Commands for Beginners
March 14^th, 2022

Updated Collection: Web API Best Practices w/ How to design REST APIs and The 10 REST Commandments.
December 17^th, 2021

Taking the standard two weeks off to recharge; See you next year! ;-)
June 1^st, 2021

Add Container Queries to Collection: CSS Resources.

Welcome

Jonathan Danylko Hi! Welcome to DanylkoWeb. This is the PERSONAL web site of Jonathan "JD" Danylko where I focus on Microsoft web technologies including ASP.NET using C#, Web Performance, Code Exorcisms (refactorings), and business lessons learned over a period of 30 years of programming.

I've also collected the best ways to learn C#.

If you have any questions, feel free to contact me.

Search

Morning Coffee Link

April 26^th, 2024Implement a secure Blazor Web application using OpenID Connect and security headers

View All

Be Social

Follow my blog with Bloglovin

Latest Book

Amazon Unbound

By Brad Stone

ISBN: 1398500976 / 978-1398500976

See the latest books I've read at the Reading Corner.