I have 2 ASP.NET 5 MVC 6 applications.
One running at www.mydomain.tld, one at world1.mydomain.tld.
If a user gets logged in on the www subdomain's application, I want them logged in on the world1 subdomain's application as well. Login is realized with ASP.NET Identity 3.
I've set up both applications in Startup.cs as follows:

    public void ConfigureServices(IServiceCollection services)
    {
        // [...]
        services.AddCaching();
        services.AddSession(options =>
        {
            options.CookieDomain = ".mydomain.tld";
            options.IdleTimeout = TimeSpan.FromMinutes(30);
        });
        // [...]
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
    {
        // [...]
        app.UseCookieAuthentication(null, IdentityOptions.ExternalCookieAuthenticationScheme);
        app.UseCookieAuthentication(null, IdentityOptions.TwoFactorRememberMeCookieAuthenticationScheme);
        app.UseCookieAuthentication(null, IdentityOptions.TwoFactorUserIdCookieAuthenticationScheme);
        app.UseCookieAuthentication(config =>
        {
            config.CookieDomain = ".mydomain.tld";
        }, IdentityOptions.ApplicationCookieAuthenticationScheme);
        // [...]
    }

I've set the machine key of both applications via web.config as follows:

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <system.web>
        <machineKey decryption="AES" decryptionKey="some decryption key" validation="HMACSHA256" validationKey="some encryption key" />
      </system.web>
    </configuration>

Logging in on the www subdomain works, but accessing sites on the world1 subdomain doesn't work, because the authentication cookie is not being recognized as a valid login cookie.
What am I doing wrong?
Apps are automatically isolated from one another. You need to ensure three things:
- They use the same key store.
- They use the same application ID.
- They're in the same app pool, or the identity on each pool is identical.
Apps running on the same host, under the same hosting mechanism, use the same key store. If they are on separate machines you need to use a key store on a network drive, or another shared place such as Azure blob storage.
In order to set an application ID common to both applications you need to configure the data protection stack.
For example,

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDataProtection();
        services.ConfigureDataProtection(configure =>
        {
            configure.SetApplicationName("my application");
        });
    }

If you need to run the applications as different users you need to change how keys are protected, to either use machine-level DPAPI or an X509 certificate.
You don't need the machineKey entry in web.config; the machine key is no longer used.
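As an added example (not part of the answer above or the asker's code), this is one ConfigureServices that covers all three points from the answer for two apps on the same host whose app pools run as different users: a shared application name, a shared key store on disk, and keys protected with machine-level DPAPI so both pool identities can unprotect them. The application name and key ring path are assumptions, and the method names are those of the ASP.NET 5 beta data protection package.

```csharp
using System.IO;
using Microsoft.AspNet.DataProtection;
using Microsoft.Extensions.DependencyInjection;

// Put this identical configuration in the Startup of both the www and the
// world1 application (added example; values below are assumptions).
public class Startup
{
    // Must match byte-for-byte in both apps: the purpose derived from it is
    // mixed into the protector, so different names mean rejected cookies.
    private const string SharedApplicationName = "mydomain-shared-auth";

    // One key ring for both apps. Both app pool identities need read and
    // write access; keep the ACL tight, since whoever reads the keys can
    // mint authentication cookies for every subdomain under .mydomain.tld.
    private const string SharedKeyRingPath = @"C:\inetpub\keyring";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDataProtection();
        services.ConfigureDataProtection(configure =>
        {
            // Same application ID in both apps.
            configure.SetApplicationName(SharedApplicationName);

            // Same key store in both apps instead of the per-app default.
            configure.PersistKeysToFileSystem(new DirectoryInfo(SharedKeyRingPath));

            // Machine-level DPAPI (protectToLocalMachine = true): any account
            // on this machine can unprotect the keys, so two different pool
            // identities both work. Per-user DPAPI (false) would tie the keys
            // to the pool identity that created them and break the other app.
            // This only covers apps on the same host; across hosts the shared
            // key ring needs a certificate that every host can open.
            configure.ProtectKeysWithDpapi(true);
        });

        // Cookie domain settings for AddSession / UseCookieAuthentication stay
        // exactly as shown in the question, so the browser sends one cookie
        // to both subdomains and both apps can now validate it.
    }
}
```

Because the cookie is scoped to .mydomain.tld and both apps share one key ring, every application hosted under that domain with this configuration accepts the same login, so only deploy it to apps that should trust each other's sessions.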