AuthUserSession across multiple application

kebin · July 10, 2017, 10:03pm

How can I share AuthUserSession across multiple applications under the same root domain? i.e we already have an mvc+servicestack application running (test.com) and now are adding another mvc application using asp.net core at two.test.com. Users authenticate at test.com.

I’ve done the following:

Using OrmLiteCacheClient for shared session/cache
Session cookie is shared via browser(RestrictAllCookiesToDomain) and null for localhost
I can see that two.test.com is receiving session cookie set by test.com
two.test.com’s controllers are derived from ServiceStackController

In two.test.com, SessionFeature.GetSessionKey() throws - NotImplementedException: This AppHost does not support accessing the current Request via a Singleton

Shouldn’t the Session be populated in two.test.com?

Thanks!

mythz · July 10, 2017, 10:13pm

You can only call SessionFeature.GetSessionKey() without the request context in ASP.NET .NET 4.5 Apps, in other AppHosts you need to provide the IRequest context for the current request.

kebin · July 10, 2017, 10:29pm

Got it! Thanks.

How can I use [Authenticate] / [Authorize] attributes in my controller in two.test.com? how can I ensure that the current user’s session is loaded from the session/cache and those attributes play well?

mythz · July 11, 2017, 12:04am

Have you tried adding it to your ServiceStackController classes?

kebin · July 11, 2017, 12:13am

Yes. I took a .net core sample from the github, changed from memory cache to PostgreSQL cache. Running two applications on localhost. First application logs a user in and sets the session cookie on localhost. I see active session in the db.

On the second application(core), when a request hits an action/ controller with Authenticate attribute, it redirects to sign in.

mythz · July 11, 2017, 12:17am

When you hit /auth endpoint from the second App do you get the session or a 401 response?

kebin · July 11, 2017, 12:36am

Hmm I’m not sure if I understand this correctly. So regardless of whether a user has been authenticated from the first endpoint or not, I’d still need to /auth the user in the second endpoint?

mythz · July 11, 2017, 12:52am

No that’s just used to check whether ServiceStack thinks you’re authenticated or not? i.e. whether the issue is in your configuration or in ServiceStackController’s .NET Core impl.

kebin · July 11, 2017, 1:42am

I’m getting an 401.

The home page on the sample todo tells me I am not.
ServiceStack Status (Ajax)
Not Authenticated

/session has IsAuthenticated: false.

The session is active in cache_entry table. First endpoint is authenticated, second(.net core) is not.

mythz · July 11, 2017, 1:49am

If you’re getting a 401 ServiceStack is indicating that the Session Id provided doesn’t point to an Authenticated User Session.

Check the HTTP Request Headers for both Apps to ensure they contain the exact same Session Cookies
Check that your Auth/Cache configuration is exactly the same
Check that this returns a valid User Session in both apps:

var sessionId = req.GetSessionId(); // or try hard-coded sessionId string
var sessionKey = SessionFeature.GetSessionKey(sessionId);
var session = req.GetCacheClient().Get<IAuthSession>(sessionKey);

kebin · July 11, 2017, 2:45am

All three looked good. The issue was that sample app had CustomUserSession and therefore ‘__type’ in the stored session was not matching with my app. Worked after fixing this! Is there a way to get around this without having to share the same type?

Thanks a lot!

mythz · July 11, 2017, 2:51am

Leave it as the default AuthUserSession, i.e. don’t use a CustomUserSession. Also I don’t see how the Auth Configuration would be exactly the same in both Apps if they both didn’t have access to the same CustomUserSession.

kebin · July 11, 2017, 3:24am

Great. Thanks for the help! I love Servicestack and can’t wait for another .net core release targeting 2.0!