Multiple websites in IIS sharing same sessionids can't be connected at same time

Time:09-17

I'm adding two websites in IIS. The code is the same but with different files. The problem is that when you log on to the first one, then log on to the second one, and after that try to do something on the first one, it looks like the session was cleared and the home page is shown again. Both are using the same session variables. I'm also using JwtBearer.
How can I use both websites at the same time?

Startup.cs:

    services.AddSession(options =>
    {
        options.IdleTimeout = TimeSpan.FromMinutes(300);
        options.Cookie.HttpOnly = true;
    });

    services.AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    })
        .AddIdentityServerJwt()
        .AddJwtBearer(x =>
        {
            x.RequireHttpsMetadata = false;
            x.SaveToken = true;
            x.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuerSigningKey = true,
                IssuerSigningKey = new SymmetricSecurityKey(key),
                ValidateIssuer = false,
                ValidateAudience = false,
                ValidateLifetime = true,
            };
        });

I'm using the session:

 IHttpContextAccessor.HttpContext.Session;

CodePudding user response:

1. You are using a cookie for session identification. Browsers add cookies to a request depending on parts of the URL. If you are using the same server and the host name in the URL is identical, then the path part should be different in this use case. This difference should be set on the cookie too, because the default path on them is empty. So if your two sites differ only in path but use the same host name, then the default cookie path doesn't allow the browser to differentiate.

Try setting options.Cookie.Path to the appropriate roots of your sites.

2. If you find your session shared between two sites then you have another problem too: are the two sites sharing the same execution environment (app pool)? Did you create just one site in IIS and place the two apps below it, just in different folders? This won't create the appropriate separation between apps. Create two app pools and assign them to the two apps.
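
As an added illustration (not part of the original question or answer), this JavaScript model of a browser cookie jar shows why two apps on one host that both issue the default ASP.NET Core session cookie (.AspNetCore.Session with Path=/) overwrite each other's session, and how a distinct cookie name and path per app keeps them apart. The host name, the /siteA and /siteB paths, the .SiteA.Session and .SiteB.Session names and the session values are assumptions made for the example.

```javascript
// Minimal browser cookie jar: cookies are keyed by (name, host, path), as in RFC 6265.
// Constructed model for illustration; not ASP.NET Core or browser source code.
class CookieJar {
  constructor() { this.cookies = new Map(); }

  // Store a cookie; a second cookie with the same name, host and path replaces the first.
  set(host, name, value, path = "/") {
    this.cookies.set(`${name}|${host}|${path}`, { host, name, value, path });
  }

  // RFC 6265 section 5.1.4 path-match.
  static pathMatch(requestPath, cookiePath) {
    if (requestPath === cookiePath) return true;
    if (!requestPath.startsWith(cookiePath)) return false;
    return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
  }

  // Values of the named cookie that the browser would send for host + requestPath.
  send(host, requestPath, name) {
    return [...this.cookies.values()]
      .filter(c => c.host === host && c.name === name &&
                   CookieJar.pathMatch(requestPath, c.path))
      .map(c => c.value);
  }
}

// Log in to site A, then site B, then return to site A; report what site A receives.
function simulate(cfgA, cfgB) {
  const host = "intranet.example"; // hypothetical shared host name
  const jar = new CookieJar();
  jar.set(host, cfgA.name, "session-A", cfgA.path); // Set-Cookie from site A
  jar.set(host, cfgB.name, "session-B", cfgB.path); // Set-Cookie from site B
  return jar.send(host, "/siteA/orders", cfgA.name);
}

// Defaults: both apps issue .AspNetCore.Session with Path=/, so B's cookie replaces A's.
const shared = { name: ".AspNetCore.Session", path: "/" };
const collided = simulate(shared, shared);

// Distinct Cookie.Name and Cookie.Path per app: site A gets only its own cookie back.
const isolated = simulate({ name: ".SiteA.Session", path: "/siteA" },
                          { name: ".SiteB.Session", path: "/siteB" });

console.log(collided, isolated);
```

In the collided case site A receives a session id it never issued, so it starts a fresh session, which matches the "session was cleared" symptom in the question.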
