Home Umbraco Web API - Cookie Authentication
Reply: 1

Umbraco Web API - Cookie Authentication

booler Published in 2017-03-28 10:17:47Z

I'm using Umbraco 7.5 with an OWIN startup class.

Despite the shortcomings with using cookie auth, I'm trying to share the cookie auth between both MVC and Web API.

I have this in my OWIN startup class:

private static void ConfigureAuth(IAppBuilder app)

    CookieSecureOption secureCookieOption = CookieSecureOption.SameAsRequest;
    secureCookieOption = CookieSecureOption.Never;

    app.UseCookieAuthentication(new CookieAuthenticationOptions
        AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
        AuthenticationMode = AuthenticationMode.Active,
        LoginPath = new PathString("/Account/Login"),
        CookieSecure = secureCookieOption,
        CookieManager = new ChunkingCookieManager(),
        Provider = new CookieAuthenticationProvider()
        }, PipelineStage.Authenticate);

    //configure B2C OAuth middleware
    foreach (string policy in AppSettings.B2CPolicies)

    // Use a cookie to temporarily store information about a user logging in with a third party login provider

This works fine as far as the Umbraco & custom MVC pages are concerned - the current user identity is available and the Umbraco helper methods work as expected.

However for Web API controllers - whether derived from UmbracoApiController or just ApiController, the current user identity on the HTTP Context is always null. I have checked the browser request being sent for to the API controllers, and the ASPNET identity cookie is included, so I'm confused as to why this doesn't translate to a user identity on the thread & httpcontext. Anyone able to shed some light on that?

Edit: some more info on this- I tried creating my own custom cookie authentication middleware and replaced the standard MS CookieAuthenticationHandler with my custom implementation so that I could trace the calls through it. Interestingly, for a normal MVC page, the AuthenticateCoreAsync method is invoked as the page loads, which successfully reads the cookie and returns a valid authentication ticket. For the Web API call, the AuthenticateCoreAsync method is not invoked at all before the API method is hit.

Community Reply to 2017-05-23 12:17:26Z

I found the answer to this - it was nothing to do with OWIN, and everything to do with my Web API initialization code. I was mixing the code required for self-hosting Web API with the code required to get Web API running as part of the MVC app. Instead of IAppBuilder.UseWebApi() I should have been using GlobalConfiguration.Configure()

So the working code looks something like this:

public static void Configure(IAppBuilder app)

private static void Register(HttpConfiguration config)



A similar issue was encountered in this SO question.

You need to login account before you can post.

About| Privacy statement| Terms of Service| Advertising| Contact us| Help| Sitemap|
Processed in 0.306111 second(s) , Gzip On .

© 2016 Powered by mzan.com design MATCHINFO