Catching the System.Web/Owin Cookie Monster

CookieMonster-SittingCookies set through the Owin API sometimes mysteriously disappear. The problem is that deep within System.Web, there has been a cookie monster sleeping since the dawn of time (well, at least since .NET and System.Web was released). The monster has been sleeping for all this time, but now, with the new times arriving with Owin, the monster is awake. Being starved from the long sleep, it eats cookies set through the Owin API for breakfast. Even if the cookies are properly set, they are eaten by the monster before the Set-Cookie headers are sent out to the client browser. This typically results in heisenbugs affecting sign in and sign out functionality.


The problem is that System.Web has its own master source of cookie information and that isn’t the Set-Cookie header. Owin only knows about the Set-Cookie header. A workaround is to make sure that any cookies set by Owin are also set in the HttpContext.Current.Response.Cookies collection.

This is exactly what my Kentor.OwinCookieSaver middleware does. It should be added in to the Owin pipeline (typically in Startup.Auth.cs), before any middleware that handles cookies.


The cookie saver middleware preserves cookies set by other middleware. Unfortunately it is not reliable for cookies set by the application code (such as in MVC Actions). The reason is that the System.Web cookie handling code might be run after the application code, but before the middleware. For cookies set by the application code, the workaround by storing a dummy value in the sessions is more safe.

Using Owin External Login without ASP.NET Identity

ASP.NET MVC5 has excellent support for external social login providers (Google, Facebook, Twitter) integrating with the ASP.NET Identity system. But what if we want to use external logins directly without going through ASP.NET Identity? Using external logins together with ASP.NET Identity is very simple to get started with, but it requires all users to register with the application. External logins are just another authentication method against the internal ASP.NET Identity user. In some cases there is no need for that internal database, it would be better to get rid of it and use the external login providers without ASP.NET Identity. That’s possible, but requires a bit of manual coding.

For public facing web applications I think that it is often a good idea to use ASP.NET Identity as it doesn’t tie the user to a specific login provider. But if we are fine with using one and only one specific login provider for each user it’s possible to skip ASP.NET Identity. It could be an organization that heavily relies on Google Apps already so that all users are known to have Google accounts. It could be an application that uses SAML2 based federative login through Kentor.AuthServices.

In this post I’ll start with a freshly created ASP.NET MVC Application without any authentication at all and make it use Google authentication, without ASP.NET Identity being involved at all. The complete code is available on my GitHub account.

Kentor.AuthServices 0.9.0 SAML2 for ASP.NET Released

The Kentor.AuthServices SAML2 Service Provider has got one important improvement for simplified operations: automatic metadata refresh. Identity providers and federations configured by loading metadata are now automatically refreshed based on the cache duration settings in the received metadata. Especially for federation setups this significantly simplifies the operations. When new identity providers are added to the federation, those are automatically made available in AuthServices and any removed identity providers are pruned from the active list.

The core AuthServices, MVC and Owin packages are all available for download on Nuget. The source and issue list are on GitHub.


  • Automatic refresh of metadata.
  • StubIdp metadata contains cacheDuration
  • Configuration option for metadataUrl for identity providers.
  • returnUri renamed to returnUrl in configuration.

Solving the set Startup Projects bug in Visual Studio

This is a guest post by Albin Sunnanbo sharing how a mysterious Visual Studio problem made the Set Startup project command fail.

In one of our projects at work we had this mysterious problem with Visual Studio, both 2012 and 2013. It happened to some developers and some machines. When I got a new computer a while ago I was hit with this dreaded bug too. This is a story about how to use available clues to succeed with solving even the strangest problems.

When trying to set multiple startup projects in Visual Studio we right click solution, click Set StartUp Projects…
and expect the familiar dialog to pop up. But no, the menu disappears and then nothing happens. No dialog. Nothing.
If we click Properties instead we get an ugly dialog with the text “Object reference not set to an instance of an object.”

That poor dialog is pretty famous, it got something like a quarter of a million hits on Google. More than I’ll ever get.
Nothing on the top five Google pages seemed to help. We finally found a workaround. Uninstall NuGet package manager, set your startup projects, reinstall NuGet package manager. Not particularly elegant, but at least we could proceed with our regular work.

Kentor.AuthServices 0.8.0 SAML2 for ASP.NET Released

We continue to improve the Kentor.AuthServices SAML2 Service Provider for ASP.NET with the release of version 0.8.0. With this release the entire configuration system has been rebuilt, to enable configuration from other sources than the config file. This is good news for anyone thinking of integrating Kentor AuthServices in an application where configuration is offered through a user interface. There has also been further support for federations added, with administrative metadata now being exported as well as support attribute consuming services and the Idp discovery extensions to metadata.

The core AuthServices, MVC and Owin packages are all available for download on Nuget. The source and issue list are on GitHub.


  • Automatic generation of service provider URLs, removing configuration.
  • Configuration can now be supplied from code and not only in config file.
  • Administrative metadata (organization and contactPerson) support.
  • Serialization of SAML Attributes.
  • Support for Bootstrapcontext, saving incoming assertion in the resulting identity.
  • Fixed new principal returned by ClaimsAuthenticationManager being ignored.
  • Attribute consuming service support in metadata and AuthnRequest.
  • Discovery service response location included in metadata if use of discovery service is enabled.
  • Fixed null reference exception on HTTP POST with owin middleware.
Software Development is a Job – Coding is a Passion

I'm Anders Abel, a systems architect and developer working for Kentor in Stockholm, Sweden.

profile for Anders Abel at Stack Overflow, Q&A for professional and enthusiast programmers

The complete code for all posts is available on GitHub.

Popular Posts



Powered by WordPress with the Passion for Coding theme.