Web developers tend to develop more than one application at a time… Mauro… have you discovered the hot water?

If our web application leverages the power of Windows Identity Foundation, and maybe of the Windows Azure ACS, we end up using the powerful “Identity and Access” Visual Studio extension to manage the WIF configuration. As soon as we discover the LocalSTS that comes with the extension, we give a standing ovation and do a lap of the house on our knees :-)

The problem we can face is that, since every web application we are developing runs on localhost, we end up with a mess: cookies from different web sites, and thus with different authentication tokens, flow around all the web applications we are working on.

Set the cookie path, Luke…

The solution is trivially easy:

<system.identityModel>
  <identityConfiguration>
    <audienceUris>
      <add value="https://localhost/myWebApplication/" />
    </audienceUris>
    <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry,
                              System.IdentityModel, Version=4.0.0.0,
                              Culture=neutral, PublicKeyToken=b77a5c561934e089">
      <trustedIssuers>
        <add thumbprint="9B74CB2F320F7AAFC156E1252270B1DC01EF40D0" name="LocalSTS" />
      </trustedIssuers>
    </issuerNameRegistry>
    <!-- LocalSTS development setting: the issuer certificate is not validated -->
    <certificateValidation certificateValidationMode="None" />
  </identityConfiguration>
</system.identityModel>
<system.identityModel.services>
  <federationConfiguration>
    <!-- path scopes the session cookie to this application only;
         requireSsl="false" lets the cookie travel over plain HTTP (local development) -->
    <cookieHandler requireSsl="false" path="/myWebApplication" />
    <wsFederation passiveRedirectEnabled="true"
                  issuer="http://localhost:14342/wsFederationSTS/Issue"
                  realm="https://localhost/myWebApplication/"
                  reply="https://localhost/myWebApplication/" requireHttps="false" />
  </federationConfiguration>
</system.identityModel.services>

In order to avoid “cookie confusion” it is enough to set the path attribute of the cookieHandler element.

.m
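Why the path attribute is enough, as an added example that is not part of the original post: a small model of the browser's cookie jar using the RFC 6265 path-match rule. It assumes two applications reached under the same localhost host, a session cookie named FedAuth, and a second application called otherApplication; the token values are constructed.

```javascript
// RFC 6265 section 5.1.4 path-match: is a cookie with this Path sent for this request path?
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts when it ends on a "/" boundary.
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Storing a cookie: same name + same path on the same host replaces the old one.
// The port is not part of the key, so every site on localhost shares this jar.
function setCookie(jar, cookie) {
  const kept = jar.filter(c => !(c.name === cookie.name && c.path === cookie.path));
  return [...kept, cookie];
}

// Values of the cookies the browser attaches to a request for requestPath.
function sentTo(jar, requestPath) {
  return jar.filter(c => pathMatch(requestPath, c.path)).map(c => c.value);
}

// Sign in to both applications in turn, each writing its cookie with the given path.
function signInToBoth(pathA, pathB) {
  let jar = [];
  jar = setCookie(jar, { name: "FedAuth", path: pathA, value: "token-for-myWebApplication" });
  jar = setCookie(jar, { name: "FedAuth", path: pathB, value: "token-for-otherApplication" });
  return jar;
}

// Both apps write Path=/ : the second sign-in overwrites the first cookie.
const shared = signInToBoth("/", "/");
// Each app sets cookieHandler path to its own root: the cookies coexist.
const scoped = signInToBoth("/myWebApplication", "/otherApplication");

console.log(sentTo(shared, "/myWebApplication/"));  // the other app's token arrives
console.log(sentTo(scoped, "/myWebApplication/"));  // only this app's token
console.log(sentTo(scoped, "/myWebApplication2/")); // nothing: no "/" boundary
console.log(sentTo(scoped, "/mywebapplication/"));  // nothing: path match is case-sensitive
```

Browsers compare cookie paths case-sensitively, so the path value has to match the casing of the URL the application is actually browsed with.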