2
votes

I have two applications in the same domain: mydomain/app1 and mydomain/app2, and I need to share authentication between them. One app is in ASP.NET WebForms, and the second is using Web API 2.

I configured web.config as below:

App1:

<authentication mode="Forms">
  <forms loginUrl="/Login.aspx" defaultUrl="/Default.aspx" name=".ASPXFORMSAUTH" protection="All" cookieless="UseDeviceProfile" slidingExpiration="true" path="/" domain="mydomain" requireSSL="false" timeout="60" enableCrossAppRedirects="false">
  </forms>
</authentication>
<authorization>
  <deny users="?" />
  <allow users="*"/>
</authorization>
<machineKey validationKey="generated key1" decryptionKey="generated key2" validation="SHA1"/>

App2:

<authentication mode="Forms">
  <forms loginUrl="/index.html" defaultUrl="/index.html" name=".ASPXFORMSAUTH" protection="All" cookieless="UseDeviceProfile" slidingExpiration="true" path="/" domain="mydomain" requireSSL="false" timeout="60" enableCrossAppRedirects="false">
  </forms>
</authentication>
<authorization>
  <deny users="?" />
  <allow users="*"/>
</authorization>
<machineKey validationKey="generated key1" decryptionKey="generated key2" validation="SHA1"/>

I sign into app1 and observe the cookie content. Then I request a URL from app2 in another browser tab. The cookie (name and content) in the second tab is the same as in the first one. I expect the request from the second tab to be authenticated by app2, since the cookie was already authenticated by app1. Yet this is not happening, and I am redirected to the login page of app2.

1
One of possible reasons would be to have different versions of .NET (2 vs 4) or different architecture (32bit vs 64bit) on both servers. - Wiktor Zychla
They are on the same server, but different .NET Framework versions (4 and 4.5) - Bogdan
That's it. They changed the encryption between 4 and 4.5. You can either make both run under the same .NET or turn on the compatibility on the 4.5 site by adding an attribute to your machine key config node: social.microsoft.com/Forums/en-US/… - Wiktor Zychla
Yes, you are right. Please post it as an answer (not as a comment) so I can vote for it. - Bogdan

1 Answer

3
votes

As suggested by the OP, here is the answer that works in that case.

They changed the cookie encryption between 4 and 4.5. You can either make both run under the same .NET or turn on compatibility on the 4.5 site by adding an attribute to your machineKey config node.

https://social.microsoft.com/Forums/en-US/1791c5e3-4087-4e92-a460-51c5c4221f49/any-forms-auth-changes-in-45?forum=Offtopic
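The attribute the answer refers to is machineKey's compatibilityMode. Below is an added example web.config fragment (not from the original post or the linked thread) for the app that targets 4.5; it assumes that app is app2, and the key values are placeholders that must be byte-identical to app1's.

```xml
<!-- Added example: system.web for the app that targets .NET 4.5 (assumed here to be app2).
     Placeholder key values; copy the real validationKey/decryptionKey from app1 unchanged. -->
<system.web>
  <!-- targetFramework="4.5" switches the default crypto pipeline to Framework45, which an
       app still on 4.0 cannot decrypt even with identical keys. -->
  <httpRuntime targetFramework="4.5" />

  <authentication mode="Forms">
    <!-- name, path and domain must match app1 exactly so the browser presents one ticket to both. -->
    <forms loginUrl="/index.html" defaultUrl="/index.html" name=".ASPXFORMSAUTH"
           protection="All" cookieless="UseDeviceProfile" slidingExpiration="true"
           path="/" domain="mydomain" requireSSL="false" timeout="60"
           enableCrossAppRedirects="false" />
  </authentication>

  <authorization>
    <deny users="?" />
    <allow users="*" />
  </authorization>

  <!-- compatibilityMode="Framework20SP1" forces the 4.0-era ticket encryption/validation so
       the 4.0 app and the 4.5 app accept each other's tickets. A shared machineKey means a
       ticket minted by either app is trusted by both: protect both web.config files equally,
       and set requireSSL="true" once both apps are served over HTTPS so the shared ticket
       never travels in clear text. -->
  <machineKey validationKey="[SAME validationKey AS app1]"
              decryptionKey="[SAME decryptionKey AS app1]"
              validation="SHA1"
              compatibilityMode="Framework20SP1" />
</system.web>
```

The 4.0 app keeps its existing machineKey node; only the 4.5 app needs the extra attribute.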