Themos Piperakis

Reputation: 675

Forms authentication between applications

I have an ASP.NET application with Forms authentication. I also have a subfolder set up as a separate application (not a virtual directory), using the same application pool and the same web.config authentication settings.

For some reason I don't understand, these two applications do not share the same authentication. For instance, FormsAuthentication.SetAuthCookie seems to work independently, and User.Identity.Name returns different values in the two applications.

My question is, how can they share the same authentication? I want to log in to one app and appear under the same identity in the other. I can see the .ASPAUTH cookie has the same value (obviously, since they are under the same domain). But how would single sign-on work?

Thanks, Themos

Upvotes: 1

Views: 2603

Answers (1)

vcsjones

Reputation: 141588

Even though the applications are in the same AppPool, the machine keys are different for the two. Typically, the authentication cookie is encrypted with the machine key.

The default behavior for machine keys is to use IsolateApps, which generates a different machine key per IIS site application, not per application pool.

Since you have two different machine keys, they cannot decrypt the authentication cookie between applications. You need to add a static machine key (that is the same) for both applications.

You can use sites like this one to generate your own machine key.

Additionally, the MSDN article Forms Authentication Across Applications also specifies the settings that need to match between the two applications.

Upvotes: 4
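
The following is an added example, not code from the answer or from ASP.NET: a simplified model of why a cookie issued under one per-application key fails validation in the other application, plus a local generator for a static `<machineKey>` element to paste into both web.config files instead of relying on a key-generator website. The key derivation, the `/subapp` path and all function names are assumptions for illustration; only the integrity tag is modelled (no encryption), and `validation="HMACSHA256"` assumes .NET 4.0 or later.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # bytes in an HMAC-SHA256 tag

def isolated_key(base_key: bytes, app_path: str) -> bytes:
    """Toy stand-in for IsolateApps: the key depends on the application path.
    Assumption for illustration only; not ASP.NET's real derivation."""
    return hmac.new(base_key, app_path.encode(), hashlib.sha256).digest()

def protect(ticket: bytes, key: bytes) -> bytes:
    """Append an integrity tag to the ticket (encryption is left out of the model)."""
    return ticket + hmac.new(key, ticket, hashlib.sha256).digest()

def unprotect(cookie: bytes, key: bytes):
    """Return the ticket if the tag verifies under this key, else None."""
    ticket, tag = cookie[:-TAG_LEN], cookie[-TAG_LEN:]
    expected = hmac.new(key, ticket, hashlib.sha256).digest()
    return ticket if hmac.compare_digest(tag, expected) else None

def cross_app_check(ticket: bytes = b"name=alice;path=/") -> dict:
    """Issue a constructed ticket in the root app and read it in the sub-application."""
    base = secrets.token_bytes(32)
    root_key, sub_key = isolated_key(base, "/"), isolated_key(base, "/subapp")
    static_key = secrets.token_bytes(64)  # same value configured in both apps
    return {
        "isolated": unprotect(protect(ticket, root_key), sub_key),
        "static": unprotect(protect(ticket, static_key), static_key),
    }

def machine_key_element() -> str:
    """Generate key material locally and render it for both web.config files."""
    validation_key = secrets.token_hex(64).upper()  # 64 bytes
    decryption_key = secrets.token_hex(32).upper()  # 32 bytes, AES-256
    return (f'<machineKey validationKey="{validation_key}" '
            f'decryptionKey="{decryption_key}" '
            'validation="HMACSHA256" decryption="AES" />')

if __name__ == "__main__":
    print(cross_app_check())       # "isolated" is None, "static" is the ticket
    print(machine_key_element())   # place inside <system.web> of both applications
```

The generated element is a secret: anyone holding these keys can mint valid authentication cookies, so keep it out of source control and restrict read access to both web.config files.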
