Forms Authentication across virtual directories

Question

I am trying to share forms auth from a root application to a sub application running in a virtual directory. I am having trouble with authentication in the subsite.

In the parent application everything works as expected.

I have the following setup:

Parent application:

• URL: http://localhost:1336/
• <forms loginUrl="~/account/sign-in" protection="All" timeout="30" name=".MYAPPLICATION" path="/" requireSSL="false" slidingExpiration="true" cookieless="UseDeviceProfile" enableCrossAppRedirects="true" defaultUrl="/" />

Virtual Directory:

• URL: http://localhost:1336/subsite
• <forms loginUrl="/account/sign-in" protection="All" timeout="30" name=".MYAPPLICATION" path="/" requireSSL="false" slidingExpiration="true" cookieless="UseDeviceProfile" enableCrossAppRedirects="true" defaultUrl="/" />

When i try to a http://localhost:1336/subsite I get the following flow:

• GET for http://localhost:1336/subsite -> 302 to /account/sign-in?ReturnUrl=%2fsubsite (looks ok)
• Enter User/password
• POST to http://localhost:1336/account/sign-in?ReturnUrl=%2fsubsite -> 302 /subsite (great the auth looks like its successful)
• GET for http://localhost:1336/subsite -> 302 to /account/sign-in?ReturnUrl=%2fsubsite (IE the subsite doesnt think its authenticated)

Also i can see the cookie in the list in my browser (so its actually there)

What have I got wrong in my config that's stopping my subsite from sharing the parent cookie?

I am running this on IISExpress

Answer 1

In your web.config files, set a common machine key between the projects so that the 2 domains share validation and decryption keys.

example:

<machineKey validationKey="21F090935F6E49C2C797F69BBAAD8402ABD2EE0B667A8B44EA7DD4374267A75D7" 
decryptionKey="ABAA84D7EC4BB56D75D217CECFFB9628809BDB8BF91CFCD64568A145BE59719F"
validation="SHA1"
decryption="AES"
/>