Reputation: 9861
I have a pair of websites I am building in Asp.Net. In development, they are both on my machine. One is hosted in IIS and one is in IISExpress. I have configured both websites to use FormsAuthentication, and set the same authentication and httpCookies elements in each web.config:
<authentication mode="Forms">
  <forms loginUrl="~/LogOn" timeout="2880" domain=".mydomain" />
</authentication>
<httpCookies domain=".mydomain" requireSSL="false"/>
However, after a standard FormsAuthentication.SetAuthCookie, the second site cannot read the .ASPXAUTH cookie from the first. It CAN read the same Asp.Net_SessionID cookie from the other website. So, one cookie is being passed across applications, but the second is not.
Additionally, when the debugger is attached to the second application and it receives the redirect from the first site, the Chrome debugger shows both cookies, Fiddler reports that both cookies were transmitted, and the Response.Headers["cookie"] contains the .ASPXAUTH cookie.
How can I effect this cross-application sign-on? In production, these two sites will answer on separate sub-domains.
Upvotes: 2
Views: 1179
Reputation: 9861
I've found the answer to my problem.
IISExpress and IIS use separate MachineKey values, even though they are originating on the same physical machine. To solve my problem, I generated a MachineKey entry at http://aspnetresources.com/tools/machineKey and dropped the same MachineKey element into all participating applications' web.config files.
Thanks to Robert Smith @smithrobs on Twitter for suggesting I check this line of the problem.
Upvotes: 2
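An added example, not part of the original answer: a Python script that generates the key material locally, writes the same machineKey element into each application's web.config text, and checks that every participating config carries an identical explicit key. The function names and the sample config are constructed for illustration; HMACSHA256 with a 64-byte key and AES with a 32-byte key are one valid choice, not something the answer specifies.

```python
import secrets
import xml.etree.ElementTree as ET

ATTRS = ("validationKey", "decryptionKey", "validation", "decryption")

def new_machine_key():
    """Build a <machineKey> element from locally generated random bytes."""
    return ET.Element("machineKey", {
        "validationKey": secrets.token_hex(64).upper(),  # 64 bytes, HMAC key
        "decryptionKey": secrets.token_hex(32).upper(),  # 32 bytes, AES-256
        "validation": "HMACSHA256",
        "decryption": "AES",
    })

def machine_key_of(web_config_xml):
    """Return the machineKey settings of a web.config string, or None."""
    node = ET.fromstring(web_config_xml).find("system.web/machineKey")
    if node is None:
        return None  # no explicit key: the host auto-generates its own
    return tuple(node.get(a) for a in ATTRS)

def shares_machine_key(configs):
    """True only if every config has an explicit, identical machineKey."""
    keys = [machine_key_of(c) for c in configs]
    return None not in keys and len(set(keys)) == 1

def with_machine_key(web_config_xml, key_element):
    """Return the web.config text with key_element set under <system.web>."""
    root = ET.fromstring(web_config_xml)
    sysweb = root.find("system.web")
    old = sysweb.find("machineKey")
    if old is not None:
        sysweb.remove(old)  # replace rather than duplicate the element
    sysweb.append(key_element)
    return ET.tostring(root, encoding="unicode")

# Constructed sample: the question's settings, with no explicit machineKey.
SAMPLE = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/LogOn" timeout="2880" domain=".mydomain" />
  </authentication>
  <httpCookies domain=".mydomain" requireSSL="false" />
</system.web></configuration>"""

if __name__ == "__main__":
    key = new_machine_key()
    sites = [with_machine_key(SAMPLE, key) for _ in range(2)]
    print("before:", shares_machine_key([SAMPLE, SAMPLE]))
    print("after: ", shares_machine_key(sites))
```

Treat the generated element as a secret: anyone holding these keys can produce authentication tickets both sites will accept.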