Cross-Application Forms Authentication

I've seen some confusion about how and whether you can have a user who has been "Forms-Authenticated" on one application or site be able to go to or be redirected to another application or site (or the "same" application on a web farm, which is essentially the same situation) and not have to re-authenticate.

ASP.NET 2.0 sports a new Forms Auth property, "EnableCrossAppRedirects". This can be set in the Forms Authentication web.config node, e.g.,

<forms enableCrossAppRedirects="true" />

The way this works is that the EnableCrossAppRedirects property is checked inside the RedirectFromLoginPage method when the return URL does not point to a page in the current application. If EnableCrossAppRedirects is true, the redirect to the other application is performed; if it is false, the browser is sent to the page named by the DefaultUrl property instead. Note what this switch does not do: the return URL normally arrives in the ReturnUrl query-string parameter of the login page, so once cross-application redirects are enabled, the only thing stopping a crafted login link from bouncing a freshly authenticated user to an arbitrary host is whatever validation of the return URL you add yourself.
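The decision described above, as an added example that is not the framework's code but a simplified Python model of it: the switch only decides whether a return URL outside the current application is followed at all. The trusted_apps allow-list of sibling applications is the extra check this example adds, since the framework provides none; the host names, paths and the redirect_target function are constructed for the demo.

```python
"""Model of the post-login redirect decision, with an allow-list of sibling apps.

Added example: a simplified Python model, not the framework's code. The
framework's switch only decides whether a return URL outside the current
application is followed at all; the trusted_apps allow-list is the extra check
this example adds. Hosts and paths below are constructed for the demo.
"""
import posixpath
from urllib.parse import urlsplit


def _app_prefix(app_path):
    """Application paths compare as a lower-case prefix that ends in '/'."""
    p = app_path.lower()
    return p if p.endswith("/") else p + "/"


def _in_app(norm_path, app_path):
    prefix = _app_prefix(app_path)
    return norm_path == prefix.rstrip("/") or norm_path.startswith(prefix)


def redirect_target(return_url, *, app_host, app_path, default_url,
                    enable_cross_app_redirects, trusted_apps=()):
    """Return (url, reason) for the redirect after a successful login.

    app_host/app_path identify the current application; trusted_apps is a list
    of (host, app_path) pairs for the other applications that share its cookie
    and machineKey settings.
    """
    parts = urlsplit(return_url)
    if not parts.scheme and not parts.netloc:
        # No scheme and no host: a site-relative or page-relative URL, resolved
        # against this application. Scheme-relative URLs (//host/...) carry a
        # netloc and therefore take the branch below.
        host = app_host.lower()
        path = parts.path if parts.path.startswith("/") else app_path.rstrip("/") + "/" + parts.path
    else:
        if parts.scheme.lower() not in ("", "http", "https"):
            return default_url, "unsupported scheme"
        host = parts.hostname or ""
        path = parts.path or "/"
    # Collapse ../ segments so "/app1/../other/" is judged by where the browser ends up.
    norm = posixpath.normpath(path.lower())

    if host == app_host.lower() and _in_app(norm, app_path):
        return return_url, "inside current application"
    if not enable_cross_app_redirects:
        return default_url, "cross-application redirect disabled"
    for t_host, t_path in trusted_apps:
        if host == t_host.lower() and _in_app(norm, t_path):
            return return_url, "trusted sibling application"
    return default_url, "target not in trusted applications"


if __name__ == "__main__":
    farm = [("intranet.example", "/hr")]
    for url in ("/page.aspx", "http://intranet.example/hr/page.aspx",
                "http://evil.example/steal", "//evil.example/steal"):
        print(url, "->", redirect_target(url, app_host="www.example.com", app_path="/",
                                         default_url="/default.aspx",
                                         enable_cross_app_redirects=True, trusted_apps=farm))
```

The allow-list is keyed on the same (host, application path) pairs whose web.config settings you have aligned; anything else falls back to DefaultUrl exactly as the disabled switch would.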

However, this is not sufficient to get you to "First Base". A ticket issued by one application is only accepted by another if both read it from the same cookie and can decrypt and validate it: the name, protection, and path attributes of the forms element must be identical across all applications (and the cookie must actually be sent to the other application, which for a different host name means setting the forms domain attribute to a common parent domain), and the machineKey validationKey, decryptionKey, and validation attributes must be identical too, set to explicit values rather than left at AutoGenerate. If the settings do not match, the cookie can't be shared, and cross-app authentication won't work.

Here is an example web.config snippet (the machineKey element is a sibling of authentication under system.web, not a child of it):

<system.web>
  <authentication mode="Forms">
    <!-- The name, protection, and path attributes must match
         exactly in each Web.config file. They are written out here
         at their default values so the configs can be compared
         side by side. -->
    <forms name=".ASPXAUTH"
           protection="All"
           path="/"
           loginUrl="login.aspx"
           timeout="30"
           enableCrossAppRedirects="true" />
  </authentication>

  <!-- Validation and decryption keys must exactly match and cannot
       be set to "AutoGenerate". The validation algorithm must also
       be the same. A decryptionKey attribute has to be set here as
       well; it is not shown. -->
  <machineKey validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D940"
              validation="SHA1" />
</system.web>
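The requirements listed above and the snippet they describe lend themselves to an automated check before you go hunting for a mismatch by hand. The following is an added example, not code from the post: it reads each application's (or farm node's) web.config and reports every setting that would stop the forms cookie from being shared. The configs at the bottom, the check_shared_auth function, and the hex keys are constructed placeholders for the demo, and the defaults it fills in for omitted attributes are the ASP.NET 2.0 ones.

```python
"""Check that several web.config files agree on the Forms Authentication
settings that let one application's auth cookie be accepted by another.

Added example, not code from the post. Each config is passed as a string
(in practice, the web.config of every application or farm node). The configs
at the bottom and the hex keys in them are constructed placeholders.
"""
import re
import xml.etree.ElementTree as ET

# <forms> attributes that must be identical everywhere, with their ASP.NET 2.0
# defaults: a value omitted in one config still matches one written out explicitly.
FORMS_DEFAULTS = {"name": ".ASPXAUTH", "protection": "All", "path": "/"}
# <machineKey> attributes that must be identical and set explicitly (2.0 defaults).
MACHINEKEY_DEFAULTS = {
    "validationKey": "AutoGenerate,IsolateApps",
    "decryptionKey": "AutoGenerate,IsolateApps",
    "validation": "SHA1",
}
HEX_KEY = re.compile(r"^[0-9A-Fa-f]+$")


def forms_auth_settings(config_xml):
    """Pull the settings that matter for cookie sharing out of one web.config."""
    root = ET.fromstring(config_xml)
    auth = root.find(".//authentication")
    forms = root.find(".//authentication/forms")
    mk = root.find(".//machineKey")
    s = {"mode": auth.get("mode") if auth is not None else None}
    for attr, default in FORMS_DEFAULTS.items():
        s["forms." + attr] = forms.get(attr, default) if forms is not None else default
    s["forms.enableCrossAppRedirects"] = (
        forms.get("enableCrossAppRedirects", "false").lower() if forms is not None else "false"
    )
    for attr, default in MACHINEKEY_DEFAULTS.items():
        s["machineKey." + attr] = mk.get(attr, default) if mk is not None else default
    return s


def check_shared_auth(configs, require_cross_app=True):
    """configs: {application name: web.config text}. Returns a list of problems; [] is OK."""
    problems = []
    parsed = {name: forms_auth_settings(xml) for name, xml in configs.items()}
    if not parsed:
        return problems

    # Per-application checks.
    for name, s in parsed.items():
        if s["mode"] != "Forms":
            problems.append(f"{name}: authentication mode is {s['mode']!r}, not Forms")
        if require_cross_app and s["forms.enableCrossAppRedirects"] != "true":
            problems.append(f"{name}: enableCrossAppRedirects is not true, so "
                            "RedirectFromLoginPage falls back to defaultUrl")
        for attr in ("validationKey", "decryptionKey"):
            key = s["machineKey." + attr]
            if key.startswith("AutoGenerate"):
                problems.append(f"{name}: machineKey {attr} is AutoGenerate; the key is "
                                "generated per machine/application and matches nowhere else")
            elif not HEX_KEY.match(key) or len(key) % 2:
                problems.append(f"{name}: machineKey {attr} is not an even-length hex string")
        vk = s["machineKey.validationKey"]
        if HEX_KEY.match(vk) and len(vk) < 40:
            problems.append(f"{name}: validationKey is shorter than 40 hex chars (20 bytes)")

    # Cross-application checks: everything but the redirect switch must agree.
    settings = [k for k in next(iter(parsed.values())) if k != "forms.enableCrossAppRedirects"]
    for setting in settings:
        values = {name: s[setting] for name, s in parsed.items()}
        if len(set(values.values())) > 1:
            problems.append(f"{setting} differs: "
                            + ", ".join(f"{n}={v!r}" for n, v in values.items()))
    return problems


# Constructed demo configs. The keys are obvious placeholders, not keys to reuse.
PLACEHOLDER_VALIDATION_KEY = "0123456789ABCDEF" * 8   # 128 hex chars
PLACEHOLDER_DECRYPTION_KEY = "FEDCBA9876543210" * 4   # 64 hex chars

CONFIG_APP1 = f"""<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="login.aspx" timeout="30" enableCrossAppRedirects="true" />
  </authentication>
  <machineKey validationKey="{PLACEHOLDER_VALIDATION_KEY}"
              decryptionKey="{PLACEHOLDER_DECRYPTION_KEY}" validation="SHA1" />
</system.web></configuration>"""

# Second application: path differs and decryptionKey was left at its default.
CONFIG_APP2 = f"""<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="login.aspx" timeout="30" path="/app2" enableCrossAppRedirects="true" />
  </authentication>
  <machineKey validationKey="{PLACEHOLDER_VALIDATION_KEY}" validation="SHA1" />
</system.web></configuration>"""

if __name__ == "__main__":
    for line in check_shared_auth({"app1": CONFIG_APP1, "app2": CONFIG_APP2}) or ["OK: settings agree"]:
        print(line)
```

Run against the two demo configs it reports the AutoGenerate decryptionKey in app2 and the path and decryptionKey mismatches between the two; against two copies of the same config (the web-farm case) it reports nothing. Pass require_cross_app=False when the applications share a cookie but never redirect between each other from the login page.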

I wrote an article about this a long time ago; it's still valid today. There is also a sample page that will generate a machineKey element for you here.