Forms Authentication Across Applications
ASP.NET supports forms authentication in a distributed environment, either across applications on a single server or in a Web farm. When forms authentication is enabled across multiple ASP.NET applications, users are not required to re-authenticate when switching between the applications.
Configuring Forms Authentication Across Applications
To configure forms authentication across applications, you set several attributes in the forms and machineKey configuration sections so that the values are the same for all applications participating in shared forms authentication.
The following example shows thesection of a Web.config file. Unless otherwise noted, the name, protection, path, validationKey, validation, decryptionKey, and decryption attributes must be identical across all applications. Similarly, the encryption and validation keys and the encryption scheme and validation scheme used for cookie data must be exactly the same. If the settings do not match, cookies cannot be shared.
Applications running ASP.NET version 2.0 can share forms authentication ticket information with earlier versions of ASP.NET provided you include decryption="3DES" in your machineKey element configuration for each ASP.NET version 2.0 application.
<configuration> <system.web> <authentication mode="Forms" > <!-- The name, protection, and path attributes must match exactly in each Web.config file. --> <forms loginUrl="login.aspx" name=".ASPXFORMSAUTH" protection="All" path="/" timeout="30" /> </authentication> <!-- Validation and decryption keys must exactly match and cannot be set to "AutoGenerate". The validation and decryption algorithms must also be the same. --> <machineKey validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE" decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F" validation="SHA1" /> </system.web> </configuration>
After a cookie has been issued, expiration of the cookie is tracked based on thevalue in the cookie itself. This means that if two applications have different attributes, the expiration date and time that was set when each cookie was originally issued are retained throughout the lifetime of the cookie. When a cookie is updated, the cookie's original expiration is used to compute the new expiration. The only time the configuration Timeout value is used is when the cookie is initially created.