ASP.NET
Forms Authentication Across Applications

Updated: July 2009

ASP.NET supports forms authentication in a distributed environment, either across applications on a single server or in a Web farm. When forms authentication is enabled across multiple ASP.NET applications, users are not required to re-authenticate when switching between the applications.

Configuring Forms Authentication Across Applications

To configure forms authentication across applications, you set attributes of the forms and machineKey sections of the Web.config file to the same values for all applications that are participating in shared forms authentication.

The following example shows the Authentication section of a Web.config file. Unless otherwise noted, the name, protection, path, validationKey, validation, decryptionKey, and decryption attributes must be identical across all applications. Similarly, the encryption and validation key values and the encryption scheme and validation scheme used for authentication tickets (cookie data) must be the same. If the settings do not match, authentication tickets cannot be shared. For information about how to generate values for the validationKey and decryptionKey attributes, see How To: Configure MachineKey in ASP.NET 2.0. (This topic applies to ASP.NET version 2.0 and to later versions.)

NoteNote:

Applications that run ASP.NET version 2.0 or later can share forms authentication ticket information with earlier versions of ASP.NET if you include decryption="3DES" in the machineKey element for each ASP.NET version 2.0 (or later) application.

<configuration>
  <system.web>
    <authentication mode="Forms" >
      <!-- The name, protection, and path attributes must match 
           exactly in each Web.config file. -->
      <forms loginUrl="login.aspx"
        name=".ASPXFORMSAUTH" 
        protection="All"  
        path="/" 
        domain="contoso.com" 
        timeout="30" />
    </authentication>

    <!-- Validation and decryption keys must exactly match and cannot
         be set to "AutoGenerate". The validation and decryption
         algorithms must also be the same. -->
    <machineKey
      validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE" 
      decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F" 
      validation="SHA1" />
  </system.web>
</configuration>
NoteNote:

You can omit the domain attribute of the forms tag if there is only one Web site on the server.

After an authentication ticket (cookie) has been issued, expiration of the cookie is tracked based on the Expires value in the cookie itself. If two applications have different Timeout attributes, the expiration date and original timestamp are retained through each cookie's lifetime. When a cookie is updated, the cookie's original expiration is used to compute the new expiration. The only time that the configuration Timeout value is used is when the cookie is initially created.
Forms Authentication and the Authentication Service

You can also authenticate users across applications by using the authentication service. The authentication service enables you to use forms authentication from any application that can send and consume messages in SOAP format. For more information, see Windows Communication Foundation Authentication Service Overview.
See Also

Tasks

How to: Implement Simple Forms Authentication

Other Resources

ASP.NET Web Application Security
Change History

Date

History

Reason

July 2009

Added a link to a topic that explains how to generate key values.

Customer feedback.

April 2009

Added domain attribute and a note about it.

Customer feedback.

Tags :


Community Content

artofthemix
If you need to generate a machine key, here's the code
Not sure why this article isn't cross referenced: http://msdn.microsoft.com/en-us/library/ms998288.aspx It has the code for generating the keys:

Generate Cryptographically Random Keys

To generate cryptographically random keys:

  • Use the RNGCryptoServiceProvider class to generate a cryptographically strong random number.
  • Choose an appropriate key size. The recommended key lengths are as follows:
    • For SHA1, set the validationKey to 64 bytes (128 hexadecimal characters).
    • For AES, set the decryptionKey to 32 bytes (64 hexadecimal characters).
    • For 3DES, set the decryptionKey to 24 bytes (48 hexadecimal characters).

The following code shows how to generate random key values. Compile the code to create a console application, and then pass the required key size as a command line argument expressed as the desired number of hexadecimal characters. Each byte is represented by two hexadecimal characters; therefore, to request a 32-byte key, pass 64 as a command line argument. If you do not specify an argument, the code returns a 128 hexadecimal character (64-byte) key.

C# Example

using System;
using System.Text;
using System.Security;
using System.Security.Cryptography;

class App {
  static void Main(string[] argv) {
    int len = 128;
    if (argv.Length > 0)
      len = int.Parse(argv[0]);
    byte[] buff = new byte[len/2];
    RNGCryptoServiceProvider rng = new 
                            RNGCryptoServiceProvider();
    rng.GetBytes(buff);
    StringBuilder sb = new StringBuilder(len);
    for (int i=0; i<buff.Length; i++)
      sb.Append(string.Format("{0:X2}", buff[i]));
    Console.WriteLine(sb);
  }
}

Visual Basic Example

Imports System
Imports System.Text
Imports System.Security
Imports System.Security.Cryptography

Module App
    Sub Main(ByVal argv() As String)
        Dim len As Integer = 128
        If argv.Length > 0 Then
            len = Integer.Parse(argv(0))
        End If
        Dim buff(len / 2) As Byte
        Dim rng As New RNGCryptoServiceProvider()
        rng.GetBytes(buff)
        Dim sb As New StringBuilder(len)
        Dim i As Integer
        For i = 0 To buff.Length - 1
            sb.Append(String.Format("{0:X2}", buff(i)))
        Next i
        Console.WriteLine(sb)
        Console.ReadLine()

    End Sub 'Main
End Module

Run the application two times, and then copy and paste the resulting keys into the <machineKey> element—one time for validationKey and the other time for decryptionKey.

Sharing Authentication Tickets Across Applications

If you need a single logon to work across multiple applications located in separate virtual directories, you need to share a common authentication ticket. To configure a common authentication ticket, you must manually generate validationKey and decryptionKey values and ensure that each application shares these values.

If you want to share tickets across all applications on your server you can set these manual values on the <machineKey> element in the machine level Web.config file. To share tickets across specific applications, you can use a <machineKey> element with common validationKey anddecryptionKey values in the relevant application's Web.config files.

Tags : cpubfix

Page view tracker