Forms Authentication Across Applications

ASP.NET supports forms authentication in a distributed environment, either across applications on a single server or in a Web farm. When forms authentication is enabled across multiple ASP.NET applications, users are not required to re-authenticate when switching between the applications.

Configuring Forms Authentication Across Applications

To configure forms authentication across applications, you set several attributes in the forms and machineKey configuration sections so that the values are the same for all applications participating in shared forms authentication.

The following example shows the Authentication section of a Web.config file. Unless otherwise noted, the name, protection, path, validationKey, validation, decryptionKey, and decryption attributes must be identical across all applications. Similarly, the encryption and validation keys and the encryption scheme and validation scheme used for cookie data must be exactly the same. If the settings do not match, cookies cannot be shared.


Applications running ASP.NET version 2.0 can share forms authentication ticket information with earlier versions of ASP.NET provided you include decryption="3DES" in your machineKey element configuration for each ASP.NET version 2.0 application.

    <authentication mode="Forms" >
      <!-- The name, protection, and path attributes must match 
           exactly in each Web.config file. -->
      <forms loginUrl="login.aspx"
        timeout="30" />

    <!-- Validation and decryption keys must exactly match and cannot
         be set to "AutoGenerate". The validation and decryption
         algorithms must also be the same. -->
      validationKey="[your key here]" 
      decryptionKey="[your key here]" 
      validation="SHA1" />

After a cookie has been issued, expiration of the cookie is tracked based on the Expires value in the cookie itself. This means that if two applications have different Timeout attributes, the expiration date and time that was set when each cookie was originally issued are retained throughout the lifetime of the cookie. When a cookie is updated, the cookie's original expiration is used to compute the new expiration. The only time the configuration Timeout value is used is when the cookie is initially created.

See Also