How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications
ASP.NET V1.0 introduced a powerful forms-authentication model that provides the infrastructure plumbing necessary to issue authentication tickets to incoming browsers as HTTP cookies, and then automatically decrypt them on each request so that you can identify who the incoming browser user is.
ASP.NET V2.0 has made this much more powerful and easier by providing built-in support for storing, managing and verifying username/password credentials using the new Membership system (so that you no longer need to manually create and validate usernames/passwords in a database). ASP.NET V2.0 also ships with a built-in role management system, as well as a suite of Login controls to enable you to declaratively authenticate and manage users on the system. This blog post I did from a few months ago goes into more detail on how easy it is to use this.
One of the questions I've been asked a few times is whether it is possible to share the forms-authentication ticket of a user between ASP.NET V1.0/V1.1 applications and ASP.NET V2.0 applications. Specifically, can you build a set of login/membership pages using ASP.NET V2.0 in a sub-application on a site (for example: www.mysite.com/login/), and then have the rest of the site (www.mysite.com, www.mysite.com/products, etc.), which is still running on ASP.NET V1.1, pick up the logged-in identity of the user when he or she browses those pages?
The good news is that you can. To enable the authentication identity to flow between the multiple applications (including different V1.1 and V2.0 ones), follow the below steps:
1) Make sure that you explicitly define the “validationKey” and “decryptionKey” attributes in the <machineKey /> section of your applications’ web.config files. By default, these are configured to AutoGenerate/IsolateApps – which ends up generating separate unique keys in each application (which means that the decryption algorithm will not be able to read a forms-authentication ticket issued by one application in another). When they all share the same key values, a cookie encrypted and validated by one application can be decrypted and validated by each of the others.
2) In your ASP.NET 2.0 application(s), you’ll also then need to add the new “decryption” attribute to the <machineKey /> element and set its value to “3DES”. By default, ASP.NET V2.0 uses a new (stronger) encryption/decryption algorithm. Changing the value to “3DES” will have it revert to the older V1 behavior and allow the cookies to be shared.
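Putting the two steps together, here is what the relevant web.config fragments look like for the V1.1 applications and for the V2.0 login sub-application. This is an added example, not configuration from the original post; the key values are placeholders (not real keys), and the cookie name, login URLs and paths are assumptions chosen to match the www.mysite.com/login/ scenario above.

```xml
<!-- web.config for the ASP.NET V1.1 applications (e.g. www.mysite.com and /products) -->
<configuration>
  <system.web>
    <!-- Step 1: explicit, identical keys in every application that must read the ticket.
         The values below are placeholders for this example, not real keys. Generate them
         as random hex with a cryptographic RNG: validationKey 40-128 hex characters,
         decryptionKey 48 hex characters (a 24-byte 3DES key). -->
    <machineKey
      validationKey="REPLACE_WITH_THE_SAME_128_HEX_CHARS_IN_EVERY_APP"
      decryptionKey="REPLACE_WITH_THE_SAME_48_HEX_CHARS_IN_EVERY_APP"
      validation="SHA1" />
    <authentication mode="Forms">
      <!-- Same cookie name and a root path in every application, so the browser
           sends the ticket issued by /login/ along with requests to the rest of the site. -->
      <forms name=".ASPXAUTH" loginUrl="/login/Login.aspx" path="/" />
    </authentication>
  </system.web>
</configuration>

<!-- web.config for the ASP.NET V2.0 login sub-application (www.mysite.com/login/) -->
<configuration>
  <system.web>
    <!-- Step 2: the same keys as above, plus decryption="3DES" so that V2.0 encrypts
         the ticket in the form the V1.1 applications can decrypt. -->
    <machineKey
      validationKey="REPLACE_WITH_THE_SAME_128_HEX_CHARS_IN_EVERY_APP"
      decryptionKey="REPLACE_WITH_THE_SAME_48_HEX_CHARS_IN_EVERY_APP"
      validation="SHA1"
      decryption="3DES" />
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="Login.aspx" path="/" />
    </authentication>
  </system.web>
</configuration>
```

The `<forms>` elements are not part of the post's two steps; they are shown because the applications must also agree on the cookie name, and a ticket issued with a cookie path narrower than `/` would never be sent to the other applications in the first place. A quick check after deploying: sign in through the V2.0 login pages, then request a page in a V1.1 application and confirm that `User.Identity.IsAuthenticated` is true and `User.Identity.Name` matches the account you signed in with; if it is false, the keys or the `decryption` attribute differ between the applications.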
Hope this helps,
Scott
P.S. Thanks and credit go to Stefan on my team for sending me the exact steps needed above.