Republished With Permission - Original Article
ASP.NET V1.0 introduced a powerful forms-authentication
model that provides the infrastructure plumbing necessary to issue
authentication tickets to incoming browsers as HTTP cookies, and then
automatically decrypt them on each request so that you can identify who the
incoming browser user is.
ASP.NET V2.0 has made this much more powerful and easier by
providing built-in support for storing, managing and verifying
username/password credentials using the new Membership system (so that you no
longer need to manually create and validate usernames/passwords in a
database). ASP.NET V2.0 also ships with a built-in role management system, as
well as a suite of Login controls to enable you to declaratively authenticate
and manage users on the system. This blog
post I wrote a few months ago goes into more detail on how easy it is to
use this.
One of the questions I've been asked a few times is whether
it is possible to share the forms-authentication ticket of a user between
ASP.NET V1.0/V1.1 applications and ASP.NET V2.0 applications. Specifically,
can you build a set of login/membership pages using ASP.NET V2.0 in a
sub-application on a site (for example: www.mysite.com/login/),
and then have the rest of the site (www.mysite.com,
www.mysite.com/products, etc.),
which is still running on ASP.NET V1.1, pick up the logged-in identity of the user
when he or she browses those pages.
The good news is that you can. To enable the authentication
identity to flow between the multiple applications (including different V1.1
and V2.0 ones), follow the below steps:
1) Make sure that you explicitly define the “validationKey”
and “decryptionKey” attributes in the <machineKey /> section of your
applications’ web.config files. By default, these are configured to
AutoGenerate/IsolateApps, which generates separate unique keys in
each application (so the decryption algorithm in one application cannot
decrypt a forms-authentication ticket issued by another).
When they all share the same key values, each application can
encrypt, decrypt and validate the cookie values issued by the others.
2) In your ASP.NET 2.0 application(s), you will also need
to add the new “decryption” attribute to the <machineKey /> element and
set its value to “3DES”. By default, ASP.NET V2.0 uses a new (stronger)
encryption/decryption algorithm. Changing the value to “3DES” makes it
revert to the older V1 behavior and allows the cookies to be shared.
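As an added illustration (not part of Scott's original post), here are the two web.config shapes the steps above produce: one for each V1.1 application and one for the V2.0 login application. The key values are placeholders to be replaced with your own randomly generated hex strings, and the <forms> element values (cookie name, path, loginUrl) are assumptions chosen to match the www.mysite.com/login/ layout described above.

```xml
<!-- (A) web.config of each ASP.NET V1.1 application (www.mysite.com, /products, ...) -->
<configuration>
  <system.web>
    <!-- Step 1: explicit, identical keys in every application's web.config.
         validationKey: 40 to 128 hex characters (use the full 128 = 64 random bytes).
         decryptionKey: 48 hex characters for 3DES (24 random bytes).
         PLACEHOLDER values shown; generate your own with a cryptographic RNG
         and keep production keys out of source control. -->
    <machineKey
      validationKey="PLACEHOLDER_128_HEX_CHARS"
      decryptionKey="PLACEHOLDER_48_HEX_CHARS"
      validation="SHA1" />
    <!-- Assumed: the cookie name and path are the same in every application,
         otherwise the browser will not present the login app's cookie to the others
         (the V1.1 and V2.0 defaults shown here are already identical).
         loginUrl is a hypothetical page inside the V2.0 login sub-application. -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" path="/" loginUrl="/login/default.aspx" />
    </authentication>
  </system.web>
</configuration>

<!-- (B) web.config of the ASP.NET V2.0 login application (www.mysite.com/login/) -->
<configuration>
  <system.web>
    <!-- Same keys as in (A), plus Step 2: decryption="3DES".
         Without it V2.0 uses its default algorithm (AES) and the V1.1
         applications cannot decrypt the ticket. Do not add this attribute to
         the V1.1 files: V1.1 does not recognise it and will fail to load. -->
    <machineKey
      validationKey="PLACEHOLDER_128_HEX_CHARS"
      decryptionKey="PLACEHOLDER_48_HEX_CHARS"
      validation="SHA1"
      decryption="3DES" />
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" path="/" loginUrl="default.aspx" />
    </authentication>
  </system.web>
</configuration>
```

Once every application carries the same keys, a quick check is to log in under /login/ and then request a protected V1.1 page; if it redirects back to the login page, compare the two <machineKey> and <forms> elements character by character.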
Hope this helps,
Scott
P.S. Thanks and credit go to Stefan on my team for sending
me the exact steps needed above.