Tuesday, February 3, 2009

Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications



This blog post summarizes how to share authentication cookies across ASP.NET V1.1 and ASP.NET V2.0 applications.



The Forms-authentication model has a powerful security structure: it provides the infrastructure plumbing necessary to issue authentication tickets to incoming browsers as HTTP cookies, and then automatically decrypts them on each request so that you can identify who the incoming browser user is.


Problem –


With the above approach, there is always a problem sharing the Forms-authentication ticket when the pages are accessed across multiple applications.



How to Fix This –


Fixing this is pretty easy. Access the link



One more Problem –


The above fix will not work if the applications are developed using ASP.NET V1.1 and ASP.NET V2.0 separately.


For example, you build a set of login/membership pages using ASP.NET V2.0 in one application, while the rest of the sub-site is still running on ASP.NET V1.1.



How to Fix This –


Fixing this requires one more step.


· Same as above. Access the link

· In your ASP.NET 2.0 application(s), you’ll also then need to add the new “decryption” attribute to the <machineKey /> element and set its value to be “3DES”. By default, ASP.NET V2.0 uses a new (stronger) encryption/decryption algorithm. Changing the value to be “3DES” will have it revert back to the older V1 behavior and allow the cookies to be shared.
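The check below is an added example, not code from the original post: it parses two constructed web.config fragments (placeholder key values) and reports why a V1.1 and a V2.0 application would fail to share the forms-authentication cookie. The function names and sample configs are assumptions for illustration; the AutoGenerate and `<forms>` name/protection/path comparisons go beyond the step described above.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config; key values are placeholders, not real keys.
TEMPLATE = """<configuration><system.web>
  <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_HEX"
              decryptionKey="PLACEHOLDER_DECRYPTION_KEY_HEX"
              validation="SHA1"%s />
  <authentication mode="Forms">
    <forms name=".ASPXAUTH" protection="All" path="/" />
  </authentication>
</system.web></configuration>"""
V11_CONFIG = TEMPLATE % ""                   # ASP.NET V1.1 application
V20_DEFAULT = TEMPLATE % ""                  # V2.0 app with only the keys copied
V20_FIXED = TEMPLATE % ' decryption="3DES"'  # V2.0 app with the extra step

def _attrs(root, tag):
    """Attributes of the first <tag> element, or {} if it is absent."""
    node = next(root.iter(tag), None)
    return dict(node.attrib) if node is not None else {}

def sharing_problems(v11_xml, v20_xml):
    """List the reasons the two apps cannot read each other's auth cookie."""
    r11, r20 = ET.fromstring(v11_xml), ET.fromstring(v20_xml)
    mk11, mk20 = _attrs(r11, "machineKey"), _attrs(r20, "machineKey")
    problems = []
    for name in ("validationKey", "decryptionKey", "validation"):
        a, b = mk11.get(name), mk20.get(name)
        if not a or not b:
            problems.append("machineKey %s is not set explicitly" % name)
        elif a != b:  # report the attribute name only, never the key value
            problems.append("machineKey %s differs" % name)
        elif "AutoGenerate" in a:
            problems.append("machineKey %s is auto-generated per app" % name)
    # V2.0 only: without decryption="3DES" it uses its newer default algorithm.
    if mk20.get("decryption", "Auto") != "3DES":
        problems.append('V2.0 machineKey needs decryption="3DES"')
    f11, f20 = _attrs(r11, "forms"), _attrs(r20, "forms")
    for name, default in (("name", ".ASPXAUTH"), ("protection", "All"), ("path", "/")):
        if f11.get(name, default) != f20.get(name, default):
            problems.append("forms %s differs" % name)
    return problems

if __name__ == "__main__":
    print(sharing_problems(V11_CONFIG, V20_DEFAULT))
    print(sharing_problems(V11_CONFIG, V20_FIXED))
```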



Hope this helps.


Arun Manglick

