Applications sharing Forms Authentication

  • Thread starter: Sebastian

Sebastian

Hello,
I am attempting to share forms authentication between two applications
but running into problems. The documentation I've been able to dig up
says (to summarize) if the Web.Config settings are the same between
the apps they should work happily together. The only difference I have
between the apps Web.Config settings is their <forms> loginUrl, which
isn't supposed to make a difference.

App1 Web.Config:
<authentication mode="Forms">
<forms name="AuthenticationCookie"
loginUrl="login.aspx"
protection="All"
timeout="30"
path="/"/>
</authentication>

App2 Web.Config:
<authentication mode="Forms">
<forms name="AuthenticationCookie"
loginUrl="/App1/login.aspx"
protection="All"
timeout="30"
path="/"/>
</authentication>

You'll note that the only change is loginUrl for App2 is updated to
point to the login form of App1.

Both apps have the same <authorization> tag:
<authorization>
<deny users="?" /> <!-- Deny anonymous (unauthenticated) users -->
</authorization>

Neither app is set to encrypt the cookie data.

The problem is that I never get sent back to the calling page in App2.
The return url is correct (as seen in the address bar of the browser
after being redirected to the login page). But after being
authenticated, I just get redirected to the login page again. Login
failures are being handled correctly, so I know I'm typing the
username/password correctly.

Any thoughts?
 
This is because you are being authenticated in App1, not App2. AFAIK, you can't
run two sessions in the same browser window. If you used Windows Integrated
security, you could negate this issue altogether, but that of course depends
on your configuration, i.e. are these people all on a local NT network?
 
Perhaps since I'm not defining a <machineKey> the validationKey is being
set to "autogenerate" making the second app unable to decrypt the cookie
data the first app is creating.

-Seb.
 
That does look to be the issue. When I explicitly set the machineKey to
the same values in both Web.Config files, everything works fine. Does
anyone know if there is a way to auto-generate keys so the two apps can
share Forms Authentication w/o having to set the machineKey explicitly?
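
An added example, not code from the thread or from ASP.NET: a Python helper that generates one `<machineKey>` element to paste into both Web.config files and checks that two configs agree on everything the shared ticket depends on (`loginUrl` is deliberately ignored). The function names, the key sizes, `validation="SHA1"` and the sample configs are assumptions constructed for illustration.

```python
import secrets
import xml.etree.ElementTree as ET

SHARED = ("name", "protection", "path")                   # <forms> attributes
KEYED = ("validationKey", "decryptionKey", "validation")  # <machineKey> attributes

def new_machine_key(validation_bytes=64, decryption_bytes=24):
    """Return a <machineKey> element with fresh random hex keys.
    Key sizes and validation="SHA1" are assumptions; match your ASP.NET version."""
    return '<machineKey validationKey="{}" decryptionKey="{}" validation="SHA1"/>'.format(
        secrets.token_hex(validation_bytes).upper(),
        secrets.token_hex(decryption_bytes).upper())

def auth_settings(web_config_xml):
    """Collect the settings both applications must agree on."""
    root = ET.fromstring(web_config_xml)
    forms = root.find(".//authentication/forms")
    key = root.find(".//machineKey")
    settings = {a: forms.get(a) if forms is not None else None for a in SHARED}
    # A missing <machineKey> means the inherited (auto-generated) default applies.
    settings.update({a: key.get(a) if key is not None else None for a in KEYED})
    return settings

def sharing_problems(config_a, config_b):
    """List reasons a ticket issued by one app would be rejected by the other."""
    a, b = auth_settings(config_a), auth_settings(config_b)
    problems = []
    for attr in SHARED + KEYED:
        values = (a[attr], b[attr])
        if attr.endswith("Key") and any(
                v is None or "autogenerate" in v.lower() for v in values):
            problems.append(attr + ": not set explicitly in both apps")
        elif values[0] != values[1]:
            problems.append(attr + ": values differ")
    return problems

def web_config(login_url, machine_key=""):
    """Constructed sample modelled on the thread's App1/App2 settings."""
    return """<configuration><system.web>
  <authentication mode="Forms">
    <forms name="AuthenticationCookie" loginUrl="{}"
           protection="All" timeout="30" path="/"/>
  </authentication>
  {}
</system.web></configuration>""".format(login_url, machine_key)

if __name__ == "__main__":
    key = new_machine_key()
    print(sharing_problems(web_config("login.aspx"), web_config("/App1/login.aspx")))
    print(sharing_problems(web_config("login.aspx", key), web_config("/App1/login.aspx", key)))
```

Generate the element once, place the same element under `<system.web>` in both applications, and treat the key values as secrets: anyone who holds them can produce tickets that both applications accept.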
 
Fair point, I know I have tried this in the past and didn't think this was
possible, so you have taught me something.
 