Forms authentication across multiple applications and framework versions



I have several applications that use forms authentication and they are
currently setup to use a single login page. Everything works fine under v1.0
of the framework and everything works fine if I have all applications
running under v1.1.

However, I need the login page and a few apps to be running under using v1.0
with other applications running under v1.1. Now my authentication cookie is
no longer being accepted anywhere other than by the v1.0 applications. The
path, name, and protection attributes for <forms> are identical in all
application. I've tried using an explicit <machinekey> and removing the
"isolateapps" attribute in the v1.1 machine.configs. Am I missing anything
else? I just consently get redirected back to the login page. Any help
would be appreciated thanks.

Here is what my web.config looks like in all applications.
<authentication mode="Forms">
<forms loginUrl="/Login/login.aspx"

I've tried using both:
<machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate"

and explicitly defining the key in all apps.





I have experienced same thing... I believe it is a security hole in 1.0 that
microsoft closed. we do almost the same thing you are talking about. my
co-worker and i debugged for days until he said, I did install this new
application... well, the new application installed .netF1.1 and when we
uninstalled it he was working again. I have yet to upgrade all of our apps
to 1.1 until I figure out a solution. I swear I read it somewhere either on
msdn or about this security tightening in forms authentication
between projects/virtual directories... -p

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question