How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

ASP.NET V1.0 introduced a powerful forms-authentication model that provides the infrastructure plumbing necessary to issue authentication tickets to incoming browsers as HTTP cookies, and then automatically decrypt them on each request so that you can identify who the incoming browser user is.

ASP.NET V2.0 has made this much more powerful and easier by providing built-in support for storing, managing and verifying username/password credentials using the new Membership system (so that you no longer need to manually create and validate usernames/passwords in a database).  ASP.NET V2.0 also ships with a built-in role management system, as well as a suite of Login controls to enable you to declaratively authenticate and manage users on the system.  A blog post I wrote a few months ago goes into more detail on how easy this is to use.

One of the questions I've been asked a few times is whether it is possible to share the forms-authentication ticket of a user between ASP.NET V1.0/V1.1 applications and ASP.NET V2.0 applications.  Specifically, can you build a set of login/membership pages using ASP.NET V2.0 in a sub-application on a site (for example: www.mysite.com/login/), and then have the rest of the site (www.mysite.com, www.mysite.com/products, etc.), which is still running on ASP.NET V1.1, pick up the logged-in identity of the user when he or she browses those pages?

The good news is that you can.  To enable the authentication identity to flow between the multiple applications (including different V1.1 and V2.0 ones), follow the steps below:

1) Make sure that you explicitly define the “validationKey” and “decryptionKey” attributes in the <machineKey /> section of your applications’ web.config files.  By default, these are configured to AutoGenerate/IsolateApps, which will end up generating separate unique keys in each application (which means that one application will not be able to decrypt a forms-authentication ticket issued by another).  By having them all share the same key values, the applications can encrypt, decrypt and validate cookie values issued by each other.

2) In your ASP.NET 2.0 application(s), you’ll also then need to add the new “decryption” attribute to the <machineKey /> element and set its value to be “3DES”.  By default, ASP.NET V2.0 uses a new (stronger) encryption/decryption algorithm.  Changing the value to be “3DES” will have it revert back to the older V1 behavior and allow the cookies to be shared.

Hope this helps,

Scott

P.S. Thanks and credit go to Stefan on my team for sending me the exact steps needed above.

 

Published Saturday, December 10, 2005 7:36 PM by ScottGu
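
A way to check the two steps above against a pair of web.config files, as an added example that is not part of the original post. The key strings and config samples are constructed placeholders, `machine_key` and `check_shared_ticket` are hypothetical helper names, and the `<configuration>` element is assumed to carry no xmlns.

```python
import xml.etree.ElementTree as ET

# Constructed placeholder keys (hex); never deploy these values.
VKEY = "0123456789ABCDEF" * 8   # 128 hex characters
DKEY = "FEDCBA9876543210" * 3   # 48 hex characters = 24 bytes, a 3DES key

# Constructed web.config samples; assumes <configuration> has no xmlns.
V11_CONFIG = f"""<configuration><system.web>
  <machineKey validationKey="{VKEY}" decryptionKey="{DKEY}" validation="SHA1" />
</system.web></configuration>"""

V20_CONFIG = f"""<configuration><system.web>
  <machineKey validationKey="{VKEY}" decryptionKey="{DKEY}"
              validation="SHA1" decryption="3DES" />
</system.web></configuration>"""

V20_DEFAULT = "<configuration><system.web /></configuration>"  # nothing set

AUTO = "AutoGenerate,IsolateApps"  # the default named in step 1


def machine_key(config_xml):
    """Return the <machineKey> attributes, or {} when the element is absent."""
    node = ET.fromstring(config_xml).find("system.web/machineKey")
    return dict(node.attrib) if node is not None else {}


def check_shared_ticket(v11_xml, v20_xml):
    """List reasons a ticket issued by one app would be rejected by the other."""
    v11, v20 = machine_key(v11_xml), machine_key(v20_xml)
    problems = []
    for attr in ("validationKey", "decryptionKey"):
        a, b = v11.get(attr, AUTO), v20.get(attr, AUTO)
        if "AutoGenerate" in a or "AutoGenerate" in b:
            problems.append(f"{attr}: auto-generated, set it explicitly in both apps")
        elif a.upper() != b.upper():
            problems.append(f"{attr}: value differs between the two apps")
    if v20.get("decryption", "Auto") != "3DES":
        problems.append('decryption: the V2.0 app needs decryption="3DES"')
    if "decryption" in v11:
        problems.append("decryption: V1.1 does not recognize this attribute")
    return problems


if __name__ == "__main__":
    for label, cfg in (("explicit", V20_CONFIG), ("default", V20_DEFAULT)):
        print(label, check_shared_ticket(V11_CONFIG, cfg) or "OK")
```

The last check reflects the point raised in the comments below: a V1.1 application that inherits a `<machineKey>` carrying the `decryption` attribute does not recognize it.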

Comments

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Monday, December 12, 2005 5:03 AM by rban
Your article is indeed very helpful.

Thank you.

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Tuesday, December 13, 2005 2:46 AM by thanks
Yes, very helpful. I read each of your articles,
but sometimes I find some words very difficult.
My English is not very good.

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Thursday, December 22, 2005 1:54 PM by andrew
I kept getting the System.InvalidOperationException: Client found response content type of '', but expected 'text/xml'. error when trying to share the forms authentication cookie from my ASP.Net 1.1 web app with the Reporting Services 2005 web service (in forms auth mode). The new decryption attribute in 2.0 was the key. Thanks so much for the info!

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Wednesday, July 26, 2006 4:07 PM by Mike
Nested 1.1 virtual applications do not recognize the new decrypt attribute in the parent 2.0 web.config. Can you configure 1.1 apps to ignore the parent 2.0 web.config?

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Friday, July 28, 2006 9:46 PM by ScottGu

Hi Mike,

Unfortunately you can't cause 1.1 apps to ignore attributes within parent web.config files.

What you could do, though, is add a location directive to the machine.config or root web.config for ASP.NET 2.0 to set this value at the app-level.  Since V1.1 uses a separate machine.config file it won't see this and as such won't have a problem.

Hope this helps,

Scott

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Monday, July 31, 2006 2:56 PM by Mike
Thanks. I updated the root 2.0 app with the following: The 1.1 sub-directory app now successfully ignores the decrypt attribute, but unfortunately throws the following exception: System.Security.Cryptography.CryptographicException: Bad Data. The key strings are identical in both web.configs. Anyone else seeing this problem?

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Friday, August 25, 2006 8:05 PM by ScottGu

Hi Stuart,

It will work with two subdomains.  For example:

www.domain.com

subdomain.domain.com

But I don't think you can get it to work across two different top-level domains without writing your own SSO (single sign-on) like solution.  The reason for this is because cookies are persisted per-domain by browsers.

Hope this helps,

Scott

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Thursday, August 31, 2006 1:15 PM by Vikas
I am testing the sso scenario with form authentication for 1.1 & 2.0 apps. I am using the same key and 3des algo between all these applications. Applications with 1.1 work but the 2.0 application is not even able to see the cookie. I must be missing something. Any idea?

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Tuesday, September 19, 2006 3:10 AM by FirozB
Hi Scott, Is it possible to share this authentication cookie with web services on another PC, for an Intranet application using forms authorisation? I originally thought that I would have to use some kind of token issuing mechanism, but after reading this, there may be no need to. What are your thoughts?

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Wednesday, September 20, 2006 12:08 AM by ScottGu

Hi Firoz,

Unfortunately I don't think there is any way to do what you are after with sharing the cookie.  A client application consuming the web-service could retrieve and then re-use the cookie to access another web-service on a different machine.  But I don't see a way to re-use the client cookie across two separate client machines.

Hope this helps,

Scott

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Thursday, November 16, 2006 12:38 PM by Rahul

Hi Scott,

How to share cookies between Classical ASP, ASP 1.1 & ASP 2.0? I want to slowly migrate my application (developed in both classical ASP and ASP 1.1) to ASP.NET 2.0? Can you please help me?

Regards,

Rahul

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Friday, November 17, 2006 10:47 AM by ScottGu

Hi Rahul,

You should be able to share cookies across ASP and ASP.NET sites just fine.  Just make sure that the path for the cookie is set to the "/" level to make sure it will be transferred by the browser to all pages under the site.

You can then use the Request.Cookies collection to read them.

Thanks,

Scott

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Sunday, November 26, 2006 10:04 PM by Leo

Hi Scott,

How about using this technique while cookies are disabled?

Leo

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Monday, November 27, 2006 5:21 PM by Steven

Scott,

I did this and it works great for integrating our 1.1 Authentication ticket to the 2.0 Web Application.  But the strange thing is when I set the decryption to "3DES", it breaks my Page.SetFocus() {Javascript error object not found} and client side Required Validators now post back, and then display the error.  If I set the decryption to Auto, my client side scripts now work, but I can't Authenticate.  Any ideas?

Thanks, Steven

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Sunday, December 24, 2006 11:23 AM by Markus

Scott,

Works perfectly. Thanks a lot for your great blog.

Markus

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Sunday, January 14, 2007 5:01 PM by ScottGu

Hi Ameya,

You can use the Request.Cookies and Response.Cookies collections to read/write HTTP cookies from ASP.NET.  If you have an SAP application on the same domain as ASP.NET, then you can share cookies that way.

Hope this helps,

Scott

# How To Share Authentication Cookies across Classic ASP and ASP.NET V2.0 Applications

Thursday, February 1, 2007 4:47 PM by Robert

Is there a way to share Authentication Cookies across Classic ASP and ASP.NET 2.0 Applications?

We have a login interface built in Classic ASP and quite a few applications are using that interface. What is the best way to let my ASP.NET 2.0 app know that this user was authenticated by the Classic ASP login interface? Thanks.

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Thursday, February 1, 2007 7:14 PM by Geoff Van Brunt

Hi Scott,

I've been a reader of your blog for some time now, and it's by far the best resource on things asp.net on the net. Keep up the good work, it's appreciated.

I've got a question that is related to sharing cookies. In this case both apps are .net 2.0, but I want to share the login page as well as the cookies between them. In other words, I only want one app to have the login page. It saves copying the page from application to application every time it is modified. Is it even possible?

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Sunday, February 4, 2007 6:17 PM by ScottGu

Hi Robert,

If you are using IIS6, then it is possible to share the ASP and ASP.NET authentication ticket - and have ASP.NET 2.0 perform login and authentication management for both sets of pages.

Stefan's ASP.NET security book has the best details on how to do this: http://www.amazon.com/exec/obidos/ASIN/0764596985/ref=nosim/theplanningsh-20

That might be the easiest way to get up to speed on how to achieve it.

Hope this helps,

Scott

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Sunday, February 4, 2007 6:35 PM by ScottGu

Hi Geoff,

You can share the authentication ticket just fine as long as both applications are under the same site name domain (that way the client will send the same cookie to both).

ASP.NET by default sets the path of the authentication ticket to "/" - which means that by default it will work across both applications.

Hope this helps,

Scott

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Monday, February 12, 2007 6:32 PM by Ashish Gupta

Hi Scott,

We have a classic asp app and a .net app. The user logs into the application using the asp application's login page, which then sets some cookies and session transfer data in the database to access the .net application. The .net app also sets a forms authentication cookie when accessed.

I wrote code on the classic asp side to delete all cookies on the logoff.asp page. It's deleting all the cookies except the forms authentication cookie.

Is it not possible to delete the forms authentication cookie from the asp side?

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Tuesday, February 13, 2007 6:20 PM by Ashish Gupta

Don't bother about my last post regarding deleting the forms authentication cookie. I figured it out.

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Tuesday, March 13, 2007 10:20 PM by Mike

I am writing two applications that together will be used on one site.  The first app is the back-end (CMS, administration, etc) that will make changes to the CMS database, etc.  The second app will be the front-end app, which will display the CMS data, etc.  I'd like to enable users of the admin site to be able to log in and then return and browse the main site.  When they're logged in as "admins" and they browse the main web site, it should display various choices that normal anonymous browsers wouldn't see.  So assuming I set up both apps to use the same membership database and use the same applicationName this should be possible based on the role that the user is in, right?

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Monday, March 19, 2007 3:19 AM by ScottGu

Hi Mike,

Yes - you should be able to accomplish what you are after above as long as you use the same membership database and applicationName.  If you want users to be able to log into one application and then immediately navigate to another, you'll also want/need to make sure the authentication ticket is shared across both apps.

Thanks,

Scott