How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

ASP.NET V1.0 introduced a powerful forms-authentication model that provides the infrastructure plumbing necessary to issue authentication tickets to incoming browsers as HTTP cookies, and then automatically decrypt them on each request so that you can identify who the incoming browser user is.

ASP.NET V2.0 has made this much more powerful and easier by providing built-in support for storing, managing and verifying username/password credentials using the new Membership system (so that you no longer need to manually create and validate usernames/passwords in a database).  ASP.NET V2.0 also ships with a built-in role management system, as well as a suite of Login controls to enable you to declaratively authenticate and manage users on the system.  A blog post I wrote a few months ago goes into more detail on how easy this is to use.

One of the questions I've been asked a few times is whether it is possible to share the forms-authentication ticket of a user between ASP.NET V1.0/V1.1 applications and ASP.NET V2.0 applications.  Specifically, can you build a set of login/membership pages using ASP.NET V2.0 in a sub-application on a site (for example: www.mysite.com/login/), and then have the rest of the site (www.mysite.com, www.mysite.com/products, etc.), which is still running on ASP.NET V1.1, pick up the logged-in identity of the user when he or she browses those pages?

The good news is that you can.  To enable the authentication identity to flow between the multiple applications (including different V1.1 and V2.0 ones), follow the steps below:

1) Make sure that you explicitly define the “validationKey” and “decryptionKey” attributes in the <machineKey /> section of your applications’ web.config files.  By default, these are configured to AutoGenerate/IsolateApps – which will end up generating separate unique keys in each application (which means that a forms-authentication ticket issued by one application cannot be decrypted in another).  By having them all share the same key values, the applications can encrypt, decrypt and validate each other's cookie values.

2) In your ASP.NET 2.0 application(s), you’ll also then need to add the new “decryption” attribute to the <machineKey /> element and set its value to be “3DES”.  By default, ASP.NET V2.0 uses a new (stronger) encryption/decryption algorithm.  Changing the value to be “3DES” will have it revert back to the older V1 behavior and allow the cookies to be shared.

Hope this helps,

Scott

P.S. Thanks and credit go to Stefan on my team for sending me the exact steps needed above.

 

Published Saturday, December 10, 2005 7:36 PM by ScottGu
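
A consistency check for the two steps above, as an added example that is not part of the original post: it reads each application's web.config and reports what would stop a forms-authentication ticket from being shared. The function names, the runtime labels, the application paths and the placeholder key values are assumptions constructed for this example, it only looks at keys set in each application's own web.config, and the V1.1 finding reflects what readers report in the comments below.

```python
import xml.etree.ElementTree as ET

def machine_key(web_config_xml):
    """Return the <machineKey> attributes as a dict ({} if the element is absent)."""
    for el in ET.fromstring(web_config_xml).iter():
        # Compare local names so a namespaced <configuration> root also works.
        if el.tag.rsplit("}", 1)[-1] == "machineKey":
            return dict(el.attrib)
    return {}

def audit(apps):
    """apps maps a name to (runtime, web.config text); runtime is "1.1" or "2.0".
    Returns (app, problem) findings; an empty list means the tickets can be shared."""
    findings, explicit = [], {"validationKey": {}, "decryptionKey": {}}
    for name, (runtime, xml_text) in apps.items():
        mk = machine_key(xml_text)
        for attr in explicit:
            # An unset attribute falls back to the AutoGenerate default from step 1.
            value = mk.get(attr, "AutoGenerate,IsolateApps")
            if "autogenerate" in value.lower():
                findings.append((name, attr + " is auto-generated, not explicit"))
            else:
                explicit[attr][name] = value.upper()  # hex, so case-insensitive
        decryption = mk.get("decryption")
        if runtime == "2.0" and (decryption or "").upper() != "3DES":
            findings.append((name, 'V2.0 app needs decryption="3DES"'))
        if runtime == "1.1" and decryption is not None:
            findings.append((name, "V1.1 does not recognize the decryption attribute"))
    for attr, by_app in explicit.items():
        if len(set(by_app.values())) > 1:
            findings.append(("*", attr + " differs between applications"))
    return findings

# Constructed sample input: placeholder keys, not real key material.
VKEY, DKEY = "A1" * 64, "B2" * 24

def web_config(machine_key_attrs):
    inner = "<machineKey %s />" % machine_key_attrs if machine_key_attrs else ""
    return "<configuration><system.web>%s</system.web></configuration>" % inner

KEYS = 'validationKey="%s" decryptionKey="%s"' % (VKEY, DKEY)
SAMPLE = {
    "/": ("1.1", web_config(KEYS)),
    "/login": ("2.0", web_config(KEYS)),      # missing decryption="3DES"
    "/products": ("1.1", web_config("")),     # no <machineKey>: defaults apply
}
FIXED = {
    "/": ("1.1", web_config(KEYS)),
    "/login": ("2.0", web_config(KEYS + ' decryption="3DES"')),
    "/products": ("1.1", web_config(KEYS)),
}

if __name__ == "__main__":
    for app, problem in audit(SAMPLE):
        print(app, "->", problem)
    print("fixed:", audit(FIXED) or "no findings")
```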

Comments

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Monday, December 12, 2005 5:03 AM by rban
Your article is indeed very helpful.

Thank you.

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Tuesday, December 13, 2005 2:46 AM by thanks
Yes, very helpful. I read each of your articles,
but sometimes I find some words very difficult.
My English is not very good.

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Thursday, December 22, 2005 1:54 PM by andrew
I kept getting the System.InvalidOperationException: Client found response content type of '', but expected 'text/xml'. error when trying to share the forms authentication cookie from my ASP.Net 1.1 web app with the Reporting Services 2005 web service (in forms auth mode). The new decryption attribute in 2.0 was the key. Thanks so much for the info!

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Wednesday, July 26, 2006 4:07 PM by Mike
Nested 1.1 virtual applications do not recognize the new decrypt attribute in the parent 2.0 web.config. Can you configure 1.1 apps to ignore the parent 2.0 web.config?

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Friday, July 28, 2006 9:46 PM by ScottGu

Hi Mike,

Unfortunately you can't cause 1.1 apps to ignore attributes within parent web.config files.

What you could do, though, is add a location directive to the machine.config or root web.config for ASP.NET 2.0 to set this value at the app-level.  Since V1.1 uses a separate machine.config file it won't see this and as such won't have a problem.

Hope this helps,

Scott

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Monday, July 31, 2006 2:56 PM by Mike
Thanks. I updated the root 2.0 app with the following: The 1.1 sub-directory app now successfully ignores the decrypt attribute, but unfortunately throws the following exception: System.Security.Cryptography.CryptographicException: Bad Data. The key strings are identical in both web.configs. Anyone else seeing this problem?

# ASP.NET 2.0 Tips, Tricks, Recipes and Gotchas

Tuesday, August 01, 2006 11:55 AM by ScottGu's Blog

This page lists some of the more popular “ASP.NET 2.0 Tips, Tricks, Recipes and Gotchas”

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Friday, August 11, 2006 4:09 PM by 法兰式电容液位变送器
Nested 1.1 virtual applications do not recognize the new decrypt attribute in the parent 2.0 web.config. Can you configure 1.1 apps to ignore the parent 2.0 web.config?

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Monday, August 14, 2006 12:35 PM by ScottGu

You can't configure nested V1.1 apps to ignore parent V2.0 settings unfortunately.

Two ways to fix this:

1) Separate out the nested app to a sub-domain: http://apps.site.com/app1 instead of http://www.site.com/app1

2) Set the decrypt attribute within a <location> directive within your root web.config file instead of at the application level.  Since the root web.config files for V1.1 and V2.0 are separate, this will avoid a conflict.

Hope this helps,

Scott

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Friday, August 25, 2006 3:58 PM by stuart
Does this work with two different domains on the same server or web farm? i.e. www.domain1.com and www.domain2.com

My Web configs have this

In the v1.1 app (www.domain1.com) I have this:

    // Set the forms authentication cookie
    FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1, sUserName, DateTime.Now, DateTime.Now.AddMinutes(60), true, string.Empty);
    string encTicket = FormsAuthentication.Encrypt(authTicket);
    HttpCookie faCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket);
    Context.Response.Cookies.Add(faCookie);

In the v2.0 app (www.domain2.com) I have this:

    // Extract the forms authentication cookie
    HttpCookie authCookie = Context.Request.Cookies[FormsAuthentication.FormsCookieName];
    FormsAuthenticationTicket authTicket = FormsAuthentication.Decrypt(authCookie.Value);

I was thinking that if users logged into www.domain1.com and are authenticated, the cookie would get encrypted and written; if they then try to go to www.domain2.com, that app should be able to read the cookie and let them straight in.

I saw some examples of adding a domain name to the authentication cookie before writing it. If I add the 'domain1.com' domain I can see the cookie when I do a trace from the 1st app, but not when I use the second app. If I add the 'domain2.com' domain I can't see the cookie when I do a trace from the 1st app, and also can't see it when I use the second app.

Any thoughts about this?

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Friday, August 25, 2006 8:05 PM by ScottGu

Hi Stuart,

It will work with two subdomains.  For example:

www.domain.com

subdomain.domain.com

But I don't think you can get it to work across two different top-level domains without writing your own SSO (single sign-on) like solution.  The reason for this is because cookies are persisted per-domain by browsers.

Hope this helps,

Scott

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Thursday, August 31, 2006 1:15 PM by Vikas
I am testing the SSO scenario with forms authentication for 1.1 & 2.0 apps. I am using the same key and 3DES algo between all these applications. Applications with 1.1 work but the 2.0 application is not even able to see the cookie. I must be missing something. Any idea?

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Tuesday, September 19, 2006 3:10 AM by FirozB
Hi Scott, Is it possible to share this authentication cookie with web services on another PC, for an Intranet application using forms authorisation? I originally thought that I would have to use some kind of token issuing mechanism, but after reading this, there may be no need to. What are your thoughts?

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Wednesday, September 20, 2006 12:08 AM by ScottGu

Hi Firoz,

Unfortunately I don't think there is any way to do what you are after with sharing the cookie.  A client application consuming the web-service could retrieve and then re-use the cookie to access another web-service on a different machine.  But I don't see a way to re-use the client cookie across two separate client machines.

Hope this helps,

Scott

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Thursday, November 16, 2006 12:38 PM by Rahul

Hi Scott,

How to share cookies between Classical ASP, ASP 1.1 & ASP 2.0? I want to slowly migrate my application (developed in both classical ASP and ASP 1.1) to ASP.NET 2.0? Can you please help me?

Regards,

Rahul

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Friday, November 17, 2006 10:47 AM by ScottGu

Hi Rahul,

You should be able to share cookies across ASP and ASP.NET sites just fine.  Just make sure that the path for the cookie is set to the "/" level to make sure it will be transferred by the browser to all pages under the site.

You can then use the Request.Cookies collection to read them.

Thanks,

Scott

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Sunday, November 26, 2006 10:04 PM by Leo

Hi Scott,

How about using this technique while cookies are disabled?

Leo

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Monday, November 27, 2006 5:21 PM by Steven

Scott,

I did this and it works great for integrating our 1.1 Authentication ticket to the 2.0 Web Application.  But the strange thing is when I set the decryption to "3DES", it breaks my Page.SetFocus() {Javascript error object not found} and client side Required Validators now post back, and then display the error.  If I set the decryption to Auto, my client side scripts now work, but I can't Authenticate.  Any Ideas?

Thanks, Steven

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Monday, November 27, 2006 6:26 PM by Steven

Forget that last crazy post about the MachineKey causing the client side javascript to not work. I honestly tried that 3-4 times and it was consistently failing and working, but now I can’t replicate the failure.  Sorry for the trouble.

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Sunday, December 24, 2006 11:23 AM by Markus

Scott,

works perfectly. Thanks a lot for your great blog.

Markus

# Share Authentication Between ASP.NET 1.1 and ASP.NET 2.0 » Advanced .NET Debugging

PingBack from http://dotnetdebug.net/2005/12/11/share-authentication-between-aspnet-11-and-aspnet-20/

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Friday, January 12, 2007 10:31 AM by ameya

Well, your article is fantastic. It's great to see how the cookies can be shared across two different versions of ASP.NET applications.

But I have a task in which I want to read the cookies from an SAP application and use them in the ASP.NET 2.0 web application. I don't know about SAP, how the cookies are saved or whether they are encrypted or not, but I just want to ask you whether it is possible to read the cookies in SAP and use them in my web site, which runs on ASP.NET 2.0.

Any ideas are appreciated.

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Sunday, January 14, 2007 5:01 PM by ScottGu

Hi Ameya,

You can use the Request.Cookies and Response.Cookies collections to read/write HTTP cookies from ASP.NET.  If you have an SAP application on the same domain as ASP.NET, then you can share cookies that way.

Hope this helps,

Scott

# How To Share Authentication Cookies across Classic ASP and ASP.NET V2.0 Applications

Thursday, February 01, 2007 4:47 PM by Robert

Is there a way to share Authentication Cookies across Classic ASP and ASP.NET 2.0 Applications?

We have a login interface built in Classic ASP and quite a few applications are using that interface. What is the best way to let my ASP.NET 2.0 app know that this user was authenticated by the Classic ASP login interface? Thanks.

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Thursday, February 01, 2007 7:14 PM by Geoff Van Brunt

Hi Scott,

I've been a reader of your blog for some time now, and it's by far the best resource on things ASP.NET on the net. Keep up the good work, it's appreciated.

I've got a question that is related to sharing cookies. In this case both apps are .NET 2.0, but I want to share the login page as well as the cookies between them. In other words, I only want one app to have the login page. It saves copying the page from application to application every time it is modified. Is it even possible?

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Sunday, February 04, 2007 6:17 PM by ScottGu

Hi Robert,

If you are using IIS6, then it is possible to share the ASP and ASP.NET authentication ticket - and have ASP.NET 2.0 perform login and authentication management for both sets of pages.

Stefan's ASP.NET security book has the best details on how to do this: http://www.amazon.com/exec/obidos/ASIN/0764596985/ref=nosim/theplanningsh-20

That might be the easiest way to get up to speed on how to achieve it.

Hope this helps,

Scott

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Sunday, February 04, 2007 6:35 PM by ScottGu

Hi Geoff,

You can share the authentication ticket just fine as long as both applications are under the same site name domain (that way the client will send the same cookie to both).

ASP.NET by default sets the path of the authentication ticket to "/" - which means that by default it will work across both applications.

Hope this helps,

Scott

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Monday, February 12, 2007 6:32 PM by Ashish Gupta

Hi Scott,

We have a classic ASP app and a .NET app. The user logs into the application using the ASP application's login page and then sets some cookies and session transfer data in the database to access the .NET application. The .NET app also sets the forms authentication cookie when accessed.

I wrote code on the classic ASP side to delete all cookies on the logoff.asp page. It's deleting all the cookies except the forms authentication cookie.

Is it not possible to delete the forms authentication cookie from the ASP side?

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Tuesday, February 13, 2007 6:20 PM by Ashish Gupta

Don't bother about my last post regarding deleting the forms authentication cookie. I figured it out.

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Friday, March 09, 2007 8:31 AM by Sam Stange

Works like a charm. I did get caught on one issue though... My network admins set my 1.1 built site as a 2.0 site in IIS. I added the decryption "3DES" element, and it works now.

My only other comment is for anyone trying to make a SSO site with Forms Authentication, you need to be comfortable with the way cookies work. My .lmi.org can't read a cookie from .google.com, however, if I'm authenticating from one .lmi.org site to another .lmi.org site, then I'm OK. Since the Forms Authentication model is a cookie-based security scheme, this is a very important concept!

Also, I found this site useful for creating a random 3DES key: http://aspnetresources.com/tools/keycreator.aspx

For those of you that are craving an example (2.0 site to 1.1 site), here's my forms element in my web.config on my 2.0 portal entry site:

    <authentication mode="Forms">
      <forms name="Portal"
             domain=".lmi.org"
             timeout="30"
             cookieless="UseCookies"
             loginUrl="~/login.aspx"
             defaultUrl="~/login.aspx"
             path="/"/>
    </authentication>
    <machineKey validationKey="90CBB9B2FAD04C6F869A58D6A42AED0D13F3440227CD725F6008BC4835B7C0BFBEFFAE214DC81DAE3CD7E395A70B0D6C492EFB8C8BE69F9E86D006D2320FE524"
                decryptionKey="69A5A438452FCB3C031FEA245DEF770191A16609E9E4A62F" validation="SHA1" decryption="3DES" />

Here's my 1.1 site settings:

    <authentication mode="Forms">
      <forms name="Portal"
             domain=".lmi.org"
             timeout="30"
             cookieless="UseCookies"
             loginUrl="http://entweb.lmi.org/infrastructureportal/login.aspx"
             path="/"/>
    </authentication>
    <authorization>
      <deny users="?"/>
      <allow users="*"/>
    </authorization>
    <machineKey validationKey="90CBB9B2FAD04C6F869A58D6A42AED0D13F3440227CD725F6008BC4835B7C0BFBEFFAE214DC81DAE3CD7E395A70B0D6C492EFB8C8BE69F9E86D006D2320FE524"
                decryptionKey="69A5A438452FCB3C031FEA245DEF770191A16609E9E4A62F" decryption="3DES" />

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Tuesday, March 13, 2007 10:20 PM by Mike

I am writing two applications that together will be used on one site.  The first app is the back-end (CMS, administration, etc) that will make changes to the CMS database, etc.  The second app will be the front-end app, which will display the CMS data, etc.  I'd like to enable users of the admin site to be able to log in and then return and browse the main site.  When they're logged in as "admins" and they browse the main web site, it should display various choices that normal anonymous browsers wouldn't see.  So assuming I set up both apps to use the same membership database and use the same applicationName this should be possible based on the role that the user is in, right?

# re: How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Monday, March 19, 2007 3:19 AM by ScottGu

Hi Mike,

Yes - you should be able to accomplish what you are after above as long as you use the same membership database and applicationName.  If you want users to be able to log into one application and then immediately navigate to another, you'll also want/need to make sure the authentication ticket is shared across both apps.

Thanks,

Scott

# How to share authentication context between a SharePoint Site and ASP.NET 2.0 application

Saturday, September 15, 2007 2:39 AM by Haaron Gonzalez

When we have extranet scenarios when people need to have access not only to SharePoint site but also