How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0 Applications

Sunday, December 11, 2005

ASP.NET V1.0 introduced a powerful forms-authentication model that provides the infrastructure plumbing necessary to issue authentication tickets to incoming browsers as http cookies, and then automatically decrypt them on each request so that you can identify who the incoming browser user is.

ASP.NET V2.0 has made this much more powerful and easier by providing built-in support for storing, managing and verifying username/password credentials using the new Membership system (so that you no longer need to manually create and validate usernames/passwords in a database). ASP.NET V2.0 also ships with a built-in role management system, as well as a suite of Login controls to enable you to declaratively authenticate and manage users on the system. This blog post I did from a few months ago goes into more detail on how easy it is to use this.

One of the questions I've been asked a few times is whether it is possible to share the forms-authentication ticket of a user between ASP.NET V1.0/V1.1 applications and ASP.NET V2.0 applications. Specifically, can you build a set of login/membership pages using ASP.NET V2.0 in a sub-application on a site (for example: www.mysite.com/login/), and then have the rest of the site (www.mysite.com, www.mysite.com/products, etc) which is still running on ASP.NET V1.1 pick up the logged in identify of the user when he or she browses those pages.

The good news is that you can. To enable the authentication identity to flow between the multiple applications (including different V1.1 and V2.0 ones), follow the below steps:

1) Make sure that you explicitly define the “validationKey” and “decryptionKey” attributes in the <machineKey /> section of your applications’ web.config files. By default, these are configured to AutoGenerate/IsolateApps – which will end up generating separate unique keys in each application (which means that the decryption algorithm will not be able to convert a forms-authentication ticket issued from one application in another). By having them all share the same key value, the applications and encrypt/decrypt/validate cookie values can be read by each other.

2) In your ASP.NET 2.0 application(s), you’ll also then need to add the new “decryption” attribute to the <machineKey /> element and set its value to be “3DES”. By default, ASP.NET V2.0 uses a new (stronger) encryption/decryption algorithm. Changing the value to be “3DES” will have it revert back to the older V1 behavior and allow the cookies to be shared.

Hope this helps,

Scott

P.S. Thanks and credit go to Stefan on my team for sending me the exact steps needed above.

25 Comments

Your article is indeed very helpful.

Thank you.

rban - Monday, December 12, 2005 10:03:00 AM

yes,very helpful, I read your each of articles

but sometime I find some words very difficult.

my Englist not very good.

thanks - Tuesday, December 13, 2005 7:46:00 AM

I kept getting the System.InvalidOperationException: Client found response content type of '', but expected 'text/xml'. error when trying to share the forms authentication cookie from my ASP.Net 1.1 web app with the Reporting Services 2005 web service (in forms auth mode). The new decryption attribute in 2.0 was the key. Thanks so much for the info!

andrew - Thursday, December 22, 2005 6:54:00 PM

Nested 1.1 virtual applications do not recognize the new decrypt attribute in the parent 2.0 web.config.

Can you configure 1.1 apps to ignore the parent 2.0 web.config?

Mike - Wednesday, July 26, 2006 8:07:06 PM

Hi Mike,

Unfortunately you can't cause 1.1 apps to ignore attributes within parent web.config files.

What you could do, though, is add a location directive to the machine.config or root web.config for ASP.NET 2.0 to set this value at the app-level. Since V1.1 uses a separate machine.config file it won't see this and as such won't have a problem.

Hope this helps,

Scott

ScottGu - Saturday, July 29, 2006 1:46:21 AM

Thanks. I updated the root 2.0 app with the following:

The 1.1 sub-directory app now successfully ingnores the decrypt attribute, but unfortunately throws the following exception:

System.Security.Cryptography.CryptographicException: Bad Data

The key strings are identical in both web.configs.

Anyone else seeing this problem?

Mike - Monday, July 31, 2006 6:56:50 PM

Nested 1.1 virtual applications do not recognize the new decrypt attribute in the parent 2.0 web.config. Can you configure 1.1 apps to ignore the parent 2.0 web.config?

法兰式电容液位变送器 - Friday, August 11, 2006 8:09:46 PM

Hi Stuart,

It will work with two subdomains. For example:

www.domain.com
subdomain.domain.com

But I don't think you can get it to work across two different top-level domains without writing your own SSO (single sign-on) like solution. The reason for this is because cookies are persisted per-domain by browsers.

Hope this helps,

Scott

ScottGu - Saturday, August 26, 2006 12:05:38 AM

I am testing the sso scenario with form authentication for 1.1 & 2.0 apps. I amd using the same key and 3des algo between all these application. applications with 1.1 works but 2.0 application is not even able to see the cookie. I must be missing something.

Any Idea?

Vikas - Thursday, August 31, 2006 5:15:59 PM

Hi Scott,

Is it possible to share this authentication cookie with web services on another PC, for an Intranet application using forms authorisation? I originally thought that I would have to use some kind of token issuing mechanism, but after reading this, there may be no need to. What are your thoughts?

FirozB - Tuesday, September 19, 2006 7:10:52 AM

Hi Firoz,

Unfortunately I don't think there is anyway to do what you are after with sharing the cookie. A client application consuming the web-service could retrieve and then re-use the cookie to access another web-service on a different machine. But I don't see a way to re-use the client cookie across two separate client machines.

Hope this helps,

Scott

ScottGu - Wednesday, September 20, 2006 4:08:46 AM

Hi Scott,

How to share cookies between Classical ASP, ASP 1.1 & ASP 2.0? I want to slowly migrate my application (developed in both classical ASP and ASP 1.1) to ASP.NET 2.0? Can you please help me?

Regards,
Rahul

Rahul - Thursday, November 16, 2006 5:38:08 PM

Hi Rahul,

You should be able to share cookies across ASP and ASP.NET sites just fine. Just make sure that the path for the cookie is set to the "/" level to make sure it will be transferred by the browser to all pages under the site.

You can then use the Request.Cookies collection to read them.

Thanks,

Scott

ScottGu - Friday, November 17, 2006 3:47:52 PM

Hi Scott,

How about using this technique while cookies are disabled?

Leo

Leo - Monday, November 27, 2006 3:04:36 AM

Scott,
I did this and it works great for integrating our 1.1 Authentication ticket to the 2.0 Web Application. But the strange thing is when I set the decryption to "3DES", it breaks my Page.SetFocus() {Javascript error object not found} and client side Required Validators now posy back, and them display the error. If I set the decryption to Auto, my client side scripts now work, but I can't Authenticate. Any Ideas?

Thanks, Steven

Steven - Monday, November 27, 2006 10:21:51 PM

Scott,

works perfectly. Thanks a lot for your great blog.

Markus

Markus - Sunday, December 24, 2006 4:23:26 PM

Hi Ameya,

You can use the Request.Cookies and Response.Cookies collections to read/write HTTP cookies from ASP.NET. If you have an SAP application on the same domain as ASP.NET, then you can share cookies that way.

Hope this helps,

Scott

ScottGu - Sunday, January 14, 2007 10:01:45 PM

Is there a way to share Authentication Cookies across Classic ASP and ASP.NET 2.0 Applications?

We have a login interface build in Classic ASP and quite a few applications are using that interface. What is the best way to let my ASP.NET 2.0 app know that this user was authenticated by Classic ASP login interface? Thanks.

Robert - Thursday, February 1, 2007 9:47:19 PM

Hi Scott,

I've been a reader of you blog for some time now, and it's by far the best resource on things asp.net on the net. Keep up the good work it's appreciated.

I've got a question that is related sharing cookies. In this case both apps are .net 2.0, but I want to share the login page as well as the cookies between them. In other words, I only want one app to have the login page. It saves copying the page from application to application every time it is modified. Is it even possible?

Geoff Van Brunt - Friday, February 2, 2007 12:14:54 AM

Hi Robert,

If you are using IIS6, then it is possible to share the ASP and ASP.NET authentication ticket - and have ASP.NET 2.0 perform login and authentication management for both sets of pages.

Stefan's ASP.NET security book has the best details on how to-do this: http://www.amazon.com/exec/obidos/ASIN/0764596985/ref=nosim/theplanningsh-20

That might be the easiest way to get up to speed on how to achieve it.

Hope this helps,

Scott

ScottGu - Sunday, February 4, 2007 11:17:14 PM

Hi Geoff,

You can share the authentication ticket just fine as long as both applications are under the same site name domain (that way the client will send the same cookie to both).

ASP.NET by default sets the path of the authetnication ticket to "/" - which means that by default it will work across both applications.

Hope this helps,

Scott

ScottGu - Sunday, February 4, 2007 11:35:38 PM

Hi Scott,
We have classic asp app and .net app. User logs into the application using asp application's login page and then sets some cookies and session transfer data in database to access .net application. The .net app also sets forms authetication cookie when accessed.
I wrote a code on classic asp side to delete all cookie on logoff.asp page. Its deleting all the cookies except formsauthetication cookie.

Is is not possible to delete forms authentication cookie from asp side?

Ashish Gupta - Monday, February 12, 2007 11:32:14 PM

dont bother abt my last post regarding deleting forms authetication cookie. I figured it out.

Ashish Gupta - Tuesday, February 13, 2007 11:20:08 PM

I am writing two applications that together will be used on one site. The first app is the back-end (CMS, administration, etc) that will make changes to the CMS database, etc. The second app will be the front-end app, which will display the CMS data, etc. I'd like to enable users of the admin site to be able log in and then return and browse the main site. When they're logged in as "admins" and they browse the main web site, it should display various choices that normal anonymous browsers wouldn't see. So assuming I setup both apps to use the same membership database and use the same applicationName this should be possible based on the role that the user is in, right?

Mike - Wednesday, March 14, 2007 2:20:26 AM

Hi Mike,

Yes - you should be able to accomplish what you are after above as long as you use the sample membership database and applicationName. If you want users to be able to log-into one application and then immediately navigate to another, you'll also want/need to make sure the authentication ticket is shared across both apps.

Thanks,

Scott

ScottGu - Monday, March 19, 2007 7:19:18 AM

Comments have been disabled for this content.