Sharing Authentication cookies between 1.0 and 1.1

  1. #1

    Sharing Authentication cookies between 1.0 and 1.1

    Hello all,

    I am having a problem getting two IIS applications to
    share a single authentication cookie. One app uses the
    1.0 Framework and other uses the 1.1 version. (This is on
    Windows 2000 Advanced Server)

    I already removed the "isolateapps" option from my 1.1
    machine.config and made sure 1.0 and 1.1 are using the
    same explicit <machinekey> (not AutoGenerate). I also
    tried putting an identical <machinekey> in both web.config
    files to no avail.

    The login screen is in the 1.1 app and works fine as long
    as I stay within that app. Whenever I try to move to the
    1.0 application (within a nested virtual directory) the
    authentication fails and I get redirected back to the
    login screen endlessly.

    Anyone know what I might be missing? I tried moving the
    1.0 app to 1.1 but then I get the javascript error
    mentioned in http://support.microsoft.com/default.aspx?id=818803
    (I installed the hotfix but it didn't fix it for
    me)

    Thanks for your help!
    Mike
    Mike LeBlanc Guest

  3. #2

    RE: Sharing Authentication cookies between 1.0 and 1.1

    Hi Mike,

    In order to share the authentication cookie across your applications the
    cookie path should be "/" (this is the default value if you don't specify
    it in the web.config files). The cookie name should also be the same in all
    the applications. For instance, in the following example, I have 2
    applications configured for Forms Authentication. Each of them has a
    web.config file pointing to the "/LoginApp" application, where the user
    will log in.

    -LoginApp
    -app1
    -app2

    The "/LoginApp" application contains the login.aspx page (see attached)
    and the following web.config:
    << File: login.aspx >>
    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms name="MyAuthCookie">
            <credentials passwordFormat="Clear">
              <user name="foo" password="bar" />
            </credentials>
          </forms>
        </authentication>
      </system.web>
    </configuration>

    Each of the applications "/app1" and "/app2" contains the following
    web.config:

    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms name="MyAuthCookie" loginUrl="/LoginApp/login.aspx">
          </forms>
        </authentication>
        <authorization>
          <deny users="?" />
        </authorization>
      </system.web>
    </configuration>

    If the user is authenticated after requesting the page
    http://server/app1/t.aspx then he can access the second application
    (http://server/app2/t.aspx) without having to authenticate himself again.

    Hope this helps.

    Regards,

    HuangTM
    Microsoft Online Partner Support
    MCSE/MCSD

    Get Secure! - www.microsoft.com/security
    This posting is provided "as is" with no warranties and confers no rights.


    Tian Min Huang Guest

  4. #3

    RE: Sharing Authentication cookies between 1.0 and 1.1

    Thanks for the reply but I already did that.

    Both applications have their path set to "/" explicitly
    and have the exact same cookie name. If I set both
    applications to use 1.1 or 1.0 it works beautifully but if
    one is 1.1 and the other is 1.0 it quits working.

    The issue is actually resolved for me because I was able
    to get the javascript bug Hotfix working finally.
    (However it did introduce a new bug with Validator
    controls that Microsoft is currently working on).

    It's now a matter of curiosity...

    Thanks,
    Mike
    Mike LeBlanc Guest
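
The thread names three conditions for sharing a forms-authentication cookie: the same cookie name, path "/", and an identical explicit machine key without IsolateApps. The following check is an added example, not code from any poster in the thread; it compares those settings across web.config files. The sample configs and key values are constructed placeholders, and a missing machineKey element is assumed to be auto-generated because machine.config is not read.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not from the thread); key values are placeholders.
LOGIN_APP = """<configuration><system.web>
  <machineKey validationKey="AAAA1111" decryptionKey="BBBB2222" validation="SHA1" />
  <authentication mode="Forms"><forms name="MyAuthCookie" path="/" /></authentication>
</system.web></configuration>"""

APP1 = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="BBBB2222" validation="SHA1" />
  <authentication mode="Forms">
    <forms name="MyAuthCookie" loginUrl="/LoginApp/login.aspx" />
  </authentication>
</system.web></configuration>"""


def cookie_settings(config_xml):
    """Extract the settings that decide whether a forms ticket is portable."""
    web = ET.fromstring(config_xml).find("system.web")
    forms = web.find("authentication/forms") if web is not None else None
    key = web.find("machineKey") if web is not None else None
    forms_attr = forms.attrib if forms is not None else {}
    key_attr = key.attrib if key is not None else {}  # assumption: machine.config not read
    return {
        "name": forms_attr.get("name", ".ASPXAUTH"),        # ASP.NET default name
        "path": forms_attr.get("path", "/"),                # ASP.NET default path
        "protection": forms_attr.get("protection", "All"),
        "validationKey": key_attr.get("validationKey", "AutoGenerate"),
        "decryptionKey": key_attr.get("decryptionKey", "AutoGenerate"),
        "validation": key_attr.get("validation", "SHA1"),
    }


def sharing_problems(configs):
    """configs: {app name: web.config text}. Returns a list of findings."""
    parsed = {app: cookie_settings(xml) for app, xml in configs.items()}
    findings = []
    for app, s in parsed.items():
        for attr in ("validationKey", "decryptionKey"):
            if "autogenerate" in s[attr].lower():  # per-app random key: never portable
                findings.append(f"{app}: {attr} is not explicit ({s[attr]})")
        if s["path"] != "/":
            findings.append(f"{app}: cookie path is {s['path']!r}, not '/'")
    ref_app, ref = next(iter(parsed.items()))  # first app is the reference
    for app, s in parsed.items():
        for attr, value in s.items():
            if value != ref[attr]:  # report the attribute only, never the key value
                findings.append(f"{app}: {attr} differs from {ref_app}")
    return findings
```

An empty result means only that the settings named in the thread agree; it does not explain the 1.0/1.1 difference reported in post #3.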
