Sharing Authentication Across Applications

Recently, I wanted to share forms authentication cookies between a couple of different ASP.NET applications for the Honors Program. It is pretty easy to do, except that the setup is different from most examples found on the web. We have our website, which uses MojoPortal on wsnet, and we have a virtual directory set up which points honors.colostate.edu to wsnet.colostate.edu/cwis49/. We also have some web forms in a subfolder (but not a separate application) that require SSL. This forces us to switch over from http://honors.colostate.edu to https://wsnet.colostate.edu/cwis49/ when accessing these pages, since the SSL certificate is for wsnet, not our virtual directory. The master page for those pages forces the HTTPS and hostname switch. The two applications have the same webroot folder and use the same configuration file, so sharing authentication should just work, but it doesn't.

Here is an article that details forms authentication: http://msdn.microsoft.com/en-us/library/eb0zx8fc(v=vs.100).aspx. I found that adding the domain attribute was the trick; it must contain the common or root domain that the applications share. As the article above says, the domain attribute is required when there are multiple sites on the server. Just to be safe, I added the requireSSL="false" attribute as well, though it seemed to work without it. Below you can see the forms element in our Web.config file.

<forms name=".AUTHCOOKIENAME" protection="All" timeout="20160" path="/" domain="colostate.edu" cookieless="UseCookies" loginUrl="~/Secure/Login.aspx" requireSSL="false" />

If you have two separate Web.config files, you also need to make sure your machine key elements match.
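
One way to check that two Web.config files agree on the settings that matter here, as an added example that is not from the original post: a Python script that compares the forms and machineKey elements and names each attribute that differs. The sample configs and their key values are constructed placeholders, and the list of compared attributes is an assumption about what needs to match.

```python
import xml.etree.ElementTree as ET

# Settings both applications must agree on to accept the same ticket (assumed list).
CHECKS = {
    "forms": ("name", "protection", "path", "domain"),
    "machineKey": ("validationKey", "decryptionKey", "validation", "decryption"),
}

# Constructed sample config; key values are placeholders, not real keys.
SAMPLE_A = """<configuration><system.web>
  <authentication mode="Forms">
    <forms name=".AUTHCOOKIENAME" protection="All" path="/" domain="colostate.edu" />
  </authentication>
  <machineKey validationKey="PLACEHOLDER-VK" decryptionKey="PLACEHOLDER-DK-1"
              validation="SHA1" decryption="AES" />
</system.web></configuration>"""

# Second constructed config: no domain attribute and a different decryption key.
SAMPLE_B = SAMPLE_A.replace(' domain="colostate.edu"', "").replace("PLACEHOLDER-DK-1", "PLACEHOLDER-DK-2")

def compare_configs(xml_a, xml_b):
    """Return a list of mismatches between two Web.config documents."""
    roots = [ET.fromstring(xml_a), ET.fromstring(xml_b)]
    findings = []
    for tag, attrs in CHECKS.items():
        # First <forms> / <machineKey> element anywhere in each file, or None.
        els = [next(r.iter(tag), None) for r in roots]
        if any(e is None for e in els):
            findings.append(f"{tag}: missing in one config, cannot compare")
            continue
        for attr in attrs:
            if els[0].get(attr) != els[1].get(attr):
                # Name the attribute only; never print key material.
                findings.append(f"{tag}/@{attr} differs")
    return findings

if __name__ == "__main__":
    for finding in compare_configs(SAMPLE_A, SAMPLE_B):
        print(finding)
```

An empty result means the compared attributes are identical in both files.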