
Forms authentication across multiple applications and framework versions

JC
I have several applications that use forms authentication and they are
currently set up to use a single login page. Everything works fine under v1.0
of the framework and everything works fine if I have all applications
running under v1.1.

However, I need the login page and a few apps to be running under v1.0
with other applications running under v1.1. Now my authentication cookie is
no longer being accepted anywhere other than by the v1.0 applications. The
path, name, and protection attributes for <forms> are identical in all
applications. I've tried using an explicit <machineKey> and removing the
"IsolateApps" attribute in the v1.1 machine.configs. Am I missing anything
else? I just consistently get redirected back to the login page. Any help
would be appreciated, thanks.

Here is what my web.config looks like in all applications.
<authentication mode="Forms">
<forms loginUrl="/Login/login.aspx"
name="appname"
protection="All"
path="/">
</forms>
</authentication>

I've tried using both:
<machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate"
validation="SHA1"/>

and explicitly defining the key in all apps.

<machineKey
validationKey='470D7418106FE78774FB509A10A94BB9839567B38C0A91CBFE0241C3647F01E8B12FBA2EC0AB5C0B947260D12AD85B34085C91659A5802AF006D027B1F0A117D'
decryptionKey='3A6FF62768FAEA2213FB64703827ED533B6CAB6AED3A1550'
validation='SHA1'/>
Nov 17 '05 #1


psb
I have experienced the same thing... I believe it is a security hole in 1.0 that
Microsoft closed. We do almost the same thing you are talking about. My
co-worker and I debugged for days until he said, "I did install this new
application..." Well, the new application installed .NET Framework 1.1, and when we
uninstalled it he was working again. I have yet to upgrade all of our apps
to 1.1 until I figure out a solution. I swear I read it somewhere, either on
MSDN or gotdotnet.com, about this security tightening in forms authentication
between projects/virtual directories... -p

Nov 17 '05 #2
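
One way to confirm that the settings the question lists (the <forms> name, path and protection, plus the <machineKey> values) really are identical in every application's web.config, as an added example that is not part of the original posts. The app names, sample configs and short placeholder keys are constructed, and the function names are hypothetical; it compares configuration only and says nothing about differences between framework versions.

```python
import xml.etree.ElementTree as ET
FORMS_ATTRS = ("name", "path", "protection")
KEY_ATTRS = ("validationKey", "decryptionKey", "validation")

def ticket_settings(xml_text):
    """Settings every app sharing one forms-auth cookie must agree on (hex keys upper-cased)."""
    root = ET.fromstring(xml_text)
    out = {}
    for tag, attrs in (("forms", FORMS_ATTRS), ("machineKey", KEY_ATTRS)):
        elem = root.find(f".//{tag}")
        for a in attrs:
            value = elem.get(a) if elem is not None else None
            out[f"{tag}/{a}"] = value.upper() if value and a.endswith("Key") else value
    return out

def find_mismatches(configs):
    """configs: {app: web.config text}. First app is the reference. Returns sorted findings."""
    parsed = {app: ticket_settings(text) for app, text in configs.items()}
    ref_app = next(iter(parsed))
    findings = []
    for app, settings in parsed.items():
        for setting, value in settings.items():
            if value is None:
                findings.append((app, setting, "not set here, inherited from a parent config"))
            elif setting.endswith("Key") and "AUTOGENERATE" in value:
                findings.append((app, setting, "runtime-generated key, cannot be compared"))
            elif value != parsed[ref_app][setting]:
                findings.append((app, setting, f"differs from {ref_app}"))
    return sorted(findings)

# Constructed sample configs (not from the thread); key values are short placeholders.
BASE = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="/Login/login.aspx" name="{name}" protection="All" path="/"/>
  </authentication>
  {key}
</system.web></configuration>"""
EXPLICIT = '<machineKey validationKey="00AA11BB" decryptionKey="22CC33DD" validation="SHA1"/>'
AUTO = EXPLICIT.replace("00AA11BB", "AutoGenerate,IsolateApps").replace("22CC33DD", "AutoGenerate")
SAMPLES = {
    "login": BASE.format(name="appname", key=EXPLICIT),
    "reports": BASE.format(name="appname", key=EXPLICIT.replace("00AA11BB", "00aa11bb")),
    "billing": BASE.format(name="AppName", key=EXPLICIT),
    "legacy": BASE.format(name="appname", key=AUTO),
    "wiki": BASE.format(name="appname", key=""),
}

if __name__ == "__main__":
    print(*find_mismatches(SAMPLES), sep="\n")
```

A web.config with no <machineKey> of its own is reported rather than passed, because the effective key then comes from a file this check never read.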
