
ASP.NET supports forms authentication in a distributed environment, either across applications on a single server or in a Web farm. When forms authentication is enabled across multiple ASP.NET applications, users are not required to re-authenticate when switching between the applications.

Configuring Forms Authentication Across Applications

To configure forms authentication across applications, you set several attributes in the forms and machineKey configuration sections so that the values are the same for all applications participating in shared forms authentication.

The following example shows the authentication and machineKey sections of a Web.config file. Unless otherwise noted, the name, protection, path, validationKey, and decryptionKey attributes must be identical across all applications. Similarly, the encryption and validation keys and the encryption scheme used for cookie data must be exactly the same. If the settings do not match, cookies cannot be shared.

<configuration>
  <system.web>
    <authentication mode="Forms" >
      <!-- The name, protection, and path attributes must match 
           exactly in each Web.config file. -->
      <forms loginUrl="login.aspx"
        name=".ASPXFORMSAUTH" 
        protection="All"  
        path="/" 
        timeout="30" />
    </authentication>

    <!-- Validation and decryption keys must exactly match and cannot
         be set to "AutoGenerate". The validation algorithm must also 
         be the same. The key values shown here are samples from this
         page; use keys generated for your own deployment. -->
    <machineKey
      validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE" 
      decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F" 
      validation="SHA1" />
  </system.web>
</configuration>
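
One way to check the matching requirement before deployment, as an added example (not code from the original page or from ASP.NET): the Python script below compares the forms and machineKey attributes named above across several Web.config files and reports which applications disagree. The application names and key strings in SAMPLE are constructed placeholders, and timeout is deliberately not compared.

```python
import xml.etree.ElementTree as ET

# Attributes the page says must be identical in every participating application.
SHARED = {"system.web/authentication/forms": ("name", "protection", "path"),
          "system.web/machineKey": ("validationKey", "decryptionKey", "validation")}

def read_settings(web_config_text):
    """Return {(element, attribute): value}; an absent attribute maps to None."""
    root = ET.fromstring(web_config_text)
    found = {}
    for path, attrs in SHARED.items():
        node = root.find(path)
        for attr in attrs:
            found[(path.rsplit("/", 1)[-1], attr)] = None if node is None else node.get(attr)
    return found

def check_shared_auth(configs):
    """configs maps app name -> Web.config text; problems name apps, never key values."""
    parsed = {app: read_settings(text) for app, text in configs.items()}
    problems = []
    for app, settings in parsed.items():
        for attr in ("validationKey", "decryptionKey"):
            value = settings[("machineKey", attr)]
            # An omitted key is treated like AutoGenerate: no explicit shared value is set.
            if value is None or "autogenerate" in value.lower():
                problems.append(f"{app}: machineKey {attr} is missing or AutoGenerate")
    for elem, attr in next(iter(parsed.values()), {}):
        groups = {}
        for app, settings in parsed.items():
            groups.setdefault(settings[(elem, attr)], []).append(app)
        if len(groups) > 1:
            sides = " vs ".join("[" + ", ".join(sorted(g)) + "]" for g in sorted(groups.values()))
            problems.append(f"{elem} {attr} differs: {sides}")
    return problems

def sample(name, vkey, dkey):  # constructed Web.config text; key strings are placeholders
    return ('<configuration><system.web><authentication mode="Forms">'
            f'<forms loginUrl="login.aspx" name="{name}" protection="All" path="/" timeout="30" />'
            f'</authentication><machineKey validationKey="{vkey}" decryptionKey="{dkey}" '
            'validation="SHA1" /></system.web></configuration>')

SAMPLE = {  # hypothetical application names
    "portal": sample(".ASPXFORMSAUTH", "AA11", "BB22"),
    "billing": sample(".ASPXFORMSAUTH", "AA11", "BB22"),
    "reports": sample(".REPORTSAUTH", "AutoGenerate,IsolateApps", "BB22"),
}

if __name__ == "__main__":
    print("\n".join(check_shared_auth(SAMPLE)))
```

An attribute that is omitted in one file and written out in another is reported as a mismatch, on the assumption that every participating application should state these settings explicitly.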

After a cookie has been issued, expiration of the cookie is tracked based on the Expires value in the cookie itself. This means that if two applications have different Timeout attributes, the expiration date and time that was set when each cookie was originally issued are retained throughout the lifetime of the cookie. When a cookie is updated, the cookie's original expiration is used to compute the new expiration. The only time the configuration Timeout value is used is when the cookie is initially created.
