Forms authentication across multiple applications and framework versions

Discussion in 'ASP .Net' started by JC, Nov 5, 2003.

  1. JC

    JC Guest

    I have several applications that use forms authentication and they are
    currently set up to use a single login page. Everything works fine under v1.0
    of the framework and everything works fine if I have all applications
    running under v1.1.

    However, I need the login page and a few apps to be running under v1.0
    with other applications running under v1.1. Now my authentication cookie is
    no longer being accepted anywhere other than by the v1.0 applications. The
    path, name, and protection attributes for <forms> are identical in all
    applications. I've tried using an explicit <machinekey> and removing the
    "isolateapps" attribute in the v1.1 machine.configs. Am I missing anything
    else? I just constantly get redirected back to the login page. Any help
    would be appreciated, thanks.

    Here is what my web.config looks like in all applications.
    <authentication mode="Forms">
      <forms loginUrl="/Login/login.aspx"
             name="appname"
             protection="All"
             path="/">
      </forms>
    </authentication>

    I've tried using both:
    <machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate"
    validation="SHA1"/>

    and explicitly defining the key in all apps.

    <machineKey
      validationKey='470D7418106FE78774FB509A10A94BB9839567B38C0A91CBFE0241C3647F01E8B12FBA2EC0AB5C0B947260D12AD85B34085C91659A5802AF006D027B1F0A117D'
      decryptionKey='3A6FF62768FAEA2213FB64703827ED533B6CAB6AED3A1550'
      validation='SHA1'/>
     
    JC, Nov 5, 2003
    #1

  2. psb

    psb Guest

    I have experienced the same thing... I believe it is a security hole in 1.0 that
    Microsoft closed. We do almost the same thing you are talking about. My
    co-worker and I debugged for days until he said, "I did install this new
    application..." Well, the new application installed .NET Framework 1.1, and when we
    uninstalled it he was working again. I have yet to upgrade all of our apps
    to 1.1 until I figure out a solution. I swear I read it somewhere, either on
    msdn or gotdotnet.com, about this security tightening in forms authentication
    between projects/virtual directories... -p

    "JC" <> wrote in message
    news:OFuTl%23%...
    > I have several applications that use forms authentication and they are
    > currently set up to use a single login page. Everything works fine under v1.0
    > of the framework and everything works fine if I have all applications
    > running under v1.1.
    >
    > However, I need the login page and a few apps to be running under v1.0
    > with other applications running under v1.1. Now my authentication cookie is
    > no longer being accepted anywhere other than by the v1.0 applications. The
    > path, name, and protection attributes for <forms> are identical in all
    > applications. I've tried using an explicit <machinekey> and removing the
    > "isolateapps" attribute in the v1.1 machine.configs. Am I missing anything
    > else? I just constantly get redirected back to the login page. Any help
    > would be appreciated, thanks.
    >
    > Here is what my web.config looks like in all applications.
    > <authentication mode="Forms">
    >   <forms loginUrl="/Login/login.aspx"
    >          name="appname"
    >          protection="All"
    >          path="/">
    >   </forms>
    > </authentication>
    >
    > I've tried using both:
    > <machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate"
    > validation="SHA1"/>
    >
    > and explicitly defining the key in all apps.
    >
    > <machineKey
    >   validationKey='470D7418106FE78774FB509A10A94BB9839567B38C0A91CBFE0241C3647F01E8B12FBA2EC0AB5C0B947260D12AD85B34085C91659A5802AF006D027B1F0A117D'
    >   decryptionKey='3A6FF62768FAEA2213FB64703827ED533B6CAB6AED3A1550'
    >   validation='SHA1'/>
     
    psb, Nov 5, 2003
    #2
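
The question lists the settings that have to match for several applications to accept one forms-authentication cookie: the <forms> name, path and protection, plus the <machineKey> values. The script below is an added example, not part of either post. It compares those settings across a set of web.config files and flags keys that are auto-generated, per-application (the IsolateApps modifier) or left to machine.config. The function names, application names and key values are constructed for illustration, and the script does not test the v1.0/v1.1 difference discussed in the thread.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
# Settings every application must agree on to accept the same ticket cookie.
FORMS_ATTRS = ("name", "path", "protection")
KEY_ATTRS = ("validationKey", "decryptionKey", "validation")

def cookie_settings(config_xml):
    """Pull the <forms> and <machineKey> attributes out of one web.config."""
    root = ET.fromstring(config_xml)
    settings = {}
    for xpath, attrs in ((".//authentication/forms", FORMS_ATTRS),
                         (".//machineKey", KEY_ATTRS)):
        elem = root.find(xpath)
        for attr in attrs:
            settings[attr] = None if elem is None else elem.get(attr)
    return settings

def audit(configs):
    """Return (kind, attribute, detail) findings for a {app: web.config} map."""
    parsed = {app: cookie_settings(xml) for app, xml in configs.items()}
    findings = []
    for attr in FORMS_ATTRS + KEY_ATTRS:
        groups = defaultdict(list)
        for app, settings in parsed.items():
            groups[settings[attr]].append(app)
        if len(groups) > 1:  # report which apps agree, never the key material
            findings.append(("mismatch", attr, sorted(sorted(g) for g in groups.values())))
    for app, settings in sorted(parsed.items()):
        for attr in ("validationKey", "decryptionKey"):
            value = (settings[attr] or "").lower()
            if not value:  # not set in this file, so machine.config decides
                findings.append(("inherited", attr, app))
            elif value.startswith("autogenerate"):
                kind = "isolated" if "isolateapps" in value else "autogenerated"
                findings.append((kind, attr, app))
    return findings

def sample_config(path="/", validation_key="A1" * 64):
    """Constructed web.config; the key values are placeholders, not real keys."""
    return f"""<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="/Login/login.aspx" name="appname" protection="All" path="{path}"/>
  </authentication>
  <machineKey validationKey="{validation_key}" decryptionKey="{'B2' * 24}" validation="SHA1"/>
</system.web></configuration>"""
SAMPLE = {"Login": sample_config(), "Billing": sample_config(path="/Billing"),
          "Reports": sample_config(validation_key="AutoGenerate,IsolateApps")}
if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Mismatch findings list the applications grouped by which of them share a value, so the output can be pasted into a ticket without exposing the keys.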