Home/ Questions/Q 9069855
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-16T17:32:16+00:00

I have two web applications that implements a asp.net membership provider. It is a

  • 0

I have two web applications that implements a asp.net membership provider.
It is a slightly modified membership provider (so it’s a custom membership provider) but I think that that is irrelevant for this post.

The application run in the same domain and I want to have cross authentication between them using cookies.(they run in app1.mydomain.com / app2.mydomain.com)

I’m using two applications implementing the same provider:

  • WebForms 3.5
  • MVC 4.5

In both applications I have the same sections configured in the webconfig: authentication, forms, machineKey, membership, roleManager.
They both use a custom Membership and role provider, which is the same for both apps.
They all reside inside the same domain.
Authentication in each application works well.

Problem:

  • In the 4.5 app, if you log in, and then go to the 3.5 app and you don’t get logged in
  • If you log into the 3.5 app, you are not logged into the 4.5 app
  • If you log into the 4.0 app, you are LOGGED out of the 3.5 app even if you were logged in before, and the same on the other way

Tests I’ve done:

  • I’ve set up a default MVC 4.0/4.5 site and a default Web Forms 4.0/4.5 site, and the cross domain cookies works perfect.
  • But when a set up a default MVC 4.0/4.5 site and a default Web Forms 3.5 site, the SSO doesn’t work.

It seems to be a framework incompatibility, or something has change between frameworks when it comes to creating or encrypting the cookie, seems the browser doesn’t send the cookie created by one site to the other.
On the other hand it works great for MVC and WebForms with 4.0/4.5.

These are the web.config sections of each of the applications:

MVC 4:

<authentication mode="Forms">
  <forms name="isep" loginUrl="~/Account/LogIn" timeout="20" protection="All" />
</authentication>

<machineKey compatibilityMode="Framework20SP2" validationKey="85A2E75F1FFEEAC971928062F844F0AFAE876B422503FCF7F80C1B84683C323049ACCC02A47D54E2E98B0422D2E3EFF1B16B7E85E8359EF6ABC52974D0EB9AA7" decryptionKey="FCD4A55D93A720914FA40EEC9599BD81BECE1490EB232DB8DD649BBB0D565194" validation="SHA1" decryption="Auto" />

WebForms 3.5:

<authentication mode="Forms">
  <forms name="isep" loginUrl="login2.aspx" timeout="20" protection="All" />
</authentication>

<machineKey validationKey="85A2E75F1FFEEAC971928062F844F0AFAE876B422503FCF7F80C1B84683C323049ACCC02A47D54E2E98B0422D2E3EFF1B16B7E85E8359EF6ABC52974D0EB9AA7" decryptionKey="FCD4A55D93A720914FA40EEC9599BD81BECE1490EB232DB8DD649BBB0D565194" validation="SHA1" decryption="Auto" />

<authorization>
  <deny users="?"/>
</authorization>

Any clue about this?

Thanks!..

PnP

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Try setting the CompatabilityMode of the MachineKey element in the web.config, as detailed in the following answer:

    Upgrading to ASP.NET 4.5/MVC 4 forms authentication fails

    After update

    Set the domain attribute of the authentication\forms element to the following:

    <authentication mode="Forms">
  <forms domain=".somedomain.com" name="isep" loginUrl="~/Account/LogIn" timeout="20" protection="All" />
</authentication>

    Where somedomain is your primary domain.

    • 0