ASP.NET supports forms authentication in a distributed environment, either across applications on a single server or in a Web farm. When forms authentication is enabled across multiple ASP.NET applications, users are not required to re-authenticate when switching between the applications.
Configuring Forms Authentication Across Applications
To configure forms authentication across applications, you set several attributes in the forms and machineKey configuration sections so that the values are the same for all applications participating in shared forms authentication.
The following example shows the section of a Web.config file. Unless otherwise noted, the name, protection, path, validationKey, and decryptionKey attributes must be identical across all applications. Similarly, the encryption and validation keys and the encryption scheme used for cookie data must be exactly the same. If the settings do not match, cookies cannot be shared.
<configuration>
  <system.web>
    <authentication mode="Forms" >
      <!-- The name, protection, and path attributes must match
           exactly in each Web.config file. -->
      <forms loginUrl="login.aspx"
        name=".ASPXFORMSAUTH"
        protection="All"
        path="/"
        timeout="30" />
    </authentication>

    <!-- Validation and decryption keys must exactly match and cannot
         be set to "AutoGenerate". The validation algorithm must also
         be the same. -->
    <machineKey
      validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE"
      decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F"
      validation="SHA1" />
  </system.web>
</configuration>
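One way to check these matching rules before deployment, as an added example that is not part of the original page: a Python script that compares the shared attributes across several Web.config files and flags keys that are not set explicitly. The function names, application names and placeholder keys are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Attributes the page says must be identical in every participating application.
SHARED = {
    "authentication/forms": ("name", "protection", "path"),
    "machineKey": ("validationKey", "decryptionKey", "validation"),
}

def shared_settings(web_config_xml):
    """Return {"element/@attr": value or None} for the attributes in SHARED."""
    web = ET.fromstring(web_config_xml).find("system.web")
    out = {}
    for path, attrs in SHARED.items():
        elem = web.find(path) if web is not None else None
        for attr in attrs:
            out[f"{path}/@{attr}"] = elem.get(attr) if elem is not None else None
    return out

def audit(configs):
    """configs maps an application name to its Web.config text; returns sorted findings."""
    parsed = {app: shared_settings(xml) for app, xml in configs.items()}
    findings = []
    for app, settings in parsed.items():
        for attr in ("validationKey", "decryptionKey"):
            value = settings[f"machineKey/@{attr}"]
            # A missing attribute falls back to an auto-generated key.
            if value is None or "autogenerate" in value.lower():
                findings.append(f"{app}: {attr} is not an explicit key")
    for path, attrs in SHARED.items():
        for attr in attrs:
            key = f"{path}/@{attr}"
            if len({settings[key] for settings in parsed.values()}) > 1:
                findings.append(f"mismatch: {key}")  # values not echoed: keys are secrets
    return sorted(findings)

# Constructed sample input: three hypothetical applications with placeholder keys.
TEMPLATE = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="login.aspx" name="{name}" protection="All" path="/" timeout="30" />
  </authentication>
  <machineKey validationKey="{vkey}" decryptionKey="{dkey}" validation="SHA1" />
</system.web></configuration>"""
GOOD = dict(name=".ASPXFORMSAUTH", vkey="AA" * 64, dkey="BB" * 24)
SAMPLE = {
    "app1": TEMPLATE.format(**GOOD),
    "app2": TEMPLATE.format(**GOOD),
    "app3": TEMPLATE.format(name=".APP3AUTH", vkey="AutoGenerate", dkey="BB" * 24),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The comparison is literal, so an application that omits an attribute and one that spells out the same default value are reported as a mismatch.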
After a cookie has been issued, expiration of the cookie is tracked based on the value in the cookie itself. This means that if two applications have different timeout attributes, the expiration date and time that were set when each cookie was originally issued are retained throughout the lifetime of the cookie. When a cookie is updated, the cookie's original expiration is used to compute the new expiration. The only time the configuration Timeout value is used is when the cookie is initially created.