JavaScript Editor jscript editor     Web designer 

Main Page

ASP.NET supports forms authentication in a distributed environment, either across applications on a single server or in a Web farm. When forms authentication is enabled across multiple ASP.NET applications, users are not required to re-authenticate when switching between the applications.

Configuring Forms Authentication Across Applications

To configure forms authentication across applications, you set several attributes in the forms and machineKey configuration sections so that the values are the same for all applications participating in shared forms authentication.

The following example shows the Authentication section of a Web.config file. Unless otherwise noted, the name, protection, path, validationKey, and decryptionKey attributes must be identical across all applications. Similarly, the encryption and validation keys and the encryption scheme used for cookie data must be exactly the same. If the settings do not match, cookies cannot be shared.

В CopyCode imageCopy Code
    <authentication mode="Forms" >
      <!-- The name, protection, and path attributes must match 
           exactly in each Web.config file. -->
      <forms loginUrl="login.aspx"
        timeout="30" />

    <!-- Validation and decryption keys must exactly match and cannot
         be set to "AutoGenerate". The validation algorithm must also 
         be the same. -->
        validation="SHA1" />

After a cookie has been issued, expiration of the cookie is tracked based on the Expires value in the cookie itself. This means that if two applications have different Timeout attributes, the expiration date and time that was set when each cookie was originally issued are retained throughout the lifetime of the cookie. When a cookie is updated, the cookie's original expiration is used to compute the new expiration. The only time the configuration Timeout value is used is when the cookie is initially created.

See Also

JavaScript Editor jscript editor     Web designer