First, you need the two sites to use a common domain (site1.mydomain.com, site2.mydomain.com or mydomain.com/site1, mydomain.com/site2).
Second, you will need to update the WebForms legacy app to use OWIN middleware and authentication. Configure it to use Microsoft.Owin.Security.Interop. Then you configure both sites to use a common data protection key store location.
https://learn.microsoft.com/en-us/aspnet/core/security/cookie-sharing?view=aspnetcore-8.0
Your other option is to pick an OAuth SSO server and configure both sites for OAuth support (ASP.NET 4.8 will again require OWIN middleware).
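
A sketch of the OWIN side of the cookie-sharing setup described above, added here as an example and not part of the original answer. The key ring path, application name, scheme, cookie name and the `LegacySite` namespace are assumed placeholders; the ASP.NET Core site must be configured with the same values.

```csharp
// Startup.cs in the ASP.NET 4.8 Web Forms app (the OWIN side of the shared cookie).
// NuGet: Microsoft.Owin.Host.SystemWeb, Microsoft.Owin.Security.Cookies,
//        Microsoft.Owin.Security.Interop
using System.IO;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Interop;
using Owin;

[assembly: OwinStartup(typeof(LegacySite.Startup))]

namespace LegacySite // hypothetical namespace
{
    public class Startup
    {
        // Assumed values: each must be identical in the ASP.NET Core app.
        private const string KeyRing = @"C:\shared-keys";       // placeholder path
        private const string AppName = "SharedCookieApp";       // placeholder name
        private const string Scheme = "Identity.Application";   // Core auth scheme
        private const string CookieName = ".AspNet.SharedCookie";

        public void Configuration(IAppBuilder app)
        {
            // Open the same key ring the Core app persists its keys to. Restrict the
            // folder ACL to the two app pool identities: anyone who can read these
            // keys can mint a valid authentication cookie for both sites.
            var protector = DataProtectionProvider
                .Create(new DirectoryInfo(KeyRing), b => b.SetApplicationName(AppName))
                .CreateProtector(
                    "Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware",
                    Scheme, "v2"); // purpose strings used by Core's cookie handler

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = Scheme,
                CookieName = CookieName,
                CookieDomain = ".mydomain.com", // only for the subdomain layout
                CookiePath = "/",
                CookieSecure = CookieSecureOption.Always,
                CookieHttpOnly = true,
                // Read and write tickets in the ASP.NET Core format.
                TicketDataFormat = new AspNetTicketDataFormat(new DataProtectorShim(protector)),
                CookieManager = new Microsoft.Owin.Security.Interop.ChunkingCookieManager()
            });
        }
    }
}
```

If the two sites disagree on the application name, scheme or cookie name, or read different key rings, each site will fail to decrypt the other's cookie and treat the user as signed out.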