Share via

Forms Authentication Across Applications

ASP.NET supports forms authentication in a distributed environment, either across applications on a single server or in a Web farm. When forms authentication is enabled across multiple ASP.NET applications, users are not required to re-authenticate when switching between the applications.

Configuring Forms Authentication Across Applications

To configure forms authentication across applications, you set attributes of the forms and machineKey sections of the Web.config file to the same values for all applications that are participating in shared forms authentication.

The following example shows the Authentication section of a Web.config file. Unless otherwise noted, the name, protection, path, validationKey, validation, decryptionKey, and decryption attributes must be identical across all applications. Similarly, the encryption and validation key values and the encryption scheme and validation scheme used for authentication tickets (cookie data) must be the same. If the settings do not match, authentication tickets cannot be shared. For information about how to generate values for the validationKey and decryptionKey attributes, see How To: Configure MachineKey in ASP.NET 2.0. (This topic applies to ASP.NET version 2.0 and to later versions.)


Applications that run ASP.NET version 2.0 or later can share forms authentication ticket information with earlier versions of ASP.NET if you include decryption="3DES" in the machineKey element for each ASP.NET version 2.0 (or later) application.

    <authentication mode="Forms" >
      <!-- The name, protection, and path attributes must match 
           exactly in each Web.config file. -->
      <forms loginUrl="login.aspx"
        timeout="30" />

    <!-- Validation and decryption keys must exactly match and cannot
         be set to "AutoGenerate". The validation and decryption
         algorithms must also be the same. -->
      validationKey="[your key here]" 
      decryptionKey="[your key here]" 
      validation="SHA1" />


You can omit the domain attribute of the forms tag if there is only one Web site on the server.

After an authentication ticket (cookie) has been issued, expiration of the cookie is tracked based on the Expires value in the cookie itself. If two applications have different Timeout attributes, the expiration date and original timestamp are retained through each cookie's lifetime. When a cookie is updated, the cookie's original expiration is used to compute the new expiration. The only time that the configuration Timeout value is used is when the cookie is initially created.

Forms Authentication and the Authentication Service

You can also authenticate users across applications by using the authentication service. The authentication service enables you to use forms authentication from any application that can send and consume messages in SOAP format. For more information, see Windows Communication Foundation Authentication Service Overview.

See Also


How to: Implement Simple Forms Authentication

Other Resources

ASP.NET Web Application Security

Change History




July 2009

Added a link to a topic that explains how to generate key values.

Customer feedback.

April 2009

Added domain attribute and a note about it.

Customer feedback.