Forms Authentication Across Applications (edit)

How ASP.NET Security Works | Microsoft Docs

ASP.NET Security Architecture | Microsoft Docs

ASP.NET Security Data Flow | Microsoft Docs

Basic Security Practices for Web Applications | Microsoft Docs

Web Application Security at Run Time | Microsoft Docs

FormsAuthenticationModule Class (System.Web.Security) | Microsoft Docs

ASP.NET Machine Key Generator - developer Fusion (HAY) - what is ASPXAUTH cookie? - Stack Overflow (HAY)


Share Forms Authentication Ticket between multiple applications

Sharing Authentication Tickets Across Applications

Share authentication cookies among ASP.NET apps | Microsoft Docs

How to share authentication between multiple applications in ASP.NET - DotNET 4 Techies - Technical Blog for Developers

c# - Multiple .NET Applications Share Authentication - Stack Overflow

Forms Authentication Across Applications | Microsoft Docs

Any Forms Auth Changes in 4.5 (


Forms Authentication Provider | Microsoft Docs

Forms Authentication Across Applications | Microsoft Docs

Configuring an ASP.NET Application to Use Membership | Microsoft Docs

How to: Implement Simple Forms Authentication | Microsoft Docs

Use ASP.NET forms-based authentication - ASP.NET | Microsoft Docs

ASP.NET supports forms authentication in a distributed environment, either across applications on a single server or in a Web farm. When forms authentication is enabled across multiple ASP.NET applications, users are not required to re-authenticate when switching between the applications.

To configure forms authentication across applications, you set attributes of the forms and machineKey sections of the Web.config file to the same values for all applications that are participating in shared forms authentication.


Applications that run ASP.NET version 2.0 or later can share forms authentication ticket information with earlier versions of ASP.NET if you include decryption="3DES" in the machineKey element for each ASP.NET version 2.0 (or later) application.

  • ASP.NET Forms Authentication
  • ASP.NET Membership
  • MembershipProvider > SqlMembershipProvider
  • Forms Authentication Tickets
  • Protect Authentication Tickets with SSL
  • Do Not Persist Forms Authentication Cookies
  • Use Distinct Cookie Names and Paths
  • Keep Authentication and Personalization Cookies Separate
  • Use Absolute URLs for Navigation
  • Determining Whether a Browser Accepts Cookies

Solution to share authentication between multiple applications: 

  • machineKey
  • domain=""
  • enableCrossAppRedirects= true

Machine Key

How To: Configure MachineKey in ASP.NET 2.0 | Microsoft Docs

Setting up a machine key - Orchard Documentation (

SqlMembershipProvider Class (System.Web.Security) | Microsoft Docs

How to: Implement Simple Forms Authentication | Microsoft Docs

How To: Use Forms Authentication with SQL Server in ASP.NET 2.0 | Microsoft Docs

How To: Protect From Injection Attacks in ASP.NET | Microsoft Docs

Security Considerations

Failing to protect authentication tickets is a common vulnerability that can lead to unauthorized spoofing and impersonation, session hijacking, and elevation of privilege. When you use forms authentication, consider the following recommendations to help ensure a secure authentication approach:

  • Restrict the authentication cookie to HTTPS connections. To prevent forms authentication cookies from being captured and tampered with while crossing the network, ensure that you use Secure Sockets Layer (SSL) with all pages that require authenticated access and restrict forms authentication tickets to SSL channels.
  • Partition the site for SSL. This allows you to avoid using SSL for the entire site.
  • Do not persist forms authentication cookies. Do not persist authentication cookies because they are stored in the user's profile on the client computer and can be stolen if an attacker gets physical access to the user's computer
  • Consider reducing ticket lifetime. Consider reducing the cookie lifetime to reduce the time window in which an attacker can use a captured cookie to gain access to your application with a spoofed identity.
  • Consider using a fixed expiration. In scenarios where you cannot use SSL, consider setting slidingExpiration="false".
  • Enforce strong user management policies. Use and enforce strong passwords for all user accounts to ensure that people cannot guess one another's passwords and to mitigate the risk posed by dictionary attacks.
  • Enforce password complexity rules. Validate passwords entered through the CreateUserWizard control, by setting its PasswordRegularExpression property to an appropriate regular expression. Also configure the membership provider on the server to use the same regular expression.
  • Perform effective data validation on all requests. Perform strict data validation to minimize the possibilities of SQL injection and cross-site scripting.
  • Use distinct cookie names and paths. By ensuring unique cookie names and paths, you prevent possible problems that can occur when hosting multiple applications on the same server.
  • Keep authentication and personalization cookies separate. Keep personalization cookies that contain user-specific preferences and non-sensitive data separate from authentication cookies.
  • Use absolute URLs for navigation. This is to avoid potential issues caused by redirecting from HTTP to HTTPS pages.

AspNetMembership Samples

ASP.NET Membership and Role Provider - CodeProject (HAY)

Setting up a machine key - Orchard Documentation (

Redirecting to custom 401 page when "Access denied" occures within an ASP.NET application with Windows authentication - CodeProject (HAY)

HTTP Error 401.0 - Unauthorized You do not have permission to view this directory or page | The ASP.NET Forums

HTTP Error 401.0 - Unauthorized | The ASP.NET Forums

Application Root Directory Configuration File (Web.config) | Microsoft Docs

AddUser Directory Configuration File (Web.config) | Microsoft Docs


icacls C:\inetpub\wwwroot\mysite\ /grant "IIS APPPOOL\DEFAULTAPPPOOL":(CI)(OI)(M)







Security Basics and ASP.NET Support (C#)

Security Basics and ASP.NET Support (C#) | Microsoft Docs

Google Search Code

C# Corner - Community of Software and Data Developers (

Dot Net Tricks : Unlimited Live Training, Prepare for Interviews, and Get Hired

ASPSnippets: Code Snippets, Tutorials, Articles, Tips on ASP.Net SQL Server, Windows, C#, VB.Net, AJAX, jQuery, AngularJS and MVC

Microservices Online + Azure Online Training

Microsoft Azure Certification Training | Azure Online Training (

Best Microservices Online Training | Microservices Certification (

Custom Authentication and Authorization in ASP.NET MVC

Custom Authentication With ASP.NET MVC (

Custom Authentication and Authorization in ASP.NET MVC (

Using Forms Authentication in ASP.NET MVC Applications (

ASP.NET MVC 5: Building Your First Web Application - Part 1 - CodeProject

Authentication and Authorization in MVC - Dot Net Tutorials

FormsAuthentication in ASP.NET MVC - Dot Net Tutorials

Role-Based Authentication in MVC - Dot Net Tutorials

Role Based Menus in MVC Application - Dot Net Tutorials


Cookie-Based Authentication Scenarios