If you use Forms authentication with version 1.0 of the .NET Framework, you should use separate cookie paths and names. If you do not do so, it is possible for a user authenticated in one application to make a request to another application without being redirected to that application's logon page. The URL authorization rules within the second application may deny access to the user, without providing the opportunity to supply logon credentials using the logon form.
To avoid this issue, use unique cookie path and name attributes on the <forms> element for each application, and also use separate machine keys for each application.
Version 1.1 of the .NET Framework supports the IsolateApps setting shown below.
<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="SHA1"/>
This ensures that each application on the machine uses a separate key for encryption and validation of Forms authentication cookies and view state.
With version 1.0 of the .NET Framework, you cannot use IsolateApps and you must manually generate <machineKey> elements. For more information about this issue, see the following articles in the Microsoft Knowledge Base.
313116, "PRB: Forms Authentication Requests Are Not Directed to loginUrl Page"
312906, "How To: Create Keys by Using Visual C# .NET for Use in Forms Authentication"
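The following C# program is an added example, not code from the original guidance or from the Knowledge Base articles. It prints the unique <forms> cookie name and path and the manually generated <machineKey> element that version 1.0 requires for one application. The cookie naming scheme, the virtual path, and the key sizes (64 bytes for validation, 24 bytes for decryption) are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: prints per-application <forms> and <machineKey> settings.
class AppAuthConfig
{
    // Returns byteCount cryptographically random bytes as upper-case hex.
    static string RandomHex(int byteCount)
    {
        byte[] buffer = new byte[byteCount];
        RandomNumberGenerator.Create().GetBytes(buffer);
        StringBuilder hex = new StringBuilder(byteCount * 2);
        foreach (byte b in buffer)
            hex.Append(b.ToString("X2"));
        return hex.ToString();
    }

    static int Main(string[] args)
    {
        // The application name is used in the cookie name and path, so
        // accept only letters and digits to keep the XML well formed.
        if (args.Length != 1 || args[0].Length == 0)
        {
            Console.Error.WriteLine("usage: AppAuthConfig <ApplicationName>");
            return 1;
        }
        foreach (char c in args[0])
        {
            if (!char.IsLetterOrDigit(c))
            {
                Console.Error.WriteLine("Application name must be alphanumeric.");
                return 1;
            }
        }
        string app = args[0];

        // Assumed naming scheme: cookie ".ASPXAUTH_<app>", path "/<app>".
        Console.WriteLine("<forms name=\".ASPXAUTH_{0}\" path=\"/{0}\" />", app);

        // Assumed sizes: 64-byte validation key, 24-byte decryption key.
        // Run once per application so no two applications share keys.
        Console.WriteLine(
            "<machineKey validationKey=\"{0}\" decryptionKey=\"{1}\" validation=\"SHA1\"/>",
            RandomHex(64), RandomHex(24));
        return 0;
    }
}
```

Run it once for each application and paste the output into that application's Web.config. The generated keys are secrets, so restrict read access to the configuration file.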