Forms Authentication Issues


If you use Forms authentication with version 1.0 of the .NET Framework, you should use separate cookie paths and names for each application. If you do not, a user authenticated in one application can make a request to another application without being redirected to that application's logon page. The URL authorization rules in the second application may then deny the user access without giving them the opportunity to supply logon credentials using the logon form.

To avoid this issue, use unique cookie path and name attributes on the <forms> element for each application, and also use separate machine keys for each application.

Version 1.1 of the .NET Framework supports the IsolateApps setting shown below.

  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps"
              validation="SHA1"/>

This ensures that each application on the machine uses a separate key for encryption and validation of Forms authentication cookies and view state.
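The following web.config fragments show the two settings together for two applications hosted on the same server. This is an added example, not configuration from the book: the application names /AppA and /AppB, the cookie names .AppA_AUTH and .AppB_AUTH, the loginUrl values, the authorization rule and the placeholder key strings are all assumed for illustration.

```xml
<!-- Added example (not from the book). web.config for application /AppA.
     The cookie name and path are unique to this application, so the browser
     never sends AppA's authentication ticket to /AppB. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".AppA_AUTH"
             loginUrl="login.aspx"
             path="/AppA"
             protection="All"
             timeout="30" />
    </authentication>
    <!-- Assumed rule: anonymous users are redirected to loginUrl -->
    <authorization>
      <deny users="?" />
    </authorization>
    <!-- .NET Framework 1.1: IsolateApps derives a distinct key per application,
         so a ticket issued by AppA fails validation in AppB even if it arrives. -->
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="SHA1" />
  </system.web>
</configuration>

<!-- web.config for application /AppB: different cookie name and path. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".AppB_AUTH"
             loginUrl="login.aspx"
             path="/AppB"
             protection="All"
             timeout="30" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="SHA1" />
  </system.web>
</configuration>

<!-- .NET Framework 1.0 has no IsolateApps, so each application gets its own
     explicitly generated keys. The values below are placeholders, not real keys:
     generate random hex strings per application (see KB 312906) and never
     reuse them between applications. -->
<machineKey validationKey="REPLACE_WITH_128_HEX_CHARS_UNIQUE_TO_APPA"
            decryptionKey="REPLACE_WITH_48_HEX_CHARS_UNIQUE_TO_APPA"
            validation="SHA1" />
```

Two things to check when applying this. First, the cookie path is matched by the browser, and browsers compare it case-sensitively, so the value in path must exactly match the virtual directory name users actually type or are linked to; if users reach the application as /appa while path="/AppA", the cookie is not sent and every request looks unauthenticated. Second, after deploying, sign in to /AppA and request a protected page in /AppB: the expected result is a redirect to AppB's logon page, not an access-denied response.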

With version 1.0 of the .NET Framework, you cannot use IsolateApps and you must manually generate the keys for each application's <machineKey> element. For more information about this issue, see the following articles in the Microsoft Knowledge Base.

  • 313116, "PRB: Forms Authentication Requests Are Not Directed to loginUrl Page"

  • 312906, "How To: Create Keys by Using Visual C# .NET for Use in Forms Authentication"


Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613
