Forms Authentication Fails Between ASP.NET 1.0 and 1.1 Applications (Cookie Decryption Fails)

11-13-2003

I have an existing ASP.NET 1.0 application at the root of a web site. There
is another 1.0 application in a virtual directory under the root. Forms
Authentication works fine between the two.

When the script maps in the sub-application are changed to use ASP.NET 1.1,
Forms Authentication breaks. In particular, the Forms Authentication cookie
no longer decrypts, so that the AuthenticateRequest handler finds
Request.IsAuthenticated == false. No other changes are made to the
sub-application, which was not recompiled for Framework 1.1, and resetting
the script maps to use ASP.NET 1.0 restores full functionality.

Setting both the root application and the sub-application to use ASP.NET 1.1
also allows the cookie to be decrypted properly.

Both applications have an explicit <machineKey> element in their web.config
files.

We are not ready to upgrade all of our applications to use ASP.NET 1.1. Does
anyone have a solution for this, or any ideas of where I should go from
here?

Thanks,
John Saunders

11-18-2003

Wow! No clues anyone? Can anyone else reproduce this?

--
John

"John Saunders" <john.saunders at surfcontrol.com> wrote in message
news:...
> I have an existing ASP.NET 1.0 application at the root of a web site.
There
> is another 1.0 application in a virtual directory under the root. Forms
> Authentication works fine between the two.
>
> When the script maps in the sub-application are changed to use ASP.NET
1.1,
> Forms Authentication breaks. In particular, the Forms Authentication
cookie
> no longer decrypts, so that the AuthenticateRequest handler finds
> Request.IsAuthenticated == false. No other changes are made to the
> sub-application, which was not recompiled for Framework 1.1, and resetting
> the script maps to use ASP.NET 1.0 restores full functionality.
>
> Setting both the root application and the sub-application to use ASP.NET
1.1
> also allows the cookie to be decrypted properly.
>
> Both applications have an explicit <machineKey> element in their
web.config
> files.
>
> We are not ready to upgrade all of our applications to use ASP.NET 1.1.
Does
> anyone have a solution for this, or any ideas of where I should go from
> here?
>
> Thanks,
> John Saunders
>
>
>
>

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Best practices for using forms authentication and security in a hosted env (was: Re: Using a Forms authentication in a shared hosting environment)	JEFF	ASP .Net	1	11-12-2007 07:00 PM
forms authentication -- expired forms cookie vs. not provided forms cookie	Eric	ASP .Net Security	2	01-27-2006 10:09 PM
Difference between Python CGI applications and Php applications	praba kar	Python	2	05-04-2005 06:49 PM
Forms Authentication between web applications on the same server	jacob	ASP .Net Security	0	04-01-2004 10:23 PM
Forms Authentication question: How to have some pages open and some requiring forms authentication	Eric	ASP .Net	2	02-13-2004 02:14 PM