Sharing Forms Authentication between ASP.NET 1.1 and ASP.NET 2.0 Applications

As you start shifting from ASP.NET 1.1 to ASP.NET 2.0 development there may be instances where you want to share Forms Authentication cookies between different versions of your ASP.NET Web sites.  Due to another subtle security change made to Forms Authentication in ASP.NET 2.0, this will not work by default.  For example, if the protection attribute of the <forms/> element in your ASP.NET applications is set to either "Encryption" or "All", an ASP.NET 2.0 application will not be able to use the ASP.NET 1.1 cookie, and vice versa, because of the increased protection level given to cookies in ASP.NET 2.0.  (With protection set to "Validation" or "None" the ticket is not encrypted at all, so the cipher change described below does not come into play.)


In ASP.NET 1.1, Forms Authentication cookies were encrypted with Triple DES (3DES), whereas in ASP.NET 2.0 the default is now the Advanced Encryption Standard (AES).  To allow backward compatibility, the machineKey element of an ASP.NET 2.0 application has a new decryption attribute which can be set to 3DES instead of the default AES.  Bear in mind that this pins the 2.0 cookie to the weaker 1.1-era cipher, so treat it as a migration setting and remove it (returning to AES) once the ASP.NET 1.1 application has been retired.


Therefore, when the different versions of your ASP.NET applications use the same machine key (as in a Web farm scenario) and you set the ASP.NET 2.0 decryption attribute to 3DES, you get backward compatibility and, thus, the ability to share Authentication cookies between the different versions of your ASP.NET applications, as illustrated below.  Note that "the same machine key" means both the validationKey and the decryptionKey must be specified explicitly and identically in both applications: the AutoGenerate default produces a key the other application does not hold (and in ASP.NET 2.0 the default is AutoGenerate,IsolateApps, which makes the key differ per application as well).  The <forms/> cookie name, path and domain must also match, otherwise the browser will not present the same cookie to both sites.


Snippet of the machineKey element in the machine.config for an ASP.NET 1.1 application.  Note the 48 hex character decryptionKey, which is a 24-byte 3DES key; the validationKey value, which must be identical in both applications, is shown as a placeholder:

<machineKey validationKey='[identical validation key]' decryptionKey='AF96F355CEC57EFD2F996515BF465DD399FAF7B806B2CD55' validation='SHA1'/>


Snippet of the machineKey element in the web.config for an ASP.NET 2.0 application, with the same keys as above and the decryption attribute specified:

<machineKey validationKey='[identical validation key]' decryptionKey='AF96F355CEC57EFD2F996515BF465DD399FAF7B806B2CD55' validation='SHA1' decryption='3DES' />
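The two snippets above are easy to get subtly wrong on a real farm (a forgotten decryption attribute, a key left at AutoGenerate, a cookie name that differs).  The following script is an added example, not part of the original post, that reads an ASP.NET 1.1 and an ASP.NET 2.0 config and reports every reason the two applications would reject each other's Forms Authentication cookie.  The config fragments embedded in it are constructed for the example and the keys in them are dummies, not keys from any deployment; the 48 hex character (24-byte) 3DES key length and the default attribute values it checks against are the ones described in the text.

```python
"""Check whether an ASP.NET 1.1 and an ASP.NET 2.0 application can share a Forms Authentication cookie.

Added example, not code from the original post. The web.config fragments below are constructed
for this example and the keys in them are dummies.
"""
import re
import xml.etree.ElementTree as ET

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

# Constructed ASP.NET 1.1 web.config: 3DES is the only cookie cipher, so no decryption attribute exists.
CONFIG_11 = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" protection="All" loginUrl="login.aspx" />
    </authentication>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="AF96F355CEC57EFD2F996515BF465DD399FAF7B806B2CD55"
                validation="SHA1" />
  </system.web>
</configuration>"""

# Constructed ASP.NET 2.0 web.config: same keys, decryption pinned to 3DES (the compatible setup).
CONFIG_20_OK = CONFIG_11.replace('validation="SHA1" />', 'validation="SHA1" decryption="3DES" />')

# Constructed ASP.NET 2.0 web.config that forgot decryption="3DES", so the default (AES) applies.
CONFIG_20_DEFAULT = CONFIG_11

# Constructed ASP.NET 2.0 web.config that left the decryption key at the auto-generated default.
CONFIG_20_AUTOGEN = CONFIG_20_OK.replace(
    'decryptionKey="AF96F355CEC57EFD2F996515BF465DD399FAF7B806B2CD55"',
    'decryptionKey="AutoGenerate,IsolateApps"')


def _section(config_xml, path):
    """Return the attributes of the first element at path under <configuration>, or {} if absent."""
    node = ET.fromstring(config_xml).find(path)
    return dict(node.attrib) if node is not None else {}


def _explicit_hex(attrs, name, label, problems):
    """Return the key as upper-case hex, or None (with a problem recorded) if it is not an explicit key."""
    # Both runtimes auto-generate the key when the attribute is absent; 2.0 also isolates it per application.
    value = attrs.get(name, "AutoGenerate")
    if "AutoGenerate" in value:
        problems.append(f"{label}: {name} is auto-generated, so the two applications hold different keys")
        return None
    if not HEX_RE.match(value):
        problems.append(f"{label}: {name} is not a hex string")
        return None
    return value.upper()


def check_shared_forms_auth(config_11, config_20):
    """Return the reasons the 1.1 and 2.0 applications cannot share the cookie; [] means compatible."""
    problems = []
    mk11 = _section(config_11, "./system.web/machineKey")
    mk20 = _section(config_20, "./system.web/machineKey")

    # Both keys must be explicit and identical on both sides.
    for name in ("validationKey", "decryptionKey"):
        k11 = _explicit_hex(mk11, name, "ASP.NET 1.1", problems)
        k20 = _explicit_hex(mk20, name, "ASP.NET 2.0", problems)
        if k11 and k20 and k11 != k20:
            problems.append(f"{name} differs between the two applications")

    # ASP.NET 1.1 encrypts with a 24-byte 3DES key, i.e. 48 hex characters, so that is the key to share.
    dkey = mk11.get("decryptionKey", "")
    if HEX_RE.match(dkey) and len(dkey) != 48:
        problems.append(f"ASP.NET 1.1: decryptionKey is {len(dkey)} hex chars, expected 48 (24-byte 3DES key)")

    # ASP.NET 2.0 must be pinned to 3DES; its default is AES, which cannot read the 1.1 cookie.
    if mk20.get("decryption") != "3DES":
        problems.append("ASP.NET 2.0: decryption must be '3DES' (the default is AES)")
    if "decryption" in mk11:
        problems.append("ASP.NET 1.1: machineKey has no decryption attribute; remove it from the 1.1 config")

    # Both sides must compute the same MAC (SHA1 is the default in both versions when omitted).
    if mk11.get("validation", "SHA1") != mk20.get("validation", "SHA1"):
        problems.append("validation algorithm differs between the two applications")

    # The browser presents one cookie: name, protection level, path and domain must agree as well.
    f11 = _section(config_11, "./system.web/authentication/forms")
    f20 = _section(config_20, "./system.web/authentication/forms")
    for attr, default in (("name", ".ASPXAUTH"), ("protection", "All"), ("path", "/"), ("domain", "")):
        if f11.get(attr, default) != f20.get(attr, default):
            problems.append(f"<forms> {attr} differs between the two applications")
    return problems


if __name__ == "__main__":
    for label, cfg in (("pinned to 3DES", CONFIG_20_OK), ("default cipher", CONFIG_20_DEFAULT),
                       ("auto-generated key", CONFIG_20_AUTOGEN)):
        print(label, "->", check_shared_forms_auth(CONFIG_11, cfg) or "compatible")
```

Run it against your real web.config files by reading them into the two arguments; an empty list means the two machineKey elements and the two <forms/> elements line up as the snippets above require.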