ASP.NET webforms and MVC authentication sharing vi

Posted 2019-01-19 07:14

Question:

There seem to be parts of the answers to my problem spread over multiple posts, but putting them together hasn't worked so far for me, so I hope that when this post is answered it will form a more complete guide.

The problem

I have an ASP.NET webforms application (W1) and I would like to begin an upgrade to a separate MVC application (M1) over a period of time. The solution containing W1 has been upgraded to 4.5 and M1 has been created in the solution. W1 uses the ASP.Net membership framework.

The test case

In M1, I added the Authorize attribute to the About page in the HomeController

[Authorize] public ActionResult About()

I added a link to the about page in M1, originating from a page in W1 that requires the user to be logged in.

The expectation

I expect a user to be able to log into W1, click the link to the M1 about page and be automatically logged in to M1.

The configuration

Step 1

I have extracted the validationKey and decryptionKey from W1 using the method outlined here. Although this seems like a logical step I am not sure it is required as different keys still allow for a user to log in to W1.

Step 2

Following the information here and here, and after considerable debugging, I have modified sections of the Web.config files for the projects as follows:

For W1:

<system.web>
    <authentication mode="Forms">
        <forms name="WRSAUTH"
               loginUrl="~/Account/Login.aspx"
               defaultUrl="Default.aspx"
               protection="All"
               timeout="60"
               path="/"
               domain=".localhost"
               requireSSL="false"
               slidingExpiration="true"
               cookieless="UseCookies"
               enableCrossAppRedirects="false" />
    </authentication>
    <machineKey validationKey="<ValidationKey>"
                decryptionKey="<DecryptionKey>"
                validation="SHA1"
                decryption="AES" />
    <compilation debug="true" targetFramework="4.5" />
    <httpRuntime maxRequestLength="12288" />
</system.web>

For M1:

  <system.web>
    <authentication mode="Forms">
      <forms name="WRSAUTH" 
             loginUrl="~/Account/Login" 
             defaultUrl="~/" 
             protection="All" 
             timeout="60" 
             path="/" 
             domain=".localhost" 
             requireSSL="false"           
             slidingExpiration="true"
             cookieless="UseCookies" 
             enableCrossAppRedirects="false"/>
    </authentication>
    <machineKey validationKey="<ValidationKey>" 
                decryptionKey="<DecryptionKey>" 
                validation="SHA1" 
                decryption="AES"/>
    <compilation debug="true" targetFramework="4.5"/>
    <httpRuntime targetFramework="4.5"/>
  </system.web>
  <system.webServer>
    <modules>
      <!--<remove name="FormsAuthentication"/>-->
    </modules>
  </system.webServer>

Current Status

When clicking on the link in W1 which targets the M1 about page, the user is not authorized and is presented with the log in screen.

Is there something I am missing in the configuration?

Answer 1:

Finally got this to work!

1) Does not work locally with localhost or .localhost set as the domain

2) In W1, needed to add the attribute targetFramework="4.5" to httpRuntime

3) In W1, needed to add <add key="ValidationSettings:UnobtrusiveValidationMode" value="None" /> within the AppSettings node (tag)

Hope the time I spent posting this question and answer helps someone. I found pieces of this solution across many posts, but this brings them all together.
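
An added example, not part of the original question or answer: a small Python check that compares the `<system.web>` settings of two Web.config files and reports the conditions listed in the answer (a `localhost` cookie domain, a `targetFramework` mismatch on `httpRuntime`) as well as any difference in the forms cookie or `machineKey` attributes. The function names, the placeholder key values and the `.example.test` domain are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Settings both applications must agree on to read each other's ticket cookie.
CHECKED = {
    "authentication/forms": ("name", "path", "domain", "protection"),
    "machineKey": ("validationKey", "decryptionKey", "validation", "decryption"),
    "httpRuntime": ("targetFramework",),  # item 2 of the answer
}

def _settings(web_config_xml):
    """Flatten the checked attributes of <system.web> into one dict."""
    system_web = ET.fromstring(web_config_xml).find("system.web")
    if system_web is None:
        raise ValueError("no <system.web> section found")
    out = {}
    for path, attrs in CHECKED.items():
        node = system_web.find(path)
        for attr in attrs:
            out[f"{path}/@{attr}"] = None if node is None else node.get(attr)
    return out

def sharing_problems(config_a, config_b):
    """List the reasons a login in app A would not be honoured by app B."""
    a, b = _settings(config_a), _settings(config_b)
    problems = [f"{key}: {a[key]!r} != {b[key]!r}" for key in a if a[key] != b[key]]
    for label, cfg in (("A", a), ("B", b)):
        domain = (cfg["authentication/forms/@domain"] or "").lstrip(".").lower()
        if domain == "localhost":  # item 1 of the answer
            problems.append(f"{label}: forms domain is {domain}")
    return problems

def _config(domain, http_runtime):
    # Constructed sample modelled on the question; key values are placeholders.
    return f"""<configuration><system.web>
      <authentication mode="Forms">
        <forms name="WRSAUTH" path="/" domain="{domain}" protection="All" />
      </authentication>
      <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
                  decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                  validation="SHA1" decryption="AES" />
      <httpRuntime {http_runtime} />
    </system.web></configuration>"""

W1_AS_POSTED = _config(".localhost", 'maxRequestLength="12288"')
M1_AS_POSTED = _config(".localhost", 'targetFramework="4.5"')
W1_FIXED = _config(".example.test", 'maxRequestLength="12288" targetFramework="4.5"')
M1_FIXED = _config(".example.test", 'targetFramework="4.5"')

if __name__ == "__main__":
    for line in sharing_problems(W1_AS_POSTED, M1_AS_POSTED):
        print(line)
```

The real `<ValidationKey>` and `<DecryptionKey>` placeholders from the question are not valid XML inside an attribute, so substitute the actual values (or an entity-safe placeholder) before feeding a real Web.config to the check.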