I am trying to share forms auth from a root application to a sub application running in a virtual directory. I am having trouble with authentication in the subsite.
In the parent application everything works as expected.
I have the following setup:
Parent application:
- URL: http://localhost:1336/
<forms loginUrl="~/account/sign-in" protection="All" timeout="30" name=".MYAPPLICATION" path="/" requireSSL="false" slidingExpiration="true" cookieless="UseDeviceProfile" enableCrossAppRedirects="true" defaultUrl="/" />
Virtual Directory:
- URL: http://localhost:1336/subsite
<forms loginUrl="/account/sign-in" protection="All" timeout="30" name=".MYAPPLICATION" path="/" requireSSL="false" slidingExpiration="true" cookieless="UseDeviceProfile" enableCrossAppRedirects="true" defaultUrl="/" />
When I try to access http://localhost:1336/subsite
I get the following flow:
- GET for http://localhost:1336/subsite -> 302 to /account/sign-in?ReturnUrl=%2fsubsite (looks ok)
- Enter User/password
- POST to http://localhost:1336/account/sign-in?ReturnUrl=%2fsubsite -> 302 /subsite (great, the auth looks like it's successful)
- GET for http://localhost:1336/subsite -> 302 to /account/sign-in?ReturnUrl=%2fsubsite (i.e. the subsite doesn't think it's authenticated)
Also, I can see the cookie in the list in my browser (so it's actually there).
What have I got wrong in my config that's stopping my subsite from sharing the parent cookie?
I am running this on IIS Express.
In your web.config files, set a common machine key between the projects so that the 2 domains share validation and decryption keys.
example:
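A sketch of the shared `machineKey` element the answer refers to, added here and not taken from the original answer; the key values are placeholders and the algorithm choices are assumptions. Without explicit keys, ASP.NET defaults to `AutoGenerate,IsolateApps`, which derives different keys for each application, so the subsite cannot validate or decrypt a ticket issued by the parent even though the cookie name and path match.

```xml
<!-- Added example: place the SAME element in the web.config of both the
     parent application and the /subsite application. -->
<configuration>
  <system.web>
    <!--
      validationKey / decryptionKey below are placeholders, not real keys.
      Generate your own random hex values; do not copy keys from examples
      or online generators, and keep them out of source control, because
      anyone who holds them can mint valid forms-auth tickets.
      Assumed algorithm choices: HMACSHA256 (validationKey up to 128 hex
      chars) and AES (64 hex chars gives a 256-bit decryptionKey).
    -->
    <machineKey
      validationKey="PLACEHOLDER_128_HEX_CHARS"
      decryptionKey="PLACEHOLDER_64_HEX_CHARS"
      validation="HMACSHA256"
      decryption="AES" />
  </system.web>
</configuration>
```

If the two applications target different .NET Framework versions, the `compatibilityMode` attribute of `machineKey` also has to match for the ticket to be readable in both.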