This article was previously published under Q313116
When you use forms authentication, requests are not redirected to the page that is specified in the loginUrl attribute.
This problem occurs when more than one application on a server uses forms authentication and these configuration settings are identical:
Identical Cookie Names
Forms authentication primarily works off of the authentication cookie. An authentication cookie is placed in the HttpResponse.Cookies collection once a user is authenticated. When a request comes in, forms authentication retrieves the authentication cookie from the HttpRequest.Cookies collection.
If a valid cookie is not present, the user is redirected to the page that is specified in the loginUrl attribute. If a valid cookie is present, forms authentication considers the user authenticated.
The name attribute of the <forms> element in the .config files determines the name of the authentication cookie. By default, the name of the cookie is .ASPXAUTH. Therefore, if multiple applications on the same Web server use the name "authCookie" for the authentication cookie, a request that was authenticated in one application is considered authenticated in another application because the request contains a cookie named authCookie.
Identical Cookie Paths
Forms authentication primarily works off of the authentication cookie. The path attribute of the <forms> element determines which application the authentication cookie can be sent to on the Web server. The default value of the path attribute is a forward slash (/) so that the cookie can be sent to every application on the Web site.
Therefore, if multiple applications on the same Web site use the forward slash for the path of the authentication cookie, when a request is sent from one application to another application, the authentication cookie is sent to the other application.
The <machineKey> element controls the encryption, the decryption, and the validation of the authentication cookie. The default configuration for the element is as follows:
If multiple applications use identical, explicit values for the <machineKey> element, an authentication cookie that is sent from one application is decrypted by another application successfully.
To resolve this problem, make sure that at least one of the three configuration settings (cookie name, cookie path, and key) is different for each application that uses forms authentication.
Different Cookie Names
If you use different cookie names for each application, you ensure that forms authentication only retrieves a cookie according to the name that is configured for that application.
Application1 uses the name authCookie1.
Application2 uses the name authCookie2.
A request is made to Application2.
Forms authentication tries to retrieve authCookie2 from the HttpRequest.Cookies collection, even though the authCookie1 cookie exists.
When forms authentication does not find an authentication cookie with the name authCookie2, the user is redirected to the page that is specified in the loginUrl attribute for Application2.
Different Cookie Paths
If you use a different cookie path, you ensure that the authentication cookie is sent only to the application in which the cookie originated.
Application1 uses the path /application1.
Application2 uses the path /application2.
Forms authentication authenticates to Application1.
A request is made to Application2. The browser does not send the authentication cookie from Application1 to Application2 because the cookie can be sent only to Application1.
NOTE: The path attribute is case sensitive. Therefore, if the you set the value of the path attribute to /application1, and if the application name is Application1, the authentication cookie path is /application1.
When the user is authenticated and redirected, the browser does not send the cookie with the /application1 path to the Application1 application. Essentially, the authentication cookie is not part of the HttpRequest.Cookies collection. As a result, the user is redirected to the page that is specified in the loginUrl attribute, even after authentication.
Microsoft recommends that you confine forms authentication cookies to areas of the site that are protected by Secure Sockets Layer (SSL) encryption.
If different applications use different, explicit values for the <machineKey> element, the encryption, the decryption, or the validation of the authentication cookie fails. As a result, the user is redirected to the page that is specified in the loginUrl attribute for the application.
NOTE: Even in identical configurations, authorization rules still apply. In the examples to follow, if User1 is authenticated in Application1 and makes a request to Application2, the request is authenticated. However, because User1 is not one of the allowed users in the <authorization> section, the request is not authorized and is denied.