Can an ASP.NET 4.0 application within an ASP.NET 2.0 site use the same Forms Authentication cookie?

Question

See update at bottom of question

I have an ASP.NET 2.0 web application (say https://mysite.somedomain.com/) which uses forms authentication. I wish to integrate an ASP.NET 4.0 web app within this site, based at https://mysite.somedomain.com/NewApp/. Forms Auth is working on the outer app, but the inner app is rejecting the cookie.

web.config on the outer (ASP.NET 2.0) web app contains:

<httpCookies requireSSL="true"/>
<authentication mode="Forms">
    <forms name="MySiteWebAuth" loginUrl="/Login.aspx" protection="All" 
           path="/" timeout="90" requireSSL="true" slidingExpiration="true"/>  
</authentication>
<machineKey (same machine key is in both configs)  
    validation="SHA1"
    decryption="AES"/>
<authorization>
  <deny users="?"/>
  <allow users="*" />
</authorization>

web.config on the inner (ASP.NET 4.0) web app contains:

<authentication mode="Forms">
    <forms name="MySiteWebAuth" loginUrl="/Login.aspx" protection="All" 
           path="/" timeout="90" requireSSL="true" slidingExpiration="true"
           ticketCompatibilityMode="Framework20"/>  
</authentication>
<machineKey (same machine key is in both configs)  
    validation="SHA1"
    decryption="AES"/>

This is the code in Login.aspx.cs that sets the cookie on successful authentication:

FormsAuthenticationTicket ticket = 
    new FormsAuthenticationTicket(
        1, 
        ApplicationContext.User.Identity.Name, 
        DateTime.Now, 
        DateTime.Now.AddMinutes(90), 
        false, 
        ApplicationContext.User.Identity.SessionID.ToString()
    );
HttpCookie cookie = 
   new HttpCookie(
       FormsAuthentication.FormsCookieName, 
       FormsAuthentication.Encrypt(ticket)
   );

cookie.Path = FormsAuthentication.FormsCookiePath;
cookie.HttpOnly = true;
Response.Cookies.Add(cookie);

If I log into the outer web app, then navigate to a page within the inner web app, it does a redirect to the login page and writes Forms authentication failed for the request. Reason: The ticket supplied was invalid. to the event log on the server.

How do I get the ASP.NET 2.0 Forms Auth ticket to be accepted by the inner ASP.NET 4.0 web app?

Update: It works under HTTPS IIS 7.5, but not under HTTPS IIS 7.0. Doing some more investigation.

Update 2: We have applied Server 2008 SP2 to the server along with the recent patch for the hash-collision DoS and since then the cookie sharing has worked.

Answer 1

In addition to keeping nearly all of the aforementioned values the same, you'll need to set the machineKey element's compatibilityMode attribute in the 4.0 application's configuration file:

<machineKey compatibilityMode="Framework20SP2" validationKey="THE_KEY" decryptionKey="ANOTHER_KEY" validation="SHA1" />

Answer 2

I'm assuming you read this - http://msdn.microsoft.com/en-us/library/eb0zx8fc.aspx - perhaps remove the ticketCompatibilityMode attribute from your 4.0 app, or at least make sure they're the same.