EnableCrossAppRedirects - Where is the cross-domain access feature registered?

Here's an interesting feature of ASP.NET FormsAuthentication explained in this SO answer: How to get through an authenticated session between application domains

Short summary: you can create two ASP.NET websites with the same encryption keys. WebsiteA can create forms-auth tokens and redirect to WebsiteB, passing the token in the query string (or POST body). Enable EnableCrossAppRedirects in WebsiteB and ASP.NET detects the token and creates the forms-auth cookie. In code:

    FormsAuthentication.RedirectFromLoginPage("alice", true);
    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket("Alice", true, 30);
    string encrypted = FormsAuthentication.Encrypt(ticket);
    Response.Redirect("http://siteb.dev/Secure/WebForm1.aspx?"
        + FormsAuthentication.FormsCookieName + "=" + encrypted);

Sounds like a great feature, but where is it documented? I felt a bit awkward using an undocumented feature.

Where I looked: there is no mention of this behaviour in any of the MSDN links. I thought that maybe RedirectFromLoginPage would build a redirect like my code above, but it does not.

+8
c# forms-authentication
1 answer

Looking in Reflector, there is a (somewhat undocumented) feature of Forms Authentication. When EnableCrossAppRedirects is enabled, .NET, in addition to looking for a cookie, attempts to extract the forms authentication ticket from the form post or the query string. This code lives in the FormsAuthentication class in the ExtractTicketFromCookie method, where you can see it explicitly while it tries to find the authentication cookie in the request data.

    if (FormsAuthentication.EnableCrossAppRedirects)
    {
        // First try the query string for a parameter named after the forms cookie.
        text = context.Request.QueryString[name];
        if (text != null && text.Length > 1)
        {
            if (!cookielessTicket && FormsAuthentication.CookieMode == HttpCookieMode.AutoDetect)
            {
                cookielessTicket = CookielessHelperClass.UseCookieless(context, true, FormsAuthentication.CookieMode);
            }
            try
            {
                formsAuthenticationTicket = FormsAuthentication.Decrypt(text);
            }
            catch
            {
                flag2 = true; // decryption failed (wrong machineKey or tampered value)
            }
            if (formsAuthenticationTicket == null)
            {
                flag2 = true;
            }
        }
        // If the query string gave no valid, unexpired ticket, fall back to the POST body.
        if (formsAuthenticationTicket == null || formsAuthenticationTicket.Expired)
        {
            text = context.Request.Form[name];
            if (text != null && text.Length > 1)
            {
                if (!cookielessTicket && FormsAuthentication.CookieMode == HttpCookieMode.AutoDetect)
                {
                    cookielessTicket = CookielessHelperClass.UseCookieless(context, true, FormsAuthentication.CookieMode);
                }
                try
                {
                    formsAuthenticationTicket = FormsAuthentication.Decrypt(text);
                }
                catch
                {
                    flag2 = true;
                }
                if (formsAuthenticationTicket == null)
                {
                    flag2 = true;
                }
            }
        }
    }

Therefore, if you enable EnableCrossAppRedirects in both applications, the first application is allowed to redirect to the external site, and the second application will automatically read the authentication cookie from the request. You just need to design it so that the login URL posts the cookie or passes it in the query string. You must also be sure that either the machine keys are synchronized or that the cookie is encrypted with the machine key of the external application (for the first application). Apparently, by default, .NET will send the encrypted authentication cookie in the query string if your machine keys are synchronized (see the quote from MSDN below).

Here is more information from MSDN:

If the CookiesSupported property is true, and either the ReturnUrl variable is in the current application or the EnableCrossAppRedirects property is true, then the RedirectFromLoginPage method issues an authentication ticket and places it in the default cookie using the SetAuthCookie method.

If CookiesSupported is false and the redirect path is a URL in the current application, the ticket is issued as part of the redirect URL. If CookiesSupported is false, EnableCrossAppRedirects is true, and the redirect URL does not refer to a page in the current application, the RedirectFromLoginPage method issues an authentication ticket and places it in the QueryString property.

There is a big warning about the security impact. EnableCrossAppRedirects is a security setting that controls whether ASP.NET allows redirects to an external return URL (another web application). If this option is enabled, it can be used in some forms of attack: the user is sent to the official login page, but when they log in, they are redirected to another application which, as far as they can tell, is the same one. This is why it is disabled by default.

One way to mitigate this when you enable the feature:

To increase security when using cross-application redirection, you should override the RedirectFromLoginPage method to allow redirection only on approved websites.

You also need to ensure that the redirect request is sent over SSL to protect the cookie in transit, as anyone intercepting it could take over the account.

+14
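As an added example (not code from the question or the answer above), one way to apply the two mitigations the answer names before the ticket is placed in the query string: an explicit allow-list of approved HTTPS hosts is checked, and anything else stays inside the local application. The CrossAppRedirect class, the ApprovedHosts list and the host siteb.dev are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;

// Added example, not from the original post: gate the cross-application
// redirect on an allow-list instead of trusting any ReturnUrl.
public static class CrossAppRedirect
{
    // Hypothetical allow-list; a real deployment would load it from configuration.
    private static readonly HashSet<string> ApprovedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "siteb.dev" };

    // True only for an absolute HTTPS URL whose host is on the allow-list.
    public static bool IsApprovedReturnUrl(string returnUrl)
    {
        Uri uri;
        if (!Uri.TryCreate(returnUrl, UriKind.Absolute, out uri)) return false;
        if (uri.Scheme != Uri.UriSchemeHttps) return false; // ticket must not travel in clear text
        return ApprovedHosts.Contains(uri.Host);
    }

    // Builds the redirect target with the encrypted ticket appended, or returns
    // null when the destination is not approved so the caller stays local.
    public static string BuildRedirectUrl(string returnUrl, string userName, TimeSpan lifetime)
    {
        if (!IsApprovedReturnUrl(returnUrl)) return null;

        // Short, non-persistent ticket: the value ends up in logs and Referer headers.
        var ticket = new FormsAuthenticationTicket(userName, false, (int)lifetime.TotalMinutes);
        string encrypted = FormsAuthentication.Encrypt(ticket); // uses this app's machineKey

        var builder = new UriBuilder(returnUrl);
        string param = FormsAuthentication.FormsCookieName + "=" + HttpUtility.UrlEncode(encrypted);
        // UriBuilder.Query returns a leading '?' but must be set without one.
        builder.Query = string.IsNullOrEmpty(builder.Query)
            ? param
            : builder.Query.TrimStart('?') + "&" + param;
        return builder.Uri.AbsoluteUri;
    }

    // Login-page usage: only approved targets receive the ticket; everything
    // else falls back to this application's own default page.
    public static void RedirectAfterLogin(HttpResponse response, string returnUrl, string userName)
    {
        string target = BuildRedirectUrl(returnUrl, userName, TimeSpan.FromMinutes(5));
        response.Redirect(target ?? FormsAuthentication.DefaultUrl, true);
    }
}
```

The receiving application still needs EnableCrossAppRedirects set and a matching machineKey, exactly as the answer describes; this example only narrows where the sending side is willing to hand the ticket.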
