TL;DR: Assuming both applications use the same top-level domain, you can share the authentication cookie. Set the domain in the cookie and share any keys necessary to decrypt it between the applications.
Here I assume that you are using FormsAuthentication.
1) Add the domain attribute to the authentication/forms section:
<authentication mode="Forms">
  <forms loginUrl="~/account/login" timeout="2880" defaultUrl="~/" slidingExpiration="true" protection="All" domain=".yourdomain.tld" name="YOUR_COOKIE_NAME" />
</authentication>
Pay attention to the leading period in the domain.
2) In order for both applications to decrypt the cookie, you need to add a machineKey to both and use the same validation and decryption keys:
<machineKey compatibilityMode="Framework45" validation="HMACSHA256" validationKey="YOURVALIDATIONKEYHERE" decryption="AES" decryptionKey="YOURDECRYPTIONKEYHERE" />
You can use the machine key tool in IIS Manager (provided that you have access to the web server) or some other tool that produces valid keys. If you need a suggestion, I created an application you can use here; it refers to the Github project if you want to generate your own keys.
For completeness:
Here is the class that will generate the valid keys:
using System;
using System.Linq;
using System.Security.Cryptography;

public class KeyGenerator
{
    // Returns `length` cryptographically random bytes as a hex string
    // (machineKey wants hex; upper-case is the conventional form).
    public string GenerateKey(int length, bool useUpperCase = true)
    {
        byte[] buffer = new byte[length];
        using (var randomNumberGenerator = new RNGCryptoServiceProvider())
        {
            randomNumberGenerator.GetBytes(buffer);
        }
        return ToHexString(buffer, useUpperCase);
    }

    private static string ToHexString(byte[] bytes, bool useUpperCase = false)
    {
        var hex = string.Concat(bytes.Select(b => b.ToString(useUpperCase ? "X2" : "x2")));
        return hex;
    }
}
And you will use something like this to get the keys:
var generator = new KeyGenerator();
string validationKey = generator.GenerateKey(64); // 64 bytes = 128 hex chars for HMACSHA256
string decryptionKey = generator.GenerateKey(32); // 32 bytes = 64 hex chars for AES-256
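The two steps above only work if both web.config files end up with an identical machineKey and an identical cookie name/domain, and that is the part that usually goes wrong (a key regenerated on one server, a cookie name changed in one app). Below is an added example, not code from the answer above or from its linked Github project: a small console program that either prints a fresh machineKey element to paste into both configs, or, given the paths to the two web.config files (the command-line arguments and file layout are assumptions), loads them and reports every setting on which they disagree. It uses RandomNumberGenerator.Create() so it runs on .NET Framework 4.5+ as well as .NET Core/.NET.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Xml.Linq;

// Added example: generate a machineKey pair and check that two applications'
// web.config files agree on everything cookie sharing depends on.
static class SharedAuthConfigCheck
{
    // 64 random bytes for the HMACSHA256 validationKey, 32 for the AES-256 decryptionKey.
    static string NewHexKey(int byteLength)
    {
        var buffer = new byte[byteLength];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(buffer);
        }
        return BitConverter.ToString(buffer).Replace("-", ""); // upper-case hex
    }

    static string MachineKeyElement(string validationKey, string decryptionKey) =>
        "<machineKey compatibilityMode=\"Framework45\" validation=\"HMACSHA256\" " +
        $"validationKey=\"{validationKey}\" decryption=\"AES\" decryptionKey=\"{decryptionKey}\" />";

    // Returns the list of mismatches; an empty list means the two apps can share the cookie.
    static string[] CompareConfigs(string pathA, string pathB)
    {
        var problems = new List<string>();

        // configuration/system.web/<name>
        XElement Section(string path, string name) =>
            XDocument.Load(path).Root?.Element("system.web")?.Element(name);

        var keyA = Section(pathA, "machineKey");
        var keyB = Section(pathB, "machineKey");
        if (keyA == null || keyB == null)
            problems.Add("machineKey missing in at least one web.config");
        else
            foreach (var attr in new[] { "validationKey", "decryptionKey", "validation", "decryption", "compatibilityMode" })
                if ((string)keyA.Attribute(attr) != (string)keyB.Attribute(attr))
                    problems.Add($"machineKey/@{attr} differs");

        var formsA = Section(pathA, "authentication")?.Element("forms");
        var formsB = Section(pathB, "authentication")?.Element("forms");
        if (formsA == null || formsB == null)
            problems.Add("authentication/forms missing in at least one web.config");
        else
        {
            foreach (var attr in new[] { "name", "domain", "protection" })
                if ((string)formsA.Attribute(attr) != (string)formsB.Attribute(attr))
                    problems.Add($"forms/@{attr} differs");

            // The browser only sends the cookie to both hosts if the domain is the parent domain.
            var domain = (string)formsA.Attribute("domain");
            if (string.IsNullOrEmpty(domain) || !domain.StartsWith("."))
                problems.Add("forms/@domain must be set and start with a leading period");
        }

        return problems.ToArray();
    }

    static void Main(string[] args)
    {
        if (args.Length < 2)
        {
            // No config paths given: emit a fresh element to paste into BOTH web.config files.
            Console.WriteLine(MachineKeyElement(NewHexKey(64), NewHexKey(32)));
            return;
        }

        // Assumed usage: SharedAuthConfigCheck <appA\web.config> <appB\web.config>
        var problems = CompareConfigs(args[0], args[1]);
        Console.WriteLine(problems.Length == 0
            ? "OK: both web.config files agree on machineKey and forms cookie settings"
            : string.Join(Environment.NewLine, problems));
    }
}
```

Run it once without arguments to get the machineKey line, paste that line into both configs, then run it with the two web.config paths before deploying; any line it prints is a reason the second application will reject the first one's cookie.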