ASP.NET Forms Authentication between Applications with different form credentials

Question

I have an application running ASP.NET on 3.0 framework that uses form authentication. I am now building and MVC 4 application that also uses forms authentication and I would like to share authentication between the two apps. I have both config files matching for the auth tag and exact machine key tags. I think my problem is that the ASP.NET application uses the old ASP membership provider which has the user passwords in MD5 format, and the MVC application is using simple membership, password format SHA1.

Is there a way to share user authentication between the two apps even with different credentials(password formats)?

For the main app that authenticates in the forms tag I have this

<credentials passwordFormat="MD5"/>

I am not really sure if this is my issue or what's going on.

Answer 1

Well figured out my answer. All I had to do was add in the tag was the attribute compatibilityMode="Framework20SP2".

This was due to the fact my ASP.NET app was running on the older framework and my new MVC app was on framework 4.0

Answer 2

Your options are pretty much:

1. Write your own ASP.Net 2.0 MembershipProvider to use the PBKDF2 algorithm to store passwords (Resetting everyone's passwords will be required).

2. You don't get to override SimpleMembershipProviders storage of passwords (that I know of) so you'll have to writing your own ExtendedMembershipProvider to duplicate the ASP.Net 2.0 security mechanisms in the default MembershipProvider.

As a side note, MD5 is (in my opinion) a terrible algorithm to store passwords. At this point from what I've read bcrypt or PBKDF2 is recommended by most security experts.

If you're interested on the changes Microsoft made to increase security in .Net releases the article Stronger Password Hashing in .NET with Microsoft's Universal Providers is a good read.