The security warning you saw about the "EnableCrossAppRedirects" setting is
there because potentially malicious (unexpected) sites could send
redirections to your page. Actually, "EnableCrossAppRedirects" is only
checked when you call the "FormsAuthentication.RedirectFromLoginPage" or
"GetRedirectUrl" methods (if it is not enabled, you cannot use these two
methods to redirect to, or get the redirect path of, another remote
application).
Therefore, you can actually disable this setting if you do not have to call
the above two methods. For example, you can have your other applications
always pass a certain security identifier in the query string when
redirecting unauthenticated users to the login application's login.aspx.
The login page can then use the query string value (or one from a cookie).
After authenticating the user, you can simply call
"FormsAuthentication.SetAuthCookie" to set the authentication ticket and
manually use Response.Redirect to forward the user to the original site
(supposing there are only a limited number of applications that share the
same central login application).
Here are some other resources on configuring the machine key and cross
application forms authentication:
#How To: Configure MachineKey in ASP.NET 2.0
#Single sign-on across multiple applications in ASP.NET
Hope this also helps.
Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.
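
The approach described in the post above, sketched as an added example (not code from the original post or from Microsoft): the login page maps an application identifier from the query string to a fixed list of sites, calls SetAuthCookie, and redirects only to a listed site. The query string names "app" and "path", the application identifiers and URLs, and the controls UserName, Password and ErrorLabel are hypothetical; it assumes all applications share the same machineKey and forms cookie settings.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Security;
using System.Web.UI;

// Code-behind for the central login application's login.aspx (added example).
// UserName, Password and ErrorLabel are hypothetical controls declared in the markup.
public partial class Login : Page
{
    // Hypothetical identifiers and base URLs of the applications sharing this login page.
    private static readonly Dictionary<string, string> KnownApps =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "orders",  "https://orders.example.com" },
            { "reports", "https://reports.example.com" }
        };

    // Build the redirect target from the identifier; the host always comes from
    // the fixed list above, never from a URL supplied by the caller.
    private static string ResolveTarget(string appId, string path)
    {
        string baseUrl;
        if (string.IsNullOrEmpty(appId) || !KnownApps.TryGetValue(appId, out baseUrl))
            return null;

        // Optional return path: accepted only when site-relative, otherwise use the root.
        bool relative = !string.IsNullOrEmpty(path) && path[0] == '/';
        return baseUrl + (relative ? path : "/");
    }

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string target = ResolveTarget(Request.QueryString["app"], Request.QueryString["path"]);
        if (target == null)
        {
            ErrorLabel.Text = "Unknown application.";
            return;
        }
        if (!Membership.ValidateUser(UserName.Text, Password.Text))
        {
            ErrorLabel.Text = "Invalid user name or password.";
            return;
        }

        // Issue the forms authentication ticket, then redirect manually.
        // RedirectFromLoginPage and GetRedirectUrl are not called, so
        // EnableCrossAppRedirects can stay disabled.
        FormsAuthentication.SetAuthCookie(UserName.Text, false);
        Response.Redirect(target);
    }
}
```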