Submit Logon form to ASP.NET MVC 2 app from MVC 3 child app - anti-forgery token invalid
I have a parent ASP.NET MVC 2 application at /localhost/app (running in IIS on my dev machine). I can log into this fine from /localhost/app/Account/LogOn. I have a child app (MVC 3) at /localhost/app/childapp. Both apps' web.config have the same machineKey (validationKey/decryptionKey), and if I log on via the parent app, the child app correctly authenticates via the cookie set by the parent app.
What I want is to be able to go to the child app's logon page /localhost/app/childapp/Account/LogOn and post that page to the parent app's logon account controller. However, when I try this, the parent app gives me a server error "A required anti-forgery token was not supplied or was invalid." Given that I have a RequestVerificationToken in both cookie and post, it should be the latter (invalid, vs. not supplied).
Is this just the anti-forgery token doing its thing, and I can't use that token and post across applications despite sharing the authentication cookie? Or is there a way to make this work? Many thanks!
You could try specifying the domain and path when generating the antiforgery token which will allow the cookie to be automatically sent to the child application:
@Html.AntiForgeryToken(null, "example.com", "/")
Also try inspecting with FireBug the request being sent and see if the cookie is being sent to the child application and if it has the same value as the hidden field.
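The domain and path arguments in the answer above control which requests the browser attaches the token cookie to. As an added example (not code from the question or the answer), this sketch applies the RFC 6265 matching rules to constructed cookie scopes for the two logon URLs; the `http://localhost` URLs, the cookie attributes and all function names are assumptions.

```javascript
// Added example: RFC 6265 cookie scoping. Hosts, paths and cookie attributes
// are constructed; read the real ones from the Set-Cookie header in your trace.

// Section 5.1.3: a cookie with no Domain attribute is host-only (exact match).
function domainMatches(requestHost, cookie) {
  const host = requestHost.toLowerCase();
  if (!cookie.domain) return host === cookie.setByHost.toLowerCase();
  const domain = cookie.domain.replace(/^\./, "").toLowerCase();
  const isIp = /^[\d.]+$/.test(host) || host.includes(":");
  return host === domain || (!isIp && host.endsWith("." + domain));
}

// Section 5.1.4: prefix match on a "/" boundary, compared case-sensitively.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

function wouldBeSent(cookie, url) {
  const { hostname, pathname } = new URL(url);
  return domainMatches(hostname, cookie) && pathMatches(pathname, cookie.path || "/");
}

const PARENT_LOGON = "http://localhost/app/Account/LogOn";
const CHILD_LOGON = "http://localhost/app/childapp/Account/LogOn";

// Constructed token cookies, as different Set-Cookie scopes would produce them.
const COOKIES = {
  childScoped: { setByHost: "localhost", path: "/app/childapp" },
  rootScoped: { setByHost: "localhost", path: "/" },
  wrongCase: { setByHost: "localhost", path: "/App" },
  otherDomain: { setByHost: "localhost", domain: "example.com", path: "/" },
};

// For each sample cookie: is it attached to the parent and child logon POSTs?
function scopeReport() {
  const rows = {};
  for (const [name, cookie] of Object.entries(COOKIES)) {
    rows[name] = {
      parent: wouldBeSent(cookie, PARENT_LOGON),
      child: wouldBeSent(cookie, CHILD_LOGON),
    };
  }
  return rows;
}

console.table(scopeReport());
```

This only answers whether the cookie reaches the parent app, which is the "not supplied" half of the error message; a cookie that arrives can still fail validation there.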