While scanning for interesting MOSS stuff on the net I stumbled across this little gem. Old news for sure, but a topic that had kept me awake at night some time ago. By fixing up the encryption and decryption key of the cookie values, one can share quite easily the same cookies across different apps and even subdomains. This allows for smooth Single-Sign-On style behaviour across multiple apps, even v1.1 and v2.0 apps, as you can also share the forms authentication cookie. Because Browsers only send the cookies based on domain, this will not work for cross domain requests (sub domains are ok). For cross domain scenarios a passport like structure will be needed with one cenrtal authentication service doing the work.