I am developing two separate MVC apps. For both I have implemented OWIN... something like this:
    var identity = new ClaimsIdentity(claims, DefaultAuthenticationTypes.ApplicationCookie);
    this.AuthenticationManager.SignIn(new AuthenticationProperties
    {
        AllowRefresh = true,
        IsPersistent = rememberMe,
        ExpiresUtc = DateTime.UtcNow.AddDays(7)
    }, identity);
My issue: If I log in to APP1 and then I go to APP2, I am automatically logged in on APP2.
Does your web.config file in each project have an explicitly defined <machineKey>?
I.e.
    <machineKey decryptionKey="[some value]" validationKey="[some value]" />
If both sites are on the same domain (website1.domain.com, website2.domain.com), the cookie will persist, and an attempt to decrypt will be made. So if both config files have the key defined and are the same, it will assume authentication.
This depends on how you have your authentication defined though, and may not be the case.
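The effect described in the answer above, as an added example that is not code from the question or the answer: a simplified C# console model in which a ticket is only HMAC-signed, showing that a cookie issued by APP1 verifies in APP2 when both hold the same key and is rejected once each app uses its own key. The key value, the `TicketDemo` class, the `APP1`/`APP2` purpose strings and the ticket layout are assumptions made for illustration; this is not the real OWIN cookie format.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Simplified model of a keyed auth ticket (HMAC only); not the OWIN ticket format.
static class TicketDemo
{
    // Hypothetical helper: derive a per-application key from a purpose string.
    static byte[] DeriveKey(byte[] configuredKey, string purpose)
    {
        using (var h = new HMACSHA256(configuredKey))
            return h.ComputeHash(Encoding.UTF8.GetBytes(purpose));
    }

    // Ticket = base64(user) + "." + base64(HMAC(key, user)).
    static string Issue(byte[] key, string user)
    {
        byte[] payload = Encoding.UTF8.GetBytes(user);
        using (var h = new HMACSHA256(key))
            return Convert.ToBase64String(payload) + "."
                 + Convert.ToBase64String(h.ComputeHash(payload));
    }

    // Returns the user name if the MAC verifies under this app's key, else null.
    static string Validate(byte[] key, string cookie)
    {
        string[] parts = cookie.Split('.');
        if (parts.Length != 2) return null;
        byte[] payload = Convert.FromBase64String(parts[0]);
        byte[] mac = Convert.FromBase64String(parts[1]);
        using (var h = new HMACSHA256(key))
        {
            byte[] expected = h.ComputeHash(payload);
            int diff = expected.Length ^ mac.Length;   // constant-time comparison
            for (int i = 0; i < expected.Length && i < mac.Length; i++)
                diff |= expected[i] ^ mac[i];
            return diff == 0 ? Encoding.UTF8.GetString(payload) : null;
        }
    }

    static void Main()
    {
        // Constructed demo key, standing in for an identical key in both configs.
        byte[] shared = Encoding.UTF8.GetBytes("constructed-demo-key");
        string cookie = Issue(shared, "alice");                 // issued by APP1
        Console.WriteLine("APP2, same key:    " + (Validate(shared, cookie) ?? "rejected"));
        string isolated = Issue(DeriveKey(shared, "APP1"), "alice");
        Console.WriteLine("APP2, per-app key: "
            + (Validate(DeriveKey(shared, "APP2"), isolated) ?? "rejected"));
    }
}
```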