3

We have our production website in .NET and a third-party web app that runs as a virtual application from the website. I have been tasked with maintaining the session timeout between the website and the third-party app, i.e. as long as the user is active on the third-party app, the session stays alive, so when they go back to the website, even if it is after the 20-minute expiration, their session is still active. We're using forms authentication in both the website and the app for session management, and from what I've read I should be able to do this through settings in the web.config. I have updated the authentication section of both web.config files with

Basically I am working with www.mydomain.com and www.mydomain.com/app/

    <authentication mode="Forms">
        <forms
           name=".ASPXFORMSAUTH"
           loginUrl="home.aspx"
           enableCrossAppRedirects="true"
           slidingExpiration="true"
           path="/"
           domain=".infinedi.net">
        </forms>

    </authentication>
    <machineKey
          validationKey="BDEA0BE471E4E2C24E5A9552AF232C3E7BF584DBEEAA1262CEE78CB5126FBBBE9E8007DB5ED8357FEE5C2C5B6FF3FC7D34C7CEA54DE3790560FCDEBF44415804"
          decryptionKey="2E31C984223964655C203E3A91AF139B1AE0A964F1475E204E6AACE62840EAB0"
          validation="SHA1"
          decryption="AES"
          />

But this didn't do the trick. When watching with Fiddler I can see that as soon as I go into the third-party app, I get a new .ASPXFORMSAUTH session, which I suspect is why the website session times out. Is doing this through the web.config even possible, or is there a different direction I should be going?

Brian
  • You get a new session because you are on a new website. If you were to go back to the original website and send the original session id you _should_ have access to your session for as long as you have it configured. – Joshua Drake May 09 '12 at 20:24
  • Also, your title focuses on authentication, but your question text focuses on session. What more specifically are you trying to achieve? – Joshua Drake May 09 '12 at 20:28
  • Session management. Updated the title to make that clearer. From what I had found online, I thought setting the root domain in the web.config forms tag was doing that. – Brian May 09 '12 at 20:42
  • You may want to take a look at the answers/comments on [Multiple WebRequest in same session](http://stackoverflow.com/questions/787857/multiple-webrequest-in-same-session) and [C# Keep Session Id over httpwebrequest](http://stackoverflow.com/questions/1453560/c-sharp-keep-session-id-over-httpwebrequest). – Joshua Drake May 10 '12 at 13:40

2 Answers

0

Wasn't able to get this to work, so I resorted to using an iframe. Ugly solution that I'll have to revisit later.

Brian
0

I think the problem you're having is because ASP.NET assigns a new Session ID per application. Even if you have the same cookie name and encryption parameters, the internally generated session ID will be different. You might be able to get around this by manually detecting an existing session and updating the session ID. This used to be a common workaround for Flash-based file uploaders because Flash didn't send the appropriate cookies, so the upload handler on the server side couldn't identify the user's existing session.

http://snipplr.com/view/15180/

Using the example code at the above URL, the Flash app would post to a URL containing the session ID in the query string, which the BeginRequest handler would detect and use to update the Request.Cookies collection. I haven't tested this, but you may be able to modify the code a bit to detect the existing cookie from the parent app.

As an alternative, see: Sharing sessions across applications using the ASP.NET Session State Service

kristianp
Chris
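A diagnostic for the symptom in the question (a new .ASPXFORMSAUTH cookie appearing on entry to /app), added here as an example; it is not code from the question, the answers or the snipplr link. It reports whether each application receives the forms ticket and can decrypt it, which is separate from the per-application session state cookie (ASP.NET_SessionId). The class name `FormsTicketProbeModule` is hypothetical, and the example assumes a module can be registered in both applications.

```csharp
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Security;

// Added diagnostic; the class name is hypothetical. Register the same module
// in the site and in /app, then compare what each application logs.
public sealed class FormsTicketProbeModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // BeginRequest fires before FormsAuthenticationModule authenticates,
        // so this sees the cookie exactly as the browser sent it.
        app.BeginRequest += (sender, e) => Probe(((HttpApplication)sender).Context);
    }

    private static void Probe(HttpContext ctx)
    {
        string appPath = ctx.Request.ApplicationPath;
        string name = FormsAuthentication.FormsCookieName;
        HttpCookie cookie = ctx.Request.Cookies[name];

        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            // Not sent at all: look at the cookie's domain, path and secure flag.
            Trace.TraceWarning("[{0}] no {1} cookie on the request", appPath, name);
            return;
        }

        try
        {
            // Succeeds only if this app's machineKey settings match the issuer's.
            FormsAuthenticationTicket t = FormsAuthentication.Decrypt(cookie.Value);
            Trace.TraceInformation(
                "[{0}] ticket accepted: issued={1:o} expires={2:o} expired={3} sliding={4}",
                appPath, t.IssueDate, t.Expiration, t.Expired,
                FormsAuthentication.SlidingExpiration);
        }
        catch (Exception ex)
        {
            // Log the failure type only; the cookie value is a bearer credential.
            Trace.TraceWarning("[{0}] ticket rejected ({1})", appPath, ex.GetType().Name);
        }
    }

    public void Dispose() { }
}
```

Register it under `<system.webServer><modules>` in both web.config files. A rejection logged only by /app points at mismatched `<machineKey>` or `<forms>` settings rather than at the timeout.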