Retain session when calling from a different website

Question

I have two website consider it as website1 and website2.

In website2 there is a login page .When a user click on the login button it will call a HTTPhandler in website1 to authenticate user.On successful authentication user information will be stored in a Session variable from handler.

Then it will redirect to a page page1.aspx in website1.But the previously set session is not available in the page1.aspx .What will be the issue?

I checked the session id in first request(when calling handler in website 1 from webiste 2) and Second request( redirecting to the page1.aspx from the handler) the session id is different.

How can i retain the session data?

I assume you mean a HttpHandler? Are you accessing the session from it like in this question: http://stackoverflow.com/questions/1058568/asp-net-how-to-access-session-from-handler — Peter Monks, Jan 09 '13 at 12:20
We are already using the IRequiresSessionState interface and we are able to store the data in session from HttpHandler — Prasanth V J, Jan 09 '13 at 12:32
If both web sites are on the same computer you could use the ASP.Net cache to store the authentication data. — Kevin, Jan 09 '13 at 12:49
Session by default is not share across machine I believe. Are you sharing the session? (out of process or SQL Server state) — Simon Mourier, Jan 16 '13 at 09:00
We are not sharing the session between machines.If you go through the question you can understand that.Real scenario is like this, from a third party website user need to login to our site.After a successful login thirdparty login page will redirected to our site page. — Prasanth V J, Jan 16 '13 at 09:12
Ok, I understand. The second website is really out of the loop since you're only interested by creating a session in a handler and using this session in an aspx page, both runnning in the same server (I suppose the session is cookie based?). You should not talk about a second website as this is confusing. PS: don't forget to prepend SO user id in your answer comments, otherwise we are not notified. — Simon Mourier, Jan 17 '13 at 11:08
Is there any specific reason for keeping data in Session? You can always keep your authentication values in hidden HTML fields and read your values in other website. or you can also use encrypted query strings to pass values from one website to another, put them in another session variable and clear the query string. I can give examples if you need any. — Ankit, Jan 21 '13 at 15:27

score 3 · Answer 1 · answered Jan 17 '13 at 16:47

You need to store session data in another process shared to both web site. You can do it intwo different ways:

Configure an SQL server
Configure SessionState service, a Windows service used to share informations.

In both cases you have to change both web.config files to support the new session mode. I.e. to use SQL:

Prepare a database (from command prompt):

cd \Windows\Microsoft.NET\Framework\v4.0.30319
aspnet_regsql.exe  -ssadd -E -S localhost\sqlexpress

Modify web config as following:

<sessionState mode="SQLServer"
        sqlConnectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;Initial Catalog=Test" allowCustomSqlDatabase="true"/>

You don't need to change your code.

score 2 · Answer 2 · answered Jan 18 '13 at 12:45

2

Correct me if I an wrong, AFAIK different domains cannot share a single session. One way to handle this is to carry the data to the other site through cookie [encrypt the values for security], then copy this cookie value to the session in the other site receiving it and destroy the cookie.

And if the sites are in different servers you need to handle the "sticky session" so that servers share the session.

answered Jan 18 '13 at 12:45

A J

2,112
15
24

1

I think this is not a good idea because it would allow for Session Hijacking. – Jonathan DS Jan 21 '13 at 17:23
I guess @jonathan is right, I was more like trying to figure out a possibility. And again I was not sure about the same too. – A J Jan 22 '13 at 06:35

score 1 · Answer 3 · answered Jan 09 '13 at 12:43

This situation sounds kind of similar to one I have experienced and worked on before, where one web application acts as the login page while another is the actual app where all your work is done. I can describe what I did in the hope that you find it useful.

Like you I had one web app which had the login page (so in your example this would be website2). When the login form submitted I then redirect to a fake Login.aspx page in website1 - this is where we differ I think as I'm not sure of your specific reason for using a HttpHandler.

In my case the website2 Login.aspx page is actually just the way into the web application; it has no markup, just code-behind which will authenticate the user, perform setup (e.g. set session variables) and then redirect to another page such as Homepage.aspx. This particular scenario has worked for me, so maybe your problem revolves around the use of a HttpHandler though I would not be able to tell you why.

I have tried it with .aspx page but it is not working! Any ideas? — Prasanth V J, Jan 10 '13 at 12:20

score 1 · Answer 4 · answered Jan 16 '13 at 10:16

In order to retain the same session date across two different servers running ASP.NET web applications you must configure your session state to be managed out of process. This means the actual session state data variables will be stored outside of worker process and in another process that is able to make the session data available to other machines.

To achieve this you can configure your application to use SQL Server to store session state and make it available to multiple servers in your farm. The TechNet article Configure a SQL Server to Maintain Session State (IIS 7) provides details on hor this is done in IIS 7.

If you are using IIS 6 then the steps to configure are somewhat different and I can provide further details on this if needed.

In order for this to work you do need to ensure that both servers are running applications within the same domain, e.g. myapp.com, otherwise the ASP.Net session cookie will not be passed between the two servers. ASP.Net uses the cookie to lookup the session state stored in SQL Server and will therefore not find any matching session if the cookie is not passed on requests between the two servers.

score 1 · Answer 5 · answered Jan 17 '13 at 06:58

i think IRequiresSessionState will not help because context is different. once we had the same problem but that was passing asp session varibles to .net. How ever you can do it here also. on both website create a page setsession.aspx now if you are on page say web1/page5.aspx and want to go to web2/page3.aspx you redirect to web1/setsession.aspx?togo1=web2/page3.aspx in both setsession.aspx logic in to extract sessiondata and place them in querystring

so the web1/setsession will redirect to web2/setsession.aspx?sess1=value1&sess2=value2&togo=page3.aspx

web2/setsession.aspx will check for togo querystring and if found will extract all querystring name and value will set them in session and will then redirect to togo value.

you need to differentiate togo1 and togo carefully.

score 1 · Answer 6 · answered Jan 19 '13 at 13:21

Session sharing between websites is going to require hand-coding. You could hack the asp.net framework to get this working, but I feel that this is not a clean way of achieving what you set out.

If user authentication is all you are doing from website, is it possible to use alternative? Single Sign On mechanisms will help you out here.

Something like SAMLSSO could help you in this case.

score 1 · Answer 7 · answered Jan 22 '13 at 04:07

You have two websites which are hosted on different servers, it means you have two different processes running on separate machines, so sessions will be definitely different. Same session can't be shared across processes because by default asp.net support in-memory session.

Here you would need to think about storing sessions information which can be shared between two processes (i.e. out of process). Ideal way to store sessions information in databases. For this you can consider Stefano Altieri code sample above.

score 0 · Answer 8 · answered Jan 22 '13 at 11:52

I don't think you really want to share session information between two websites at all. From what I can gather from comments, what you're really trying to do is have a user authenticate in one website (give you a username and password which are validated) and then have that "logged in" state transferred to another website which doesn't handle authentication for itself.

What you are describing is the Delegated Authentication model.

In this model, your application hands-off authentication to other systems which it trusts to provide information about users.

There are two well-known protocols which provide this mechanism:

OpenID
This is intended to facilitate users logging in with their own identity providers (Google, Facebook, Microsoft Account). It's a very good choice if you're running a public-facing website, as most users will already have an account they can log in with.

WS-Federation
This is intended to facilitate users logging in with identity providers which are managed by known trusted parties, such as partner organisations.

From version 4.5, the .NET Framework has built-in support for WS-Federation via the Windows Identity Foundation component (and is also available for earlier versions as a separate download). This automates the task of delegating your authentication to an Identity Provider.

It also provides components for you to write your own Identity Provider, should you want to create your own, but you shouldn't have to; you can find various existing implementations to perform this job for you.

The problem you're trying to solve is a very difficult one, especially trying to make it secure enough to be reliable. The good news is that smarter people than you or I have spent years working out very clever ways of doing this. You should use what they have done and not try to cobble together something out of Session state.

In the long-run it's best to let the smarter men do the hard work for you.

Retain session when calling from a different website

8 Answers8