1

I have two ASP.NET sites (they can not run in the same process) and I need to share authentication between them. If a user is in site A already authenticated and then goes to site B, I need to have a way to share this information with site B so the user is not asked to authenticate again. The same is true both ways. How do you share this information?

user31673
  • Duplicate of http://stackoverflow.com/questions/72125/how-do-you-pass-an-authenticaticated-session-between-app-domains – Kevin May 28 '09 at 23:24

4 Answers

4

Are they in the same domain?

If you have app1.blah.com and app2.blah.com, it's very easy to do. Just set the domain and the name to the same value in the forms-section in web.config:

    <authentication mode="Forms">
      <forms loginUrl="login.aspx"
             name=".COOKIENAME"
             protection="All"
             path="/"
             domain="blah.com"
             timeout="30" />
    </authentication>

An added benefit is that users can sign into either site and will still be authenticated if they go to the other one.

Stefan
  • Would this work if the two sites are running on different servers? Does the authentication use cookies on the client? If so, then I assume that it looks to see if the domains match and allows for the sharing of authentication? Would this work even if they were not on the same domain but you set the "domain=" to be the same? – user31673 May 29 '09 at 00:31
  • It does work if they are on different servers. Yes, it does use cookies. I'm pretty sure it won't work if you just set the domain to the same even though they aren't. – Stefan May 29 '09 at 00:34
  • 1
    Hmm... I tried adding this to my MVC application and it seems to break login entirely. Is there something else that needs to be tweaked along with that config stuff? – CodeRedick Aug 17 '11 at 16:05
2

If you are using Forms Authentication you can do this by setting the Machine Key.

See: Forms Authentication Across Applications

skalb
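The two answers above depend on each other: the shared cookie settings only help if both applications can decrypt and validate each other's tickets, which requires the same machine key. The fragment below is an added example, not taken from either answer; the host names and cookie name are the ones used in the first answer, and the key values are placeholders.

```xml
<!-- web.config, identical on app1.blah.com and app2.blah.com.
     Key values are placeholders: generate random hex keys of your own. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- name, protection, path and domain must match in both applications -->
      <forms loginUrl="login.aspx"
             name=".COOKIENAME"
             protection="All"
             path="/"
             domain="blah.com"
             timeout="30" />
    </authentication>
    <!-- The default, validationKey="AutoGenerate,IsolateApps", gives each
         application its own keys, so a ticket issued by one site fails
         validation on the other. Explicit, identical keys remove that mismatch.
         HMACSHA256 needs .NET Framework 4.0 or later; older versions use SHA1. -->
    <machineKey validationKey="PLACEHOLDER_HEX_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_HEX_DECRYPTION_KEY"
                validation="HMACSHA256"
                decryption="AES" />
  </system.web>
</configuration>
```

A cookie scoped to blah.com is sent to every host under that domain, and anyone who holds these keys can create tickets that both sites accept, so the keys need the same protection as any other credential.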
2

Select one site to be the "master" which handles all the logins. We will call that one site A, and the non-login site B.

When a user uses the login form on A, it should set a cookie with some unique identifier, such as a GUID. As long as that cookie is valid, the user should stay logged in.

When a user goes to site B, site B should set a cookie with its own unique identifier (another GUID), then redirect to the login on site A, passing along the unique ID in the querystring: Response.Redirect("http://siteA.com/login.aspx?id=ABCDEF")

When the user logs in on the form on A, we should update site B's database - maybe via web service - with the user ID and the unique ID which was passed along - essentially letting site B know "when a user with ABCDEF in their cookie hits your site, it is actually User387".

Then redirect back to site B. The cookie from earlier is still set, but site B now reads that cookie and finds a corresponding user ID, so it knows who the user is and allows access.

When the user arrives on site A, if they have already logged in previously to site A, it will recognize their cookie, follow the same steps as above, and redirect immediately.

This is a very simple version of what every single-sign-on service does. A user will only be sent to A's login page once, no matter where they start from (site A or site B).

Rex M
  • Not using the same domain. When the user is in Site A and already authenticated, then moves to Site B, how does Site B know they are already authenticated? I don't want the login to come up twice. – user31673 May 29 '09 at 00:26
  • @Unknown when they move to site B, they have no cookie for site B, so site B will create a cookie and redirect to the login for site A as described above; site A will already have a cookie as well and be able to recognize the user, thus skipping the manual login process and heading straight to sending the UserID and uniqueID back to B, and then redirecting back to B. – Rex M May 29 '09 at 00:51
  • @Unknown the only requirement is that when the login page loads, it checks to see if the user is already logged in and skips to the processing part instead of displaying a login form. – Rex M May 29 '09 at 00:52
  • Thank you for the clarification. I do have one question though, how do you expire the cookie so that when they leave the site they need to relogin the next time? I don't want the cookie left and bypass the login at a later time. – user31673 Jun 02 '09 at 21:36
  • @unknown you could set up your cookies to expire in 20 minutes or so, but every time the user hits your site, extend it for another 20 minutes. You could put a hidden, dynamic image from site A somewhere on every page of site B, and have the image update the cookie on every request. So every hit to B updates both A's cookie and B's cookie (assuming the user has cross-domain cookies enabled; most do) – Rex M Jun 03 '09 at 01:10
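The hand-off described in this answer and its comments, as an in-memory simulation. This is an added example, not code from the answer: the class and method names are hypothetical, the HMAC-signed back-channel call, five-minute expiry and single-use binding are assumptions layered on the described flow, and it targets .NET 8 (C# 12).

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
// Constructed walk-through: a first visit to B, then a bind call without a valid MAC.
var key = RandomNumberGenerator.GetBytes(32);   // secret shared by A and B (assumption)
var b = new SiteB(key); var a = new SiteA(key, b);
string id = b.BeginLogin();                     // B's cookie value, also sent to A as ?id=
string? aCookie = null;                         // the browser has no cookie for A yet
Console.WriteLine(a.Login(id, ref aCookie, "User387"));
Console.WriteLine(b.WhoIs(id));
Console.WriteLine(b.Bind(b.BeginLogin(), "User387", new byte[32]));

class SiteB(byte[] key)
{
    readonly Dictionary<string, DateTime> _pending = new();  // IDs B issued -> expiry
    readonly Dictionary<string, string> _users = new();      // bound ID -> user
    public static byte[] Sign(byte[] k, string id, string user) =>
        HMACSHA256.HashData(k, Encoding.UTF8.GetBytes(id + "|" + user));
    public string BeginLogin()
    {
        string id = Convert.ToHexString(RandomNumberGenerator.GetBytes(16)); // CSPRNG, not a GUID
        _pending[id] = DateTime.UtcNow.AddMinutes(5);
        return id;
    }
    // A's back-channel call (the "web service"): only signed binds for IDs B issued count.
    public bool Bind(string id, string user, byte[] mac)
    {
        if (!_pending.TryGetValue(id, out var exp) || exp < DateTime.UtcNow) return false;
        if (!CryptographicOperations.FixedTimeEquals(mac, Sign(key, id, user))) return false;
        _users[id] = user;
        return _pending.Remove(id);                          // an ID can be bound once
    }
    public string? WhoIs(string cookie) => _users.TryGetValue(cookie, out var u) ? u : null;
}

class SiteA(byte[] key, SiteB b)
{
    readonly Dictionary<string, string> _sessions = new();   // A's cookie -> user
    public bool Login(string id, ref string? aCookie, string? formUser)
    {
        if (aCookie == null || !_sessions.TryGetValue(aCookie, out var user))
        {
            if (formUser == null) return false;              // no valid A cookie: show the form
            user = formUser;                                 // user the form authenticated (check not shown)
            _sessions[aCookie = Convert.ToHexString(RandomNumberGenerator.GetBytes(16))] = user;
        }
        return b.Bind(id, user, SiteB.Sign(key, id, user));
    }
}
```

The ID travels in A's query string, so it can end up in server logs and Referer headers; the short expiry and single-use binding limit how long such a copy stays useful.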
0

Check out the Windows Communication Authentication Service. Won't quite handle single sign-on like you want, but it should at least let people log in across the board with the same credentials.

Wyatt Barnett
  • This idea won't work in this scenario because I need to use the login process already in place in site A. If the user directly logs into site B, then a web service is run against site A to authenticate. The real issue is when they are already authenticated and change sites. – user31673 May 28 '09 at 23:30