Sharing Authentication between ASP.NET sites

I have two ASP.NET sites (they cannot run in the same process) and I need to share authentication between them. If a user is in site A already authenticated and then goes to site B, I need to have a way to share this information with site B so the user is not asked to authenticate again. The same is true both ways. How do you share this information?

Answers:


Method 1

Are they in the same domain?

If you have app1.blah.com and app2.blah.com, it’s very easy to do. Just set the domain and the name to the same value in the forms-section in web.config:

    <authentication mode="Forms">
      <forms loginUrl="login.aspx"
             name=".COOKIENAME"
             protection="All"
             path="/"
             domain="blah.com"
             timeout="30" />
    </authentication>

An added benefit is that users can sign into either site and will still be authenticated if they go to the other one.

Method 2

Select one site to be the “master” which handles all the logins. We will call that one site A, and the non-login site B.

When a user uses the login form on A, it should set a cookie with some unique identifier, such as a GUID. As long as that cookie is valid, the user should stay logged in.

When a user goes to site B, site B should set a cookie with its own unique identifier (another GUID), then redirect to the login on site A, passing along the unique ID in the querystring: Response.Redirect("http://siteA.com/login.aspx?id=ABCDEF")

When the user logs in on the form on A, we should update site B’s database – maybe via web service – with the user ID and the unique ID which was passed along – essentially letting site B know “when a user with ABCDEF in their cookie hits your site, it is actually User387”.

Then redirect back to site B. The cookie from earlier is still set, but site B now reads that cookie and finds a corresponding user ID, so it knows who the user is and allows access.

When the user arrives on site A, if they have already logged in previously to site A, it will recognize their cookie, follow the same steps as above, and redirect immediately.

This is a very simple version of what every single-sign-on service does. A user will only be sent to A’s login page once, no matter where they start from (site A or site B).
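
Site B's side of the handoff described in Method 2, as an added example that is not part of the original answer or of any ASP.NET API. `HandoffStore` and its method names are hypothetical, the store is in-memory, and A's call to `Bind` is assumed to be an authenticated server-to-server request; it goes slightly beyond the answer by expiring IDs and redeeming each one only once, after which B would issue its own login cookie.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Site B's record of the handoff IDs it has issued (hypothetical class, in-memory store).
public sealed class HandoffStore
{
    private sealed class Entry { public DateTime IssuedUtc; public string UserId; }

    private readonly ConcurrentDictionary<string, Entry> _entries = new ConcurrentDictionary<string, Entry>();
    private readonly TimeSpan _ttl;

    public HandoffStore(TimeSpan ttl) { _ttl = ttl; }

    // B creates the ID it puts in its own cookie and in the ?id= redirect to A.
    // The ID acts as a bearer secret, so it comes from a CSPRNG.
    public string Issue()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string id = BitConverter.ToString(bytes).Replace("-", "");
        _entries[id] = new Entry { IssuedUtc = DateTime.UtcNow };
        return id;
    }

    // Called by A after a successful login (assumed: authenticated server-to-server call).
    // Only IDs that B issued, that are still fresh, and that are not yet bound are accepted.
    public bool Bind(string id, string userId)
    {
        Entry e;
        if (id == null || !_entries.TryGetValue(id, out e) || Expired(e)) return false;
        lock (e)
        {
            if (e.UserId != null) return false; // already bound: refuse to rebind
            e.UserId = userId;
            return true;
        }
    }

    // Called by B when the browser returns with the cookie. Succeeds at most once per ID,
    // because the ID has travelled in a query string and may sit in logs or Referer headers.
    public string Redeem(string id)
    {
        Entry e;
        if (id == null || !_entries.TryGetValue(id, out e)) return null;
        if (Expired(e)) { _entries.TryRemove(id, out e); return null; }
        lock (e) { if (e.UserId == null) return null; } // A has not bound a user yet
        return _entries.TryRemove(id, out e) ? e.UserId : null;
    }

    private bool Expired(Entry e) { return DateTime.UtcNow - e.IssuedUtc > _ttl; }
}
```

Site B would call `Issue()` before redirecting to A, expose `Bind()` through the endpoint A calls, and call `Redeem()` when the user comes back, treating a `null` result as "not logged in".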

Method 3

If you are using Forms Authentication you can do this by setting the Machine Key.

See: Forms Authentication Across Applications

Method 4

Check out the Windows Communication Authentication Service. Won’t quite handle single sign-on like you want, but it should at least let people log in across the board with the same credentials.


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
