
Single sign-on across multiple applications in ASP.NET

By Michal Altair Valášek, 31 Mar 2004
 

Introduction

I prefer to use Forms authentication for most of my applications, and most of my projects consist of a few relatively independent parts running on subdomains of the main domain. It would be nice to have single sign-on, so that if you are logged on at www.example.com, you are also recognized at everything.example.com.

Forms authentication does not support this by default, but it is not too complicated to tweak it appropriately.

Behind the Forms authentication

The technology behind Forms authentication is simple: it creates a cookie with a defined name (the name attribute of the forms element in web.config). The cookie contains the encrypted authentication data.

To protect the user's privacy and for security reasons, you can only read cookies that you wrote. By default they are associated with the server's hostname. But the cookie standard supports making cookies accessible to the entire domain in which the server lies. This means that from server1.example.com, you can work with cookies for both server1.example.com and example.com.

You can set a domain-wide cookie only for a second-level domain, or for a third-level domain if the second-level domain contains three or fewer characters. This means that you cannot set a cookie for the domain "com" or "co.uk", but you can for "example.com" or "example.co.uk".

So all you need to do is make the authentication cookie domain-wide.
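
The scoping rule above, as an added example that is not part of the original article: DomainMatches is a hypothetical helper that follows the RFC 6265 domain-matching rule, and the host names are constructed. It shows that a cookie with Domain set to example.com goes to every host under that domain, so the authentication ticket is only as well protected as the least trusted subdomain.

```vbnet
Imports System
Imports System.Net

Module CookieScopeDemo
    ' RFC 6265 section 5.1.3: the request host matches when it equals the
    ' cookie domain, or is a host name (not an IP address) ending in "." + domain.
    Function DomainMatches(ByVal requestHost As String, ByVal cookieDomain As String) As Boolean
        Dim host As String = requestHost.ToLowerInvariant()
        ' A leading dot in the Domain attribute is ignored.
        Dim domain As String = cookieDomain.TrimStart("."c).ToLowerInvariant()
        If host = domain Then Return True
        Dim ip As IPAddress = Nothing
        If IPAddress.TryParse(host, ip) Then Return False
        Return host.EndsWith("." & domain, StringComparison.Ordinal)
    End Function

    Sub Main()
        ' Constructed host names for illustration.
        Dim hosts() As String = {"www.example.com", "everything.example.com", _
                                 "example.com", "notexample.com", _
                                 "example.com.other.test"}
        For Each h As String In hosts
            ' True for the first three hosts, False for the last two.
            Console.WriteLine("{0,-24} receives .EXAMPLE-AUTH: {1}", _
                              h, DomainMatches(h, "example.com"))
        Next
    End Sub
End Module
```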

Setting it up

You must set up authentication in the system.web section of your web.config file as usual, for example:

<authentication mode="Forms">
  <forms name=".EXAMPLE-AUTH" loginUrl="/Login.aspx" 
               protection="All" timeout="30" path="/" />
</authentication>

As I said before, the authentication cookie is encrypted. By default, the encryption key is generated automatically. But if you need several servers to cooperate, the keys must be the same on every server. This can be done by adding the following to the system.web section of web.config:

<machineKey
  validationKey="BD52058A3DEA473EA99F29418689528A494DF2B00054BB7C" 
  decryptionKey="684FC9301F404DE1B9565E7D952005579E823307BED44885" 
/>

The values of the validation and decryption keys should be hexadecimal numbers 16 (for DES) or 48 (for TripleDES) characters long.
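
The sample keys above are printed in the article, so every reader knows them; each deployment needs its own. The following is an added example, not the author's code: KeyProblem and NewHexKey are hypothetical helpers that check a machineKey element for automatically generated or copied keys and produce fresh 48-character values from the system's cryptographic random number generator. The web.config fragment in Main is constructed.

```vbnet
Imports System
Imports System.Security.Cryptography
Imports System.Text.RegularExpressions
Imports System.Xml

Module MachineKeyCheck
    ' Sample keys printed in the article; treat them as publicly known.
    Private ReadOnly Published() As String = { _
        "BD52058A3DEA473EA99F29418689528A494DF2B00054BB7C", _
        "684FC9301F404DE1B9565E7D952005579E823307BED44885"}

    ' Returns Nothing when the key is acceptable, otherwise the reason it is not.
    Function KeyProblem(ByVal key As String) As String
        If key = "" OrElse key.StartsWith("AutoGenerate") Then _
            Return "not set explicitly, so each server generates its own"
        If Not Regex.IsMatch(key, "^[0-9A-Fa-f]+$") Then Return "not hexadecimal"
        If Array.IndexOf(Published, key.ToUpperInvariant()) >= 0 Then _
            Return "copied from the article"
        Return Nothing
    End Function

    ' Fresh random key from the OS CSPRNG, two hex characters per byte.
    Function NewHexKey(ByVal byteCount As Integer) As String
        Dim buffer(byteCount - 1) As Byte
        Dim rng As New RNGCryptoServiceProvider()
        rng.GetBytes(buffer)
        Return BitConverter.ToString(buffer).Replace("-", "")
    End Function

    Sub Main()
        ' Constructed fragment: one key copied from the article, one left on auto.
        Dim doc As New XmlDocument()
        doc.LoadXml("<system.web><machineKey validationKey=""" & Published(0) & _
                    """ decryptionKey=""AutoGenerate,IsolateApps"" /></system.web>")
        Dim mk As XmlElement = CType(doc.SelectSingleNode("//machineKey"), XmlElement)
        For Each name As String In New String() {"validationKey", "decryptionKey"}
            Dim problem As String = KeyProblem(mk.GetAttribute(name))
            If problem Is Nothing Then
                Console.WriteLine("{0}: ok", name)
            Else
                ' 24 bytes = 48 hex characters, the TripleDES length named above.
                Console.WriteLine("{0}: {1}; replace with {2}", _
                                  name, problem, NewHexKey(24))
            End If
        Next
    End Sub
End Module
```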

Signing on

You must modify the authentication cookie before sending it to the client by specifying your domain name. The code can be as follows (it assumes that the user has been authenticated and that the user name is stored in the string variable UserName):

' Issue the standard Forms authentication cookie, then widen it to the parent domain.
Dim C As System.Web.HttpCookie = _
         System.Web.Security.FormsAuthentication.GetAuthCookie(UserName, False)
C.Domain = "example.com"
Response.AppendCookie(C)
Response.Redirect( _
         System.Web.Security.FormsAuthentication.GetRedirectUrl(UserName, False))

Signing off

Usually, there is no need to do anything special to sign the user off - just call System.Web.Security.FormsAuthentication.SignOut(). But not in this case - the SignOut() method is unable to deal with domain-wide cookies.

You need to delete the cookie manually, and the only way to delete a cookie is to set its expiration date to a date in the past. You may do it using the following code:

Dim C As System.Web.HttpCookie = _
         Request.Cookies(System.Web.Security.FormsAuthentication.FormsCookieName)
' The cookie is missing when the user is not signed on; skip in that case.
If Not C Is Nothing Then
    C.Domain = "example.com"              ' must match the domain used at sign-on
    C.Expires = DateTime.Now.AddDays(-1)  ' a past date makes the browser delete it
    Response.Cookies.Add(C)
End If
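
A hardened variant of the sign-on and sign-off steps, as an added example that is not the author's code. The SsoCookie module and its SsoDomain constant are hypothetical names, and the code assumes .NET Framework 2.0 or later (for HttpCookie.HttpOnly). Because the cookie is shared by every subdomain, it is marked HttpOnly and, on HTTPS requests, Secure; sign-off sends a fresh empty cookie instead of echoing the ticket back.

```vbnet
Imports System
Imports System.Web
Imports System.Web.Security

Public Module SsoCookie
    ' Assumption: the shared parent domain; it must be identical at sign-on
    ' and sign-off, otherwise the browser keeps the original cookie.
    Private Const SsoDomain As String = "example.com"

    Public Sub SignOn(ByVal context As HttpContext, ByVal userName As String)
        Dim c As HttpCookie = FormsAuthentication.GetAuthCookie(userName, False)
        c.Domain = SsoDomain
        c.HttpOnly = True                               ' not readable from script
        c.Secure = context.Request.IsSecureConnection   ' HTTPS-only when issued over HTTPS
        context.Response.Cookies.Add(c)
    End Sub

    Public Sub SignOff(ByVal context As HttpContext)
        ' A fresh, empty cookie: the ticket value is not sent back to the
        ' client, and nothing fails when the browser sent no cookie at all.
        Dim c As New HttpCookie(FormsAuthentication.FormsCookieName, "")
        c.Domain = SsoDomain
        c.Path = FormsAuthentication.FormsCookiePath
        c.HttpOnly = True
        c.Expires = DateTime.Now.AddDays(-1)            ' past date deletes the cookie
        context.Response.Cookies.Add(c)
    End Sub
End Module
```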

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.


About the Author

Michal Altair Valášek
Software Developer, Altairis
Czech Republic

Software architect and developer at Altairis, a dev shop in the Czech Republic. Microsoft Most Valuable Professional (MVP) since 2004.

See my open source project at Codeplex.


Last Updated 1 Apr 2004
Article Copyright 2004 by Michal Altair Valášek