
Single sign-on across multiple applications in ASP.NET

31 Mar 2004
By default, Forms authentication does not support single sign-on across multiple applications. But it is not too complicated to tweak it the appropriate way.


I prefer to use the Forms authentication for most of my applications. And most of my projects consist of a few relatively independent parts running on subdomains of the main domain. It would be nice to have single sign-on, so if you are logged on at, you would be recognized also at

Forms authentication by default does not support this feature, but it is not too complicated to tweak it the appropriate way.

Behind the Forms authentication

The technology behind Forms authentication is simple: it creates a cookie with a defined name (the name attribute of the forms element in web.config). The cookie contains encrypted authentication data.

To protect users' privacy and for security reasons, you can only read cookies that you wrote. They are associated with the server hostname by default. But the cookie standard supports making cookies accessible to the entire domain in which the server lies. It means that from, you can work with cookies for both and

You can set a domain-wide cookie only for a second-level domain, or for a third-level domain if the second-level domain contains three or fewer characters. It means that you cannot set a cookie for domain "com" or "", but can for "" or "".

So all you need to do is make the authentication cookies domain-wide.

Setting it up

You must set up authentication in the system.web section of your web.config file as usual, for example:

<authentication mode="Forms">
  <forms name=".EXAMPLE-AUTH" loginUrl="/Login.aspx" 
               protection="All" timeout="30" path="/" />
</authentication>

As I said before, the authentication cookie is encrypted. By default, the encryption key is generated automatically. But if you need more servers to cooperate, you need to have the same keys on both servers. This can be done by adding the following to the system.web section of web.config:


The validation and decryption keys should be hexadecimal numbers 16 (for DES) or 48 (for TripleDES) characters long.
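A check for the shared-key requirement described above, added here as an example and not part of the original article: it generates a `<machineKey>` element with random keys and verifies that every application's web.config carries the same explicit keys. The application names `www` and `shop`, the helper names and the sample web.config fragments are constructed for illustration; the key lengths follow the article.

```python
import re
import secrets
import xml.etree.ElementTree as ET

ALLOWED_LENGTHS = (16, 48)  # hex characters: DES or TripleDES, as stated in the article
HEX = re.compile(r"^[0-9A-Fa-f]+$")

def new_machine_key(hex_chars=48):
    """Return a <machineKey> element with fresh random keys from the OS CSPRNG."""
    if hex_chars not in ALLOWED_LENGTHS:
        raise ValueError("key length must be 16 or 48 hex characters")
    val, dec = (secrets.token_hex(hex_chars // 2).upper() for _ in range(2))
    return f'<machineKey validationKey="{val}" decryptionKey="{dec}" validation="SHA1" />'

def read_keys(web_config_xml):
    """Extract (validationKey, decryptionKey) from a web.config document."""
    node = ET.fromstring(web_config_xml).find("system.web/machineKey")
    if node is None:
        return ("AutoGenerate", "AutoGenerate")  # ASP.NET default: per-server keys
    return (node.get("validationKey", "AutoGenerate"),
            node.get("decryptionKey", "AutoGenerate"))

def check_shared_keys(configs):
    """Return a list of problems that would stop servers reading each other's cookie."""
    problems = []
    keys = {name: read_keys(xml) for name, xml in configs.items()}
    for name, pair in keys.items():
        for label, value in zip(("validationKey", "decryptionKey"), pair):
            if value.startswith("AutoGenerate"):
                problems.append(f"{name}: {label} is auto-generated")
            elif not HEX.match(value) or len(value) not in ALLOWED_LENGTHS:
                problems.append(f"{name}: {label} is not 16 or 48 hex characters")
    if len(set(keys.values())) > 1:
        problems.append("machineKey values differ between applications")
    return problems

def sample_config(machine_key=""):
    # Constructed sample web.config; real files contain many more settings.
    return f"<configuration><system.web>{machine_key}</system.web></configuration>"

SHARED = new_machine_key(48)  # generated once, then copied to every application
GOOD = {"www": sample_config(SHARED), "shop": sample_config(SHARED)}
BAD = {"www": sample_config(SHARED), "shop": sample_config()}  # second app on defaults

if __name__ == "__main__":
    print(check_shared_keys(GOOD))
    print(check_shared_keys(BAD))
```

Treat the generated keys as secrets: any server that holds them can issue authentication tickets that the other applications will accept.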

Signing on

You must modify the authentication cookie before sending it to the client, by specifying your domain name. The code can be as follows (it assumes that the user has been authenticated and that the user name is stored in the string variable UserName):

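' Create the standard (non-persistent) authentication cookie for the user
Dim C As System.Web.HttpCookie = _
         System.Web.Security.FormsAuthentication.GetAuthCookie(UserName, False)
C.Domain = "" ' your domain name
' Send the modified cookie to the client
Response.Cookies.Add(C)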

Signing off

Usually, there is no need to do anything special to sign the user off: just call System.Web.Security.FormsAuthentication.SignOut(). But not in this case, because the SignOut() method is unable to deal with domain-wide cookies.

You need to delete the cookie manually. And the only way to delete a cookie is to set its expiration date to a date in the past. You may do it using the following code:

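' Build a replacement cookie with the same name as the authentication cookie
Dim C As System.Web.HttpCookie = _
         New System.Web.HttpCookie(System.Web.Security.FormsAuthentication.FormsCookieName, "")
C.Domain = "" ' your domain name
C.Expires = DateTime.Now.AddDays(-1)
Response.Cookies.Add(C)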


This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.



About the Author

Michal Altair Valášek
Software Developer Altairis
Czech Republic

Software architect and developer at Altairis, a dev shop in the Czech Republic. Microsoft Most Valuable Professional (MVP) since 2004.

See my open source project at Codeplex.

Comments and Discussions
Facing problem with Domain and subdomain (Javad Mehmood, 26-Dec-07 9:37)
Re: Facing problem with Domain and subdomain (PranjaliBhide, 13-Aug-08 4:18)
You can do this by setting the domain property of the cookie to your root domain. So if you have and then set cookie.Domain = "" and then both apps will be able to access this cookie.

Last Updated 1 Apr 2004
Article Copyright 2004 by Michal Altair Valášek