CodeProject: Single sign-on across multiple applications in ASP.NET. Free source code and programming help

I prefer to use the Forms authentication for most of my applications. And most of my projects consist of a few relatively independent parts running on subdomains of the main domain. It would be nice to have single sign-on, so if you are logged on at www.example.com, you would be recognized also at everything.example.com.

Forms authentication by default does not support this feature, but is not too complicated to tweak it the appropriate way.

Behind the Forms authentication

Technology behind the Forms authentication is simple: it would create a cookie of defined name (attribute name of forms attribute in web.config). The cookie would contain encrypted authentication data.

To protect user's privacy and for security reasons, you can only read cookies that you wrote. They're associated with server hostname by default. But the cookie standard supports making cookies accessible for entire domain in which the server lies. It means that from server1.example.com, you can work with cookies for both server1.example.com and example.com.

You can set domain-wide cookie only for second level domain, or for third level domain if second level domain contains three or less characters. It means that you cannot set cookie for domain "com" or "co.uk", but can for "example.com" or "example.co.uk".

So, only what you need is to make authentication cookies domain-wide.

Setting it up

You must setup authentication in system.web section of your web.config file as usual, for example:

<authentication mode="Forms">
  <forms name=".EXAMPLE-AUTH" loginUrl="/Login.aspx" 
               protection="All" timeout="30" path="/" />
</authentication>

As I said before, the authentication cookie is encrypted. By default, encryption key is generated automatically. But if you need more servers to cooperate, you need to have the keys same on both servers. This can be done by adding the following to system.web section of web.config:

<machineKey
  validationKey="BD52058A3DEA473EA99F29418689528A494DF2B00054BB7C" 
  decryptionKey="684FC9301F404DE1B9565E7D952005579E823307BED44885" 
/>

The values of validation and decryption key should be 16 (for DES) or 48 (for TripleDES) characters long hexadecimal numbers.

Signing on

You must modify the authentication cookie before sending it to the client, by specifying your domain name. The code can be as follows (assumes that user has been authenticated and his name is stored in string variable UserName):

Dim C As System.Web.HttpCookie = _
         System.Web.Security.FormsAuthentication.GetAuthCookie(UserName, False)
C.Domain = "example.com"
Response.AppendCookie(C)
Response.Redirect(System.Web.Security.FormsAuthentication.GetRedirectUrl(UserName, 
                                                                           False))

Signing off

Usually, there is no need to make something special to sign the user off - just call System.Web.Security.FormsAuthentication.SignOut(). But not in this case - the SignOut() method is unable to deal with domain-wide cookies.

You need to delete the cookie manually. And the only way to delete a cookie is to set its expiration date to past. You may do it using the following code:

Dim C As System.Web.HttpCookie = _
         Request.Cookies(System.Web.Security.FormsAuthentication.FormsCookieName)
C.Domain = "example.com"
C.Expires = DateTime.Now.AddDays(-1)
Response.Cookies.Add(C)

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here

About the Author

Michal Altair Valasek

Member

Software developer, system administrator, web designer, journalist, fantasy writer, film editor and executive producer - some of occupations I held in 27 years of my age.

Awarded as Microsoft Most Valuable Professional (MVP) for ASP.NET technology.
Editor and publisher of ASPNET.CZ (formerly known as ASP Network), oldest Czech web server dedicated to Microsoft technology for the Internet.
Project coordinator of BDSM.CZ (http://www.bdsm.cz, first and biggest Czech non-commercial server about sadomasochism.

See my weblog (in Czech language) at http://weblog.rider.cz

Occupation:	Web Developer
Location:	Czech Republic

Other popular Web Security articles:

Role-based Security with Forms Authentication
Provides insight and tips on using role-based (groups) Forms Authentication in ASP.NET, which has only partial support for roles.
Switching Between HTTP and HTTPS Automatically: Version 2
An article on automatically switching between HTTP and HTTPS protocols without hard-coding absolute URLs
Forms authentication and Role based authorization: a quicker, simpler, and correct approach
This article describes a correct and smarter way of implementing Role based authorization with Forms authentication in ASP.NET.
Securing ASP.NET Applications
This article takes a look at two recent attacks on web applications and how they were perpetrated. Then it dives head first into a litany of different potential security holes and more importantly, how to plug them in ASP.Net.
HttpSecureCookie, A Way to Encrypt Cookies with ASP.NET 2.0
Discussing how to encode and tamper-proof text and cookies using the MachineKey, by using reflection.

Article Top

You must Sign In to use this message board.

FAQ
Noise Tolerance Layout Per page

Msgs 1 to 25 of 53 (Total in Forum: 53) (Refresh)

FirstPrevNext

Cookies Across Domains

mohit2323

2:26 20 Apr '08

Can we pass cookies across domains? Thanks Mohit Bansal
Sign In·View Thread·PermaLink	1.00/5 (1 vote)

Facing problem with Domain and subdomain

Javad Mehmood

9:37 26 Dec '07

Hi,

Really good article. Currently I am facing a problem in my project. I have login application (login.myapplication.com) deployed on one machine and accounts application (accounts.myapplication.com) on other machine. When user first hits the accounts application he is redirected to login application. After login user is redirected to accounts application. But the ticket generated on login application (login.myapplication.com) is not valid for accounts application. User.IsAuthenticated is always false. If I install both applications on same machine, it works fine. I have applied all the tricks on web.config but could not solve the problem. Please provide some solution.

Regards,

Javad Mehmood

1.50/5 (2 votes)

Re: Facing problem with Domain and subdomain

PranjaliBhide

4:18 13 Aug '08

you can do this by setting the domain property of the cookie to your root domain. so if you have a.root.com and b.root.com then set cookie.Domain = "root.com" and then both apps will be able to access this cookie.
Sign In·View Thread·PermaLink	3.00/5 (1 vote)

on different domains?

dagarwal82

21:24 7 Nov '06

Wat about if i have first.firstdomain.com and second.seconddomain.com , nd now i try to go on secon.secondomain.com ,it redirect me to firstdomani.com/login.aspx and then redirect to second.seconddomain.com... IS IT POSSIBLE.. PLEASE guide me i have
Sign In·View Thread·PermaLink	1.67/5 (6 votes)

Logging out not working.

Nigel Liefrink 2

21:39 21 Aug '06

Hi, Tried your code for logging out, but it wasn't working. I managed to get it working by not using the expiry date but setting the value of the cookie like this: Dim C As System.Web.HttpCookie = _ Request.Cookies(System.Web.Security.FormsAuthentication.FormsCookieName) C.Domain = "example.com" C.Value = "" Response.Cookies.Add(C) Nigel Liefrink.
Sign In·View Thread·PermaLink

Problem when is not persistant

Lordfkiller

10:11 15 Mar '06

Hi. I have two apps, Authorizer app and another. First one at www.example.com/Accounts and the other one at app.example.com. When auth cookie is persistant, it works well and the other app can use the ticket, but when I it isn't persistant, the other app can't use the cookie.

Response.AppendCookie(FormsAuthentication.GetAuthCookie("username", true)); // Working
Response.AppendCookie(FormsAuthentication.GetAuthCookie("username", false)); // Not Working

ASP.NET Ver: 2

Thanks

Re: Problem when is not persistant

Lordfkiller

2:35 16 Mar '06

The problem was resolved. I was signing in in a window and opening the other site in another browser window. Just this!
Sign In·View Thread·PermaLink

localhost

xgnitesh

6:45 9 Feb '06

Hi,
I am trying to develop a single signon solution on my win 2000 professional system with many applications like this:
http://localhost/Gateway
http://localhost/TestApp1
http://localhost/TestApp2

Here the Gateway application is the one that is used for single signon and displays links to all other applications if the signon is successful.

I dont have a domain yet but would like to port these application to a domain like this in future.

http://something.com/Gateway
http://something.com/TestApp1
http://something.com/TestApp2

To make the single signon solution work on my single development machine, I tried to put localhost as my hostheader name in IIS and then set c.Domain to localhost. I tries using a dummy domain like something.com also but it does not work.

Can you please suggest a solution to my problem.

I really appreciate for any guidance on this.

Thanks & regards,
Nitesh Gupta

Nitesh Gupta

2.00/5 (1 vote)

Re: localhost

davidhart

7:57 4 Sep '07

Nitesh, Did you figure this out? I am having the same problem. Please let me know. Thanks, David
Sign In·View Thread·PermaLink

Re: localhost

Ofir-z

6:37 1 Aug '08

same issue.... anyone found a solution for this?
Sign In·View Thread·PermaLink

Re: localhost

Ofir-z

6:44 1 Aug '08

I got it.... I had to use FormsAuthentication.RedirectFromLoginPage(name, true); and not Response.Redirect(FormsAuthentication.GetRedirectUrl(name,true)); hope it helps.
Sign In·View Thread·PermaLink

TIcket pass Worked in ASP 1.1 but not in 2.0..

Pchao

17:21 25 Dec '05

Hi I used this sample and it worked from passing ticket from asp.net 1.1 web application to another asp.net 1.1 web site. but when I tried to do the same thing from passing ticket from asp.net 2.0 to another asp.net 1.1 web application. It didn't work. Any solution ?
Sign In·View Thread·PermaLink

Re: TIcket pass Worked in ASP 1.1 but not in 2.0..

mrbikejoc

15:52 7 Feb '08

try: <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES"> </machineKey> I think 2.0 wants 3DES
Sign In·View Thread·PermaLink

Pls highlight the importance of <machineKey>

Anonymous

10:17 20 Oct '05

Your article is excellent, it finally works for me after several hours try and test. Can you highlight your article about the and "IsolateApps"? I spent several hours to try to figure out why it didn't work until I read your article's first comment from MicrosoftBob. If you can hightlight the importance of in your article, I believe it will save many developers a lot of hours. Your articles already save many developers many days. Smile

3.50/5 (3 votes)

Cannot logout

Jong-Hyun

12:06 9 May '05

Hello, Everything works fine except one problem. You might be able to reproduce this with the following steps. a. login b. do nothing for 30 minutes. c. try to logout. d. You are not able to logout. Do you have any idea why this is happening? Thank you.
Sign In·View Thread·PermaLink

JOSSO Single Sign-On supports ASP

Anonymous

3:50 8 Mar '05

JOSSO is an Open Source cross-platform Single Sign-On which supports ASP, Java and PHP application integration. Check it out here : http://www.josso.org
Sign In·View Thread·PermaLink	2.00/5 (1 vote)

Re: JOSSO Single Sign-On supports ASP

ayurhdfkl

1:02 1 Aug '07

Its true that JOSSO will support ASP. But will it support ASP.NET, if so please reply with a Sample application
Sign In·View Thread·PermaLink	5.00/5 (1 vote)

iframe and form authentication?

norm

21:08 18 Feb '05

I have an aspx page that contains an iframe which points back to another page from same domain (same server in fact) but resides in a different virtual directory/application. What would you recommend in this case? Norman Fung
Sign In·View Thread·PermaLink

Single sign on within sub domain

Gurumoorthi Kumar

19:09 2 Jan '05

Hi , I have two asp.net web application each running running on two subdomains example. a.MyDomain.com and b.MyDomain.com. Is single sign-on possible to connect these two web applicatons. How the cookie would be shared for both applicatoins. kindly clarify this. Regards Guru
Sign In·View Thread·PermaLink

Re: Single sign on within sub domain

DevDude

12:35 26 Jan '06

you can do this easily by setting the domain property of the cookie to your root domain. so if you have a.root.com and b.root.com then set cookie.Domain = "root.com" and then both apps will be able to access this cookie. Just remember when deleting the cookie you need to also set the Domain property or the cookie will not get deleted. Took me for a curve ball a few times !
Sign In·View Thread·PermaLink	2.17/5 (3 votes)

A better way

Anonymous

9:39 23 Dec '04

There is a much simpler way to implement SSO with Forms Auth. using only configuration.   If you have multiple Virtual Directories that must all be protected by Forms Auth. they can all use the same login page.   For example, in one virtual directory you may have this in your web.config:

<authentication mode="Forms">
      <forms name=".LOGINFORM" loginUrl="http://localhost/login.aspx" protection="All" timeout="60"/>
</authentication>

If you place the exact same configuration in all of your web.config files Forms Auth. will use the same authentication cookie no matter what virtual directory you may be using.   So, if you request http://localhost/virtual1/ and login the cookie will carry over to requests for http://localhost/virtual2/ even thought it is part of a different application.

1.43/5 (3 votes)

Re: A better way

Michal Altair Valasek

10:54 23 Dec '04

Please note, that we are not talking only about separate directories, but about different hosts. Michal Altair Valasek - http://www.rider.cz Doing my best for keeping freedom safe from democracy.
Sign In·View Thread·PermaLink

SSO Across Domains

Checking

10:31 14 Oct '04

Does anyone know of a way to do SSO across different top level domains? For example, a user authenticates on abc.com, gets set up with SSL, is then redirected to abc.net, but does not have to reauthenticate for an SSL session? I know cookies don't get passed between domains for security purposes but am wondering if there is an exception or some other way to do this?
Sign In·View Thread·PermaLink	1.00/5 (1 vote)

Re: SSO Across Domains

Michal Altair Valasek

13:39 14 Oct '04

You must use something other than cookies. For example pass the authentication ticket in URL. Michal Altair Valasek - http://www.rider.cz Doing my best for keeping freedom safe from democracy.
Sign In·View Thread·PermaLink	1.50/5 (2 votes)

ASP

matzy

8:01 24 Sep '04

Anyone know if it is possible to duplicate the encrypted cookie in ASP to allow SSO to ASP.NET apps? I can do DES/3DES encryption with COM components, but the question is what do I put in the cookie value? I know it's probably a serialized form of the auth ticket, but I'm having trouble extracting the cookie and decrypting it manually. I'm attempting the following:


string strDecKey = "684FC9301F404DE1B9565E7D952005579E823307BED44885";
string strEnc = Request.Cookies["FormsAuthCookie"].Value;

int discarded = 0;
byte[] decKey = Utility.HexEncoding.GetBytes(strDecKey, out discarded);
byte[] inBytes = Convert.FromBase64String(strEnc);
using(TripleDESCryptoServiceProvider des = new TripleDESCryptoServiceProvider())
using(MemoryStream ms = new MemoryStream(inBytes.Length))
using(CryptoStream cs = new CryptoStream(ms, des.CreateDecryptor(decKey, null), CryptoStreamMode.Read))
{
	ms.Write(inBytes, 0, inBytes.Length);
	ms.Position = 0;  
	this.lblDecrypted.Text = new StreamReader(cs).ReadToEnd();
	cs.Close();
}

Here's the HexEncoding class I'm using to convert the decryption key to a byte array. The problem I think is that I'm passing null for the IV param to CreateDecryptor(). I have no idea what to pass there.

Once I have this, I'll hopefully figure out how to setup that cookie from a VBScript page.

Last Visit: 14:49 6 Jul '09 Last Update: 14:49 6 Jul '09

12 3 Next »

General News Question Answer Joke Rant Admin

PermaLink | Privacy | Terms of Use
Last Updated: 31 Mar 2004
Editor: Smitha Vijayan