Sharing Authentication Cookie between two ASP.NET Applications

Introduction

The objective is to explain how to share the same Authentication cookie information between two ASP.NET applications.

The Approach

Assume that there are two applications and wants to share the cookie between these applications below are the settings required to share authentication ticket(cookie) across applications.

Step I

Need to set the enableCrossAppRedirects, domain, and requireSSL in both the application config files, under forms section.

First, the application config file.

<authentication mode="Forms">
  <forms name="FormsAuthentication" path="/" loginUrl="Login.aspx"
     defaultUrl="Home.aspx" timeout="1000" cookieless="UseCookies"  
     enableCrossAppRedirects ="true" domain="10.12.88.81" 
     requireSSL="false"/>
</authentication>

A machine key is required to decrypt the ticket:

<!-- MACHINE KEY REQUIRED IN BOTH CONFIG FILES -->
<machineKey
     decryptionKey="A225194E99BCCB0F6B92BC9D82F12C2907BD07CF069BC8B4"
     validationKey="6FA5B7DB89076816248243B8FD7336CCA360DAF8" />

The second application config file should be,

<authentication mode="Forms">
  <forms name="FormsAuthentication" path="/" loginUrl="login.aspx"
    defaultUrl="PropertyList.aspx" timeout="1000"
    cookieless="UseCookies" enableCrossAppRedirects="true"
    domain="10.12.88.81" requireSSL="false"/>
</authentication>

And the Machine Key should be:

<machineKey
    decryptionKey="A225194E99BCCB0F6B92BC9D82F12C2907BD07CF069BC8B4"
    validationKey="6FA5B7DB89076816248243B8FD7336CCA360DAF8" />

Make sure that you are using the same machine keys in both the applications.

Step II

The first application needs to use the following code while redirecting to the second application.

public static string FormatRedirectUrl(string redirectUrl)
{
    HttpContext c = HttpContext.Current;
    //Don’t append the forms auth ticket for unauthenticated users 
       or
    //for users authenticated with a different mechanism
    if (!c.User.Identity.IsAuthenticated ||
        !(c.User.Identity.AuthenticationType == "Forms"))
        return redirectUrl;
    //Determine if we need to append to an existing query-string or
      not
    string qsSpacer;

    if (redirectUrl.IndexOf('?') > 0)
        qsSpacer = "&";
    else
        qsSpacer = "?";
    //Build the new redirect URL. Assuming that currently using
    //forms authentication. Change the below FormsIdentity if required.
    string newRedirectUrl;
    string newRedirectUrl;
    FormsIdentity fi = (FormsIdentity)c.User.Identity;
    newRedirectUrl = redirectUrl + qsSpacer +
    FormsAuthentication.FormsCookieName + "=" +
    FormsAuthentication.Encrypt(fi.Ticket);
    return newRedirectUrl;
}

The redirectUrl in the above code should be /<WebPages>/SecondAppPage.aspx, then only can it hold the cookies along with the Redirect call.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

Milan Mathew

Architect

United States

Member

Google

A coder from india. Specialized in Microsoft Technologies (ASP.NET, C#, WPF, MVVM, WCF, Biztalk)

Additional experience in Optical Character recognition (Acorde (Kofax) & Oracle IPM 7.7)

Article Top

Poor

Excellent

Add a reason or comment to your vote: x
Votes of 3 or less require a comment

Sharing authentication information between applications.

Type	Tip/Trick
Licence	CPOL
First Posted	10 Aug 2012
Views	6,579
Bookmarked	13 times

C#ASP.NET