65.9K
CodeProject is changing. Read more.
Home

Sharing Authentication Cookie between two ASP.NET Applications

Milan Mathew
starIconstarIconstarIconstarIcon
emptyStarIcon
starIcon

4.75/5 (4 votes)

Aug 10, 2012

CPOL
viewsIcon

61419

Sharing authentication information between applications.

Introduction

The objective is to explain how to share the same Authentication cookie information between two ASP.NET applications.

The Approach

Assume that there are two applications and wants to share the cookie between these applications below are the settings required to share authentication ticket(cookie) across applications.

Step I

Need to set the enableCrossAppRedirects, domain, and requireSSL in both the application config files, under forms section.

First, the application config file.

<authentication mode="Forms">
  <forms name="FormsAuthentication" path="/" loginUrl="Login.aspx"
     defaultUrl="Home.aspx" timeout="1000" cookieless="UseCookies"  
     enableCrossAppRedirects ="true" domain="10.12.88.81" 
     requireSSL="false"/>
</authentication>

A machine key is required to decrypt the ticket:

<!-- MACHINE KEY REQUIRED IN BOTH CONFIG FILES -->
<machineKey
     decryptionKey="A225194E99BCCB0F6B92BC9D82F12C2907BD07CF069BC8B4"
     validationKey="6FA5B7DB89076816248243B8FD7336CCA360DAF8" />

The second application config file should be,

<authentication mode="Forms">
  <forms name="FormsAuthentication" path="/" loginUrl="login.aspx"
    defaultUrl="PropertyList.aspx" timeout="1000"
    cookieless="UseCookies" enableCrossAppRedirects="true"
    domain="10.12.88.81" requireSSL="false"/>
</authentication>

And the Machine Key should be:

<machineKey
    decryptionKey="A225194E99BCCB0F6B92BC9D82F12C2907BD07CF069BC8B4"
    validationKey="6FA5B7DB89076816248243B8FD7336CCA360DAF8" />

Make sure that you are using the same machine keys in both the applications. 

Step II

The first application needs to use the following code while redirecting to the second application.

public static string FormatRedirectUrl(string redirectUrl)
{
    HttpContext c = HttpContext.Current;
    //Don’t append the forms auth ticket for unauthenticated users 
       or
    //for users authenticated with a different mechanism
    if (!c.User.Identity.IsAuthenticated ||
        !(c.User.Identity.AuthenticationType == "Forms"))
        return redirectUrl;
    //Determine if we need to append to an existing query-string or
      not
    string qsSpacer;

    if (redirectUrl.IndexOf('?') > 0)
        qsSpacer = "&";
    else
        qsSpacer = "?";
    //Build the new redirect URL. Assuming that currently using
    //forms authentication. Change the below FormsIdentity if required.
    string newRedirectUrl;
    string newRedirectUrl;
    FormsIdentity fi = (FormsIdentity)c.User.Identity;
    newRedirectUrl = redirectUrl + qsSpacer +
    FormsAuthentication.FormsCookieName + "=" +
    FormsAuthentication.Encrypt(fi.Ticket);
    return newRedirectUrl;
}

The redirectUrl in the above code should be /<WebPages>/SecondAppPage.aspx, then only can it hold  the cookies along with the Redirect call.