Click here to Skip to main content
15,867,453 members
Articles / Web Development / ASP.NET
Article

Single sign-on across multiple applications in ASP.NET

Rate me:
Please Sign up or sign in to vote.
4.60/5 (35 votes)
31 Mar 20042 min read 449.6K   149   56
By default, Forms authentication does not support single sing-on accross multiple applications. But is not too complicated to tweak it the appropriate way.

Introduction

I prefer to use the Forms authentication for most of my applications. And most of my projects consist of a few relatively independent parts running on subdomains of the main domain. It would be nice to have single sign-on, so if you are logged on at www.example.com, you would be recognized also at everything.example.com.

Forms authentication by default does not support this feature, but is not too complicated to tweak it the appropriate way.

Behind the Forms authentication

Technology behind the Forms authentication is simple: it would create a cookie of defined name (attribute name of forms attribute in web.config). The cookie would contain encrypted authentication data.

To protect user's privacy and for security reasons, you can only read cookies that you wrote. They're associated with server hostname by default. But the cookie standard supports making cookies accessible for entire domain in which the server lies. It means that from server1.example.com, you can work with cookies for both server1.example.com and example.com.

You can set domain-wide cookie only for second level domain, or for third level domain if second level domain contains three or less characters. It means that you cannot set cookie for domain "com" or "co.uk", but can for "example.com" or "example.co.uk".

So, only what you need is to make authentication cookies domain-wide.

Setting it up

You must setup authentication in system.web section of your web.config file as usual, for example:

XML
<authentication mode="Forms">
  <forms name=".EXAMPLE-AUTH" loginUrl="/Login.aspx" 
               protection="All" timeout="30" path="/" />
</authentication>

As I said before, the authentication cookie is encrypted. By default, encryption key is generated automatically. But if you need more servers to cooperate, you need to have the keys same on both servers. This can be done by adding the following to system.web section of web.config:

XML
<machineKey
  validationKey="BD52058A3DEA473EA99F29418689528A494DF2B00054BB7C" 
  decryptionKey="684FC9301F404DE1B9565E7D952005579E823307BED44885" 
/>

The values of validation and decryption key should be 16 (for DES) or 48 (for TripleDES) characters long hexadecimal numbers.

Signing on

You must modify the authentication cookie before sending it to the client, by specifying your domain name. The code can be as follows (assumes that user has been authenticated and his name is stored in string variable UserName):

VB
Dim C As System.Web.HttpCookie = _
         System.Web.Security.FormsAuthentication.GetAuthCookie(UserName, False)
C.Domain = "example.com"
Response.AppendCookie(C)
Response.Redirect(System.Web.Security.FormsAuthentication.GetRedirectUrl(UserName, 
                                                                           False))

Signing off

Usually, there is no need to make something special to sign the user off - just call System.Web.Security.FormsAuthentication.SignOut(). But not in this case - the SignOut() method is unable to deal with domain-wide cookies.

You need to delete the cookie manually. And the only way to delete a cookie is to set its expiration date to past. You may do it using the following code:

VB
Dim C As System.Web.HttpCookie = _
         Request.Cookies(System.Web.Security.FormsAuthentication.FormsCookieName)
C.Domain = "example.com"
C.Expires = DateTime.Now.AddDays(-1)
Response.Cookies.Add(C)

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here


Written By
Software Developer Altairis
Czech Republic Czech Republic

Software architect and developer in Altairis, dev shop in Czech republic. Microsoft Most Valuable Professional (MVP) since 2004.


See my open source project at Codeplex.


Comments and Discussions

 
Questionasp.net sso Pin
wissamtannous2-Oct-13 22:23
wissamtannous2-Oct-13 22:23 
GeneralThanks Pin
debayan nanda23-Apr-11 9:32
debayan nanda23-Apr-11 9:32 
GeneralSSO in ASP.NET to view SAP IView Pin
Netweb9-Nov-09 2:37
Netweb9-Nov-09 2:37 
GeneralCookies Across Domains Pin
mohit232320-Apr-08 1:26
mohit232320-Apr-08 1:26 
GeneralFacing problem with Domain and subdomain Pin
Javad Mehmood26-Dec-07 8:37
Javad Mehmood26-Dec-07 8:37 
GeneralRe: Facing problem with Domain and subdomain Pin
PranjaliBhide13-Aug-08 3:18
PranjaliBhide13-Aug-08 3:18 
Questionon different domains? Pin
dagarwal827-Nov-06 20:24
dagarwal827-Nov-06 20:24 
GeneralLogging out not working. Pin
Nigel Liefrink 221-Aug-06 20:39
Nigel Liefrink 221-Aug-06 20:39 
GeneralProblem when is not persistant Pin
Farshid Zavareh15-Mar-06 9:11
Farshid Zavareh15-Mar-06 9:11 
GeneralRe: Problem when is not persistant Pin
Farshid Zavareh16-Mar-06 1:35
Farshid Zavareh16-Mar-06 1:35 
Questionlocalhost Pin
xgnitesh9-Feb-06 5:45
xgnitesh9-Feb-06 5:45 
AnswerRe: localhost Pin
davidhart4-Sep-07 6:57
davidhart4-Sep-07 6:57 
QuestionRe: localhost Pin
Ofir-z1-Aug-08 5:37
Ofir-z1-Aug-08 5:37 
AnswerRe: localhost Pin
Ofir-z1-Aug-08 5:44
Ofir-z1-Aug-08 5:44 
GeneralTIcket pass Worked in ASP 1.1 but not in 2.0.. Pin
Pchao25-Dec-05 16:21
Pchao25-Dec-05 16:21 
GeneralRe: TIcket pass Worked in ASP 1.1 but not in 2.0.. Pin
mrbikejoc7-Feb-08 14:52
professionalmrbikejoc7-Feb-08 14:52 
GeneralPls highlight the importance of &lt;machineKey&gt; Pin
Anonymous20-Oct-05 9:17
Anonymous20-Oct-05 9:17 
GeneralCannot logout Pin
Jong-Hyun9-May-05 11:06
Jong-Hyun9-May-05 11:06 
GeneralJOSSO Single Sign-On supports ASP Pin
Anonymous8-Mar-05 2:50
Anonymous8-Mar-05 2:50 
GeneralRe: JOSSO Single Sign-On supports ASP Pin
ayurhdfkl1-Aug-07 0:02
ayurhdfkl1-Aug-07 0:02 
Questioniframe and form authentication? Pin
devvvy18-Feb-05 20:08
devvvy18-Feb-05 20:08 
GeneralSingle sign on within sub domain Pin
Gurumoorthi Kumar2-Jan-05 18:09
sussGurumoorthi Kumar2-Jan-05 18:09 
GeneralRe: Single sign on within sub domain Pin
DevDude26-Jan-06 11:35
DevDude26-Jan-06 11:35 
GeneralA better way Pin
Anonymous23-Dec-04 8:39
Anonymous23-Dec-04 8:39 
GeneralRe: A better way Pin
Michal Altair Valášek23-Dec-04 9:54
Michal Altair Valášek23-Dec-04 9:54 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.