Using FormsAuthentication between two ASP.NET web applications

Posted on 2004-08-26
Last Modified: 2012-06-27
I am adding functionality to an existing web application based on DotNetNuke, which uses FormsAuthentication for user authentication. One page I am working on allows the user to edit their personal settings such as name, address, e-mail details etc. They will also be able to edit their credit card details which are used for the recurring monthly payment for our website.

I want to put the "Edit Credit Card Details" page behind a secure connection. We have our main website ( which hosts the main application. We also have another domain: which has a valid certificate for SSL. I have tried creating a second Web Application to run on the secure server, allowing the credit card related communication to be secure.

When I use Response.Redirect() from the first project to send the user to the second one, any checking of Request.IsAuthenticated returns false, even when the requests in the other application were authenticated. I realise this must be due to the fact that I am running two separate applications. The problem is that I don't want to force the user to log in a second time. The transition from open server to secure server should be fairly smooth and swift for the user.

How can I best allow the user to edit their credit card details behind SSL while keeping the rest of the website outside of the secure server?
Question by: tacf

Expert Comment

ID: 11907572
The best way would be to put the entire site on the secure server.

If not, then you need to create a cookie file for the secure domain from the non-secure domain. Then when the user gets to the secure page, check for cookies and authenticate automatically if it exists.

If this does not make sense let me know and I will search for an example.

Author Comment

ID: 11907667
I don't want to put the whole thing on the secure server because it would really hit performance, as far as I can tell, and it'd be a pretty major operation. (My deadline is REALLY close, so I'm in a bit of a panic here!)

I believe that the first application creates a cookie when the user is authenticated so I can check for the existence of that cookie on the secure server. However, I don't really know how to extract the userid from that cookie so I can subsequently retrieve the username/password from the server to do the all important AuthenticateAndRedirectUser(username, password) command.

Expert Comment

ID: 11907870
This is super simple.  

Find where the cookie is created on the non-secure server.

Then copy that code and paste it again in the same spot, except this time set the domain property to be

See here:

Now when a script on looks for the info it will find it in its own cookie.

Author Comment

ID: 11907936
I'll try this. There's one slight complication. The cookie that stores the user's data is specified in the web.config file:

    <authentication mode="Forms">
      <forms name=".DOTNETNUKE" protection="All" timeout="60" />
    </authentication>

I have confirmed this by changing the name in the quotes and noting that the name of the cookie changes. The cookie contains a single value which is a big long messy string like JKBWEBWEITBEIOWRBEOWIROIETN, probably encrypted or something like that. Is there a way of extracting the data from such a cookie?

Author Comment

ID: 11908159
I've found out some more info but I fear I'm heading towards a dead end.

1) The cookie that's created by the FormsAuthentication is called ".DOTNETNUKE" (as specified in the web.config file) and its value is a big nasty string.

2) I can extract the FormsAuthenticationTicket from this cookie:

    Dim ticket As FormsAuthenticationTicket = FormsAuthentication.Decrypt(Request.Cookies(".DOTNETNUKE").Value)

3) I can then use ticket.Name to find the userID that matches the identity column of the [Users] table in my SQL Database.

There's only one problem with this, the FormsAuthentication.Decrypt() method fails when I run it in the other application. I get an exception:

    System.Security.Cryptography.CryptographicException: Bad Data

Even though both of my web.config files have the same structure for authentication, the data contained in the cookie must specify the application it belongs to as a security measure. Maybe this technique is not the right way to do it.

At the very least, I have learned that the existence of a .DotNetNuke cookie means someone is logged in. That's at least a start. I just need to find a way of getting the userid.
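
The `Bad Data` exception in the comment above is consistent with the two applications using different machine keys: by default ASP.NET auto-generates a separate key per application, so a ticket encrypted by one cannot be decrypted by the other. The web.config fragment below is an added example, not part of the original thread; the key values are placeholders, and it assumes the browser actually sends the `.DOTNETNUKE` cookie to the second application.

```xml
<!-- Added example, not from the original thread. Key values are placeholders. -->

<!-- Default inherited from machine.config: keys are auto-generated and
     isolated per application, so FormsAuthentication.Decrypt() in one
     application rejects a ticket issued by another.

<machineKey validationKey="AutoGenerate,IsolateApps"
            decryptionKey="AutoGenerate,IsolateApps"
            validation="SHA1" />
-->

<!-- Shared setting: put the SAME explicit keys in the web.config of BOTH
     applications, and keep the forms name, protection and path identical. -->
<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_SAME_HEX_VALIDATION_KEY_IN_BOTH_APPS"
                decryptionKey="PLACEHOLDER_SAME_HEX_DECRYPTION_KEY_IN_BOTH_APPS"
                validation="SHA1" />
    <authentication mode="Forms">
      <forms name=".DOTNETNUKE" protection="All" timeout="60" path="/" />
    </authentication>
  </system.web>
</configuration>
```

Anyone holding these keys can create tickets that both applications accept, so generate them with a cryptographic random generator and protect them like any other secret.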

Expert Comment

ID: 11911024
Hi all,

I do not know ASP so maybe this won't help much, but just in case here it is:
- once the user is authenticated, you could store that information on the server by saving (to a database for example) its session ID (there must be a way of getting the browser session ID in ASP).
- when the user is on the nonsecure server, have the server-side scripts check the database to see if a matching browser session ID is declared as authenticated.

From what I know, session IDs are attributed to the browser by the server in some unique way (another one of those big long gibberish strings), so if on one end a session ID is declared as authentic, the same session ID on the other end should be the same exact authenticated browser!

Hope that helps!


Expert Comment

ID: 11920170
Just try using a state server for your applications.

That way the cookies will still be valid between requests.

First thing you want to do is set the Mode attribute of the Sessionstate element to "StateServer":


changes to


Set up a state server on the web server by starting the "ASP.NET Session Server" service.
Configure the StateConnectionString attribute so that it points to your state server.

To find out more:

Accepted Solution

RomMod earned 0 total points
ID: 12411447
The question has been PAQ'd and the 500 points have been refunded.
Community Support Moderator
