Using FormsAuthentication between two ASP.NET web applications

Posted on 2004-08-26
Last Modified: 2012-06-27
I am adding functionality to an existing web application based on DotNetNuke, which uses FormsAuthentication for user authentication. One page I am working on allows the user to edit their personal settings such as name, address, e-mail details etc. They will also be able to edit their credit card details which are used for the recurring monthly payment for our website.

I want to put the "Edit Credit Card Details" page behind a secure connection. We have our main website ( which hosts the main application. We also have another domain: which has a valid certificate for SSL. I have tried creating a second Web Application to run on the secure server, allowing the credit card related communication to be secure.

When I use Response.Redirect() from the first project to send the user to the second one, any checking of Request.IsAuthenticated returns false, even when the requests in the other application were authenticated. I realise this must be due to the fact that I am running two separate applications. The problem is that I don't want to force the user to log in a second time. The transition from open server to secure server should be fairly smooth and swift for the user.

How can I best allow the user to edit their credit card details behind SSL while keeping the rest of the website outside of the secure server?
Question by: tacf

Expert Comment

ID: 11907572
The best way would be to put the entire site on the secure server.

If not then you need to create a cookie file for the secure domain from the non-secure domain. Then when the user gets to the secure page, check for cookies and authenticate automatically if it exists.

if this does not make sense let me know and I will search for an example.

Author Comment

ID: 11907667
I don't want to put the whole thing on the secure server because it would really hit performance, as far as I can tell, and it'd be a pretty major operation. (My deadline is REALLY close, so I'm in a bit of a panic here!)

I believe that the first application creates a cookie when the user is authenticated so I can check for the existence of that cookie on the secure server. However, I don't know really how to extract the userid from that cookie so I can subsequently retrieve the username/password from the server to do the all important AuthenticateAndRedirectUser(username, password) command.

Expert Comment

ID: 11907870
This is super simple.  

Find where the cookie is created on the non-secure server.

Then copy that code and paste it again in the same spot, except this time set the domain property to be

see here:

now when a script on looks for the info it will find it in its own cookie.

Author Comment

ID: 11907936
I'll try this. There's one slight complication. The cookie that stores the user's data is specified in the web.config file:

    <authentication mode="Forms">
      <forms name=".DOTNETNUKE" protection="All" timeout="60" />
    </authentication>

I have confirmed this by changing the name in the quotes and noting that the name of the cookie changes. The cookie contains a single value which is a big long messy string like JKBWEBWEITBEIOWRBEOWIROIETN, probably encrypted or something like that. Is there a way of extracting the data from such a cookie?

Author Comment

ID: 11908159
I've found out some more info but I fear I'm heading towards a dead end.

1) The cookie that's created by the FormsAuthentication is called ".DOTNETNUKE" (as specified in the web.config file) and its value is a big nasty string.

2) I can extract the FormsAuthenticationTicket from this cookie:

Dim ticket As FormsAuthenticationTicket = FormsAuthentication.Decrypt(Request.Cookies(".DOTNETNUKE").Value)

3) I can then use ticket.Name to find the userID that matches the identity column of the [Users] table in my SQL Database.

There's only one problem with this, the FormsAuthentication.Decrypt() method fails when I run it in the other application. I get an exception:

System.Security.Cryptography.CryptographicException: Bad Data

Even though both of my web.config files have the same structure for authentication, the data contained in the cookie must specify the application it belongs to as a security measure. Maybe this technique is not the right way to do it.

At the very least, I have learned that the existence of a .DotNetNuke cookie means someone is logged in. That's at least a start. I just need to find a way of getting the userid.
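An added example (not code from this thread or from DotNetNuke) tying together the cookie-domain advice above and the "Bad Data" exception: FormsAuthentication.Decrypt fails in the second application because each application validates and decrypts with its own auto-generated machineKey, so the two web.config files must share one explicit machineKey, and the cookie must be issued for the parent domain. The hostnames www.example.com / secure.example.com, the parent domain .example.com and the key values are assumptions.

```vbnet
' Added example (not from the thread or DotNetNuke). "Bad Data" from Decrypt means the two
' applications use different auto-generated machine keys, so BOTH web.config files need the
' same <machineKey> (placeholder values; the <forms> element stays as quoted in the thread):
'   <machineKey validationKey="REPLACE-WITH-128-HEX-CHARS"
'               decryptionKey="REPLACE-WITH-48-HEX-CHARS" validation="SHA1" />
' With the keys shared, the cookie only has to reach the second host; setting Domain does
' that (assumed hosts: www.example.com and secure.example.com under .example.com).
Imports System
Imports System.Web
Imports System.Web.Security
Imports System.Security.Cryptography

Public Class SharedAuthCookie
    Private Const CookieName As String = ".DOTNETNUKE"    ' from the thread's web.config
    Private Const ParentDomain As String = ".example.com" ' assumption

    ' Open site: issue the ticket so every host under the parent domain receives it.
    Public Shared Sub Issue(ByVal response As HttpResponse, ByVal userName As String, ByVal persistent As Boolean)
        Dim cookie As HttpCookie = FormsAuthentication.GetAuthCookie(userName, persistent)
        cookie.Domain = ParentDomain
        ' The Secure flag is deliberately not set: the open (HTTP) site must still read
        ' this cookie, so the ticket's protection rests on protection="All" in <forms>.
        response.Cookies.Add(cookie)
    End Sub

    ' Secure site: decrypt the shared ticket and return ticket.Name (the value that maps
    ' to the identity column of [Users]), or Nothing when there is no valid ticket.
    Public Shared Function TryGetUserName(ByVal request As HttpRequest) As String
        Dim cookie As HttpCookie = request.Cookies(CookieName)
        If cookie Is Nothing OrElse cookie.Value Is Nothing OrElse cookie.Value.Length = 0 Then
            Return Nothing
        End If
        Try
            Dim ticket As FormsAuthenticationTicket = FormsAuthentication.Decrypt(cookie.Value)
            ' Decrypt does not check expiry for you; a stale ticket must be rejected here.
            If ticket Is Nothing OrElse ticket.Expired Then Return Nothing
            Return ticket.Name
        Catch ex As CryptographicException
            ' Different machineKey on this application, or a tampered/corrupted cookie.
            Return Nothing
        End Try
    End Function
End Class
```

Once TryGetUserName returns a name on the secure site, the user can be treated as authenticated there without a second login; a Nothing result should fall through to the normal login page.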

Expert Comment

ID: 11911024
Hi all,

I do not know ASP so maybe this won't help much, but just in case here it is :
- once the user is authenticated, you could store that information on the server by saving (to a database for example) its session ID (there must be a way of getting the browser session ID in ASP).
- when the user is on the non-secure server, have the server-side scripts check the database to see if a matching browser session ID is declared as authenticated.

From what I know, session IDs are attributed to the browser by the server in some unique way (another one of those big long gibberish strings), so if on one end a session ID is declared as authentic, the same session ID on the other end should be the same exact authenticated browser!

Hope that helps!


Expert Comment

ID: 11920170
Just try using a state server for your applications.

That way the cookies will still be valid between requests.

First thing you want to do is set the Mode attribute of the sessionState element to "StateServer":


changes to


Set up a state server on the web server by starting the "ASP.NET Session Server" service.
Configure the StateConnectionString attribute so that it points to your state server.

To find out more:

Accepted Solution

RomMod earned 0 total points
ID: 12411447
The question has been PAQ'd and the 500 points have been refunded.
Community Support Moderator
