Using FormsAuthentication between two ASP.NET web applications

I am adding functionality to an existing web application based on DotNetNuke, which uses FormsAuthentication for user authentication. One page I am working on allows the user to edit their personal settings such as name, address, e-mail details etc. They will also be able to edit their credit card details which are used for the recurring monthly payment for our website.

I want to put the "Edit Credit Card Details" page behind a secure connection. We have our main website ( which hosts the main application. We also have another domain: which has a valid certificate for SSL. I have tried creating a second Web Application to run on the secure server, allowing the credit card related communication to be secure.

When I use Response.Redirect() from the first project to send the user to the second one, any checking of Request.IsAuthenticated returns false, even when the requests in the other application were authenticated. I realise this must be due to the fact that I am running two separate applications. The problem is that I don't want to force the user to log in a second time. The transition from open server to secure server should be fairly smooth and swift for the user.

How can I best allow the user to edit their credit card details behind ssl while keeping the rest of the website outside of the secure server?
Who is Participating?
RomModConnect With a Mentor Commented:
The question has been PAQ'd and the 500 points have been refunded.
Community Support Moderator
The best way would be to put the entire site on the secure server.

If not then you need to create a cookie file for the secure domain from the non-secure domain.  then when the user gets to the secure page, check for cookies and authenticate autimatically if it exists.

if this does not make sense let me know and I will search for an example.
tacfAuthor Commented:
I don't want to put the whole thing on the secure server because it would really hit performance, as far as I can tell, and it'd be a pretty major operation. (My deadline is REALLY close, so I'm in a bit of a panic here!)

I believe that the first application creates a cookie when the user is authenticated so I can check for the existance of that cookie on the secure server. However, I don't know really how to extract the userid from that cookie so I can subsequently retrieve the username/password from the server to do the all important AuthenticateAndRedirectUser(username, password) command.
The new generation of project management tools

With’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

This is super simple.  

Find where the cookie is created on the non-secure server.

then copy that code and paste it again in the same spot, except this time set the domain property to be

see here:

now when a script on looks for the info it will find it in its own cookie.
tacfAuthor Commented:
I'll try this. There's one slight complication. The cookie that stores the user's data is specified in the web.config file:

    <authentication mode="Forms">
      <forms name=".DOTNETNUKE" protection="All" timeout="60" />

I have confirmed this by changing the name in the quotes and noting that the name of the cookie changes. The cookie contains a single value which is a big long messy string like JKBWEBWEITBEIOWRBEOWIROIETN, probably encrypted or something like that. Is there a way of extracting the data from such a cookie?
tacfAuthor Commented:
I've found out some more info but I fear I'm heading towards a dead end.

1) The cookie that's created by the FormsAuthentication is called ".DOTNETNUKE" (as specified in the web.config file) and its value is a big nasty string.

2) I can extract the FormsAuthenticationTicket from this cookie:

Dim ticket As FormsAuthenticationTicket = FormsAuthentication.Decrypt(Request.Cookies(".DOTNETNUKE").Value)

3) I can then use ticket.Name to find the userID that matches the identity column of the [Users] table in my SQL Database.

There's only one problem with this, the FormsAuthentication.Decrypt() method fails when I run it in the other application. I get an exception:

System.Security.Cryptography.CryptographicException: Bad Data

Even though both of my web.config files have the same structure for authentication, the data contained in the cookie must specify the application it belongs to as a security measure. Maybe this technique is not the right way to do it.

At the very least, I have learned that the existance of a .DotNetNuke cookie means someone is logged in. That's at least a start.I just need to find a way of getting the userid.
Hi all,

I do not know ASP so maybe this won't help much, but just in case here it is :
- once the user is authenticated, you could store that information on the server by saving (to a database for example) it's session ID (there must be a way of getting the browser session ID in ASP).
- when the user is on the nonsecure server, have the server-side scripts check the dtabase to see if a matching browser session ID is declared as authenticated.

From what I know, session IDs are attributed to the browser by the server in some unique way (another one of those big long gibberish strings), so if on one end a session ID is declared as authentic, the same session ID on the other end should be the same exact authenticated browser !

Hope that helps !

Just try using a state server for your applications.

That way the cookies will still be valid between requests.

First thing you want to do is set the Mode attribut of the Sessionstate element to "StateServer":


changes to


Set up a state server on the web server by starting the "ASP.NET Session Server" service.
Configure the StateConnectionString attribute so that it points to your state server.

To find out more:
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.