Using FormsAuthentication between two ASP.NET web applications

Posted on 2004-08-26
Last Modified: 2012-06-27
I am adding functionality to an existing web application based on DotNetNuke, which uses FormsAuthentication for user authentication. One page I am working on allows the user to edit their personal settings such as name, address, e-mail details etc. They will also be able to edit their credit card details which are used for the recurring monthly payment for our website.

I want to put the "Edit Credit Card Details" page behind a secure connection. We have our main website ( which hosts the main application. We also have another domain: which has a valid certificate for SSL. I have tried creating a second Web Application to run on the secure server, allowing the credit card related communication to be secure.

When I use Response.Redirect() from the first project to send the user to the second one, any checking of Request.IsAuthenticated returns false, even when the requests in the other application were authenticated. I realise this must be due to the fact that I am running two separate applications. The problem is that I don't want to force the user to log in a second time. The transition from open server to secure server should be fairly smooth and swift for the user.

How can I best allow the user to edit their credit card details behind ssl while keeping the rest of the website outside of the secure server?
Question by:tacf

Expert Comment

ID: 11907572
The best way would be to put the entire site on the secure server.

If not then you need to create a cookie file for the secure domain from the non-secure domain.  then when the user gets to the secure page, check for cookies and authenticate autimatically if it exists.

if this does not make sense let me know and I will search for an example.

Author Comment

ID: 11907667
I don't want to put the whole thing on the secure server because it would really hit performance, as far as I can tell, and it'd be a pretty major operation. (My deadline is REALLY close, so I'm in a bit of a panic here!)

I believe that the first application creates a cookie when the user is authenticated so I can check for the existance of that cookie on the secure server. However, I don't know really how to extract the userid from that cookie so I can subsequently retrieve the username/password from the server to do the all important AuthenticateAndRedirectUser(username, password) command.

Expert Comment

ID: 11907870
This is super simple.  

Find where the cookie is created on the non-secure server.

then copy that code and paste it again in the same spot, except this time set the domain property to be

see here:

now when a script on looks for the info it will find it in its own cookie.

Author Comment

ID: 11907936
I'll try this. There's one slight complication. The cookie that stores the user's data is specified in the web.config file:

    <authentication mode="Forms">
      <forms name=".DOTNETNUKE" protection="All" timeout="60" />

I have confirmed this by changing the name in the quotes and noting that the name of the cookie changes. The cookie contains a single value which is a big long messy string like JKBWEBWEITBEIOWRBEOWIROIETN, probably encrypted or something like that. Is there a way of extracting the data from such a cookie?
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!


Author Comment

ID: 11908159
I've found out some more info but I fear I'm heading towards a dead end.

1) The cookie that's created by the FormsAuthentication is called ".DOTNETNUKE" (as specified in the web.config file) and its value is a big nasty string.

2) I can extract the FormsAuthenticationTicket from this cookie:

Dim ticket As FormsAuthenticationTicket = FormsAuthentication.Decrypt(Request.Cookies(".DOTNETNUKE").Value)

3) I can then use ticket.Name to find the userID that matches the identity column of the [Users] table in my SQL Database.

There's only one problem with this, the FormsAuthentication.Decrypt() method fails when I run it in the other application. I get an exception:

System.Security.Cryptography.CryptographicException: Bad Data

Even though both of my web.config files have the same structure for authentication, the data contained in the cookie must specify the application it belongs to as a security measure. Maybe this technique is not the right way to do it.

At the very least, I have learned that the existance of a .DotNetNuke cookie means someone is logged in. That's at least a start.I just need to find a way of getting the userid.

Expert Comment

ID: 11911024
Hi all,

I do not know ASP so maybe this won't help much, but just in case here it is :
- once the user is authenticated, you could store that information on the server by saving (to a database for example) it's session ID (there must be a way of getting the browser session ID in ASP).
- when the user is on the nonsecure server, have the server-side scripts check the dtabase to see if a matching browser session ID is declared as authenticated.

From what I know, session IDs are attributed to the browser by the server in some unique way (another one of those big long gibberish strings), so if on one end a session ID is declared as authentic, the same session ID on the other end should be the same exact authenticated browser !

Hope that helps !


Expert Comment

ID: 11920170
Just try using a state server for your applications.

That way the cookies will still be valid between requests.

First thing you want to do is set the Mode attribut of the Sessionstate element to "StateServer":


changes to


Set up a state server on the web server by starting the "ASP.NET Session Server" service.
Configure the StateConnectionString attribute so that it points to your state server.

To find out more:

Accepted Solution

RomMod earned 0 total points
ID: 12411447
The question has been PAQ'd and the 500 points have been refunded.
Community Support Moderator

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Although it can be difficult to imagine, someday your child will have a career of his or her own. He or she will likely start a family, buy a home and start having their own children. So, while being a kid is still extremely important, it’s also …
Boost your ability to deliver ambitious and competitive web apps by choosing the right JavaScript framework to best suit your project’s needs.
This tutorial demonstrates how to identify and create boundary or building outlines in Google Maps. In this example, I outline the boundaries of an enclosed skatepark within a community park.  Login to your Google Account, then  Google for "Google M…
Any person in technology especially those working for big companies should at least know about the basics of web accessibility. Believe it or not there are even laws in place that require businesses to provide such means for the disabled and aging p…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now