Allow cross authentication between web applications

I have a web application with its own user table. I want to integrate a bulletin board with the web site.

The problem is my web application is written in VB.NET and the bulletin board is written in C#. Since this is the case they will have to run as two separate web applications and cannot share session data.

My question is how can I share or pass session data so that if the user is logged into my web application they are automatically logged into the bulletin board when the bulletin board is accessed.

I have viewed the following article from MSDN  http://support.microsoft.com/default.aspx?scid=kb;en-us;307467

However, I don't think the MSDN option is viable in my case since I can't use a single consolidated web config file as the code languages are different and each separate project has certain things happening in its respective global.asax file.

Will the MSDN solution still work for me if modified correctly? If not what is the best way to perform this cross-authentication by passing session data?

Please do not say pass through a query string as this is just not secure enough for my purposes.
Asked by: throttlenet

raterus commented:
Is the bulletin board software of your own design, or a canned product for which you have access to the source code?

Hopefully (This is a big IF), the bulletin board software was done in ASP.net 2.0, and uses the MembershipProvider, that way you could modify the web.config to use your own provider, but if I had to guess it's not like that.

Your other options aren't as easy; somehow you have to pass authentication information to the entry page of the bulletin board application.  Assuming you can modify the code that authenticates in the bulletin board software, you might want to look at setting an encrypted cookie (or querystring) in your main app that the bulletin board software can interpret as "ok to authenticate" based on perhaps a shared key in both applications.  For example, in your main app, you have their username.  You can then hash their username + shared key to create a mess of a string.  Pass that to the bulletin board, along with their username in plain text.  Your bulletin board software then hashes the username/shared key and the two had better match or they are not authenticated.
0
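
The shared-key check raterus describes, as an added example that is not code from the thread. It goes beyond the post in two ways: it uses HMAC-SHA256 rather than a bare hash of username plus key, and it signs an expiry time so a captured value stops working after a while. The names `SsoToken`, `Issue` and `Validate` and the `username|expiry|mac` layout are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: SsoToken, Issue and Validate are hypothetical names.
public static class SsoToken
{
    // Main app, at login: returns "username|expiryUnixSeconds|hexMac" for the cookie.
    public static string Issue(string username, byte[] sharedKey, TimeSpan lifetime, DateTime utcNow)
    {
        if (username.IndexOf('|') >= 0)
            throw new ArgumentException("username must not contain '|'");
        string payload = username + "|" + ToUnix(utcNow.Add(lifetime));
        return payload + "|" + Mac(payload, sharedKey);
    }

    // Bulletin board, on each request: returns the username, or null if the
    // token is malformed, was not produced with the shared key, or has expired.
    public static string Validate(string token, byte[] sharedKey, DateTime utcNow)
    {
        if (token == null) return null;
        string[] parts = token.Split('|');
        long expires;
        if (parts.Length != 3 || !long.TryParse(parts[1], out expires)) return null;
        string expected = Mac(parts[0] + "|" + parts[1], sharedKey);
        if (!ConstantTimeEquals(expected, parts[2])) return null; // check the MAC first
        if (ToUnix(utcNow) > expires) return null;                // then the signed expiry
        return parts[0];
    }

    static string Mac(string payload, byte[] key)
    {
        using (HMACSHA256 hmac = new HMACSHA256(key))
            return BitConverter.ToString(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload))).Replace("-", "");
    }

    // Compare without stopping at the first differing character.
    static bool ConstantTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static long ToUnix(DateTime utc)
    {
        return (long)(utc - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
    }
}
```

Both applications load the same randomly generated key from their own configuration; the username travels in plain text, as in the post, so the token proves who issued it but hides nothing.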
dtryon commented:
The way we solved a similar issue was to attach an HttpModule that simply checks authentication information to the 'child' app.  Then we added a database table that received entries for logged in users to manage the state.  However, since you are both in .NET, managing state may be easier.

The HttpModule will run for each web request.
0

throttlenet (author) commented:
Raterus,

The bulletin board is a canned product which is not in .Net 2.0 - We have considered and mapped out a potential solution utilizing passing an encrypted variable and some database work.


dtryon, can you elaborate a little further on your solution and provide some detail on how to implement this?
0
throttlenet (author) commented:
What about using SQL Server Out of Proc to store my session values? Does this give me access to another way to accomplish this task?
0
dtryon commented:
Hi,
Yes, let me elaborate a little further.  Not sure if this is a good fit for your situation, but hopefully this post will help you consider it.  Since an HttpModule runs at every web request, it is easy to insert some code into one of its hook methods in order to check for security conditions.  HttpModules are pretty easy to get up and running as well.  The scenario that we had was one where we essentially wanted a single sign on through one 'gateway' site, which had a form.  For us, there was a forums web app that was third party.  We had our forums app placed in the same application, but in a sub-folder.  This set up the correct circumstances to use an HttpModule because everything was under one application domain and therefore we could add the HttpModule to the web.config.

Since an HttpModule runs at every web request, it helps eliminate a security module where you must add functionality to make a security check to every page of your application.  The code runs, but doesn't clutter the rest of your code.

HttpModules have many events that you can override and use to hook into.
For a quick refresher about HttpModules check out:
http://www.devx.com/dotnet/Article/6962/0/page/4

I also found this post which might be useful:
http://cephas.net/blog/2003/09/25/aspnet_httpmodule_security_example.html
0
dtryon commented:
Oh, I forgot to add that we used SQL server as a repository for security session variables.  We did this by generating a guid for each new user, and saving that information down to SQL server.  There may be a better way to do this, but it worked for us.  We used SQL server because one of our apps was a classic asp app and the other was a .NET app.

The main problem with this was cleaning the session information out of SQL server.  I tried to use the End_Session event, but that event acted a bit mysteriously since people usually just close their browser when done with a web app.

This was the MSDN article I read before using SQL Server:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspp/html/converttoaspnet.asp
0
throttlenet (author) commented:
dtryon,

Thanks for all the information, I will review the articles and give this a whirl. I'll let you know what we come up with and will award some points no matter which direction we go.
0
dtryon commented:
Best of luck,
I remember a good article that came through www.asp.net last month about HttpModules as Html filters.  If you could find that it may be of use as well.  It had more source code and went into the event cycle more in depth.  I looked quickly but couldn't find it.

Oh wait, just found it:

http://devel.oping.net/content/modifying-page-output-using-response-filters.aspx
0
throttlenet (author) commented:
Sweet, thanx, I will take a look at that also.
0
throttlenet (author) commented:
Thanx for all the help, I ended up not actually using the above solution but it is still an excellent solution and I will keep this in my bag of tricks for further use.

I actually solved the problem by using a cookie that contained encrypted values. Probably not the most elegant or 100% secure solution, but in my case this was an acceptable solution. The bulletin board was already using a cookie to store information so I went ahead and created the cookie on the main app's login. This allows the bulletin board to just load up with the user already authenticated.
0