• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 577
  • Last Modified:

ASP.NET Membership - One Login Multiple Domains

I have one .NET application which runs multiple websites - each on a different domain. (each website shows different products, but is controlled by the same application) If a user logs in to the website on one domain how can I set up that they will be logged in on all of the domains?
0
LockDev
Asked:
LockDev
  • 3
  • 3
1 Solution
 
David Johnson, CD, MVPOwnerCommented:
use the same aspdb database
0
 
Alan WarrenCommented:
Hi LockDev,

Did this the other day on my local dev server, it's definitely doable...

You need one sql database catalog that has the aspnet_membership objects installed.

Two or more sites with a valid connection string defined in their respective web.config files, for connecting to the SQL database catalog.

The web.config in the two or more sites need to intialise the membership provider and roles provider.

More info:
asp.net login.aspx DefaultMembershipProvider to query an sql table for users?

Using the same membership for multiple websites in asp.net

Alan
0
 
LockDevAuthor Commented:
I use the same aspdb database. On localhost once I am log into one website, I am logged into all webseites. However, on the live server, if I am logged into one website which is on domainA.com, I am not logged into domainB.com.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
Alan WarrenCommented:
You mean like Google accounts, if you log into your main google account, you don't have to login to gmail, webmaster tools, adsense and calendar, you are automatically authenticated in the other sites?

Google uses an AuthSub ticket stored in browser session, I guess you could create a session variable that's populated when the user logs into any of the sites, then when they navigate to the other site, the site checks for the session variable, if it exists and hasn't expired the membership provider logs the user in automatically.

You would need to store the ticket in session state encrypted, from which you could decrypt the users credentials.

Your login page on each site could have some onload procedure to check for the ticket, parse the login credentials and then invoke the Membership.ValidateUser method using the credentials gleaned from the session.    
    Dim strRoot As String = ""
    Dim UserName As String = ""
    Dim Password As String = ""
    If Session("UserName") IsNot Nothing Then
      ' it would be better if these values were encrypted.
      UserName = Session("UserName").ToString
      Password = Session("Password").ToString

    ' Call the constructor  to create an instance of NetworkCredential with the 
    ' specified user name and password. 
    Dim myCredentials As New System.Net.NetworkCredential(UserName, Password)

        ' try to login using the credentials we have
        If Membership.ValidateUser(UserName, Password) Then
          FormsAuthentication.RedirectFromLoginPage(UserName, True)
          
          ' get the web root path
          If Request.IsSecureConnection Then
            strRoot = String.Format("https://{0}{1}", Request.Url.Host, Page.ResolveUrl("~/"))
          Else
            strRoot = String.Format("http://{0}{1}", Request.Url.Host, Page.ResolveUrl("~/"))
          End If
          
          ' redirect user,
          ' might be nice to get the ReturnUrl from the login query string here.
          ' eg. ?ReturnUrl=%2fmembers%2f
          ' If request.querystring("ReturnUrl") isnot nothing then ...
          Response.Redirect(strRoot), False)

    End If

Open in new window

Alan
0
 
LockDevAuthor Commented:
Alan,

Thank you for your help. Will a session work between domains? Also, if a user closes their browser, then they would lose the session?
0
 
Alan WarrenCommented:
Hi LockDev,
Session will work for the current user between domains, using the same browser.

No guarantee to destroy session on closing the browser, cookie.expires determines the persistence of session. Easy enough to test, login using a browser, possibly good plan to test the big 3 browsers (IE,FF & GC); after logging in, kill the browser, then open the browser again, navigate to the site again, if you are still logged in, you have your answer; fairly sure you will be still logged in. All bets are off if you have opted for the browser to remember your login credentials, in which case you will definitely be logged in.

Alan
0
 
LockDevAuthor Commented:
I would like to revisit this issue. I was thinking about another possibilty. Is it possible to use the DotNetOpenAuth library where our main website is an OpenID provider and all the other websites are OpenID users.

Thank you.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now