Solved

Shared Forms authentication .NET Websites

Posted on 2013-12-05
Last Modified: 2013-12-15
We have one pre-existing web application that uses Forms authentication. We want to make a 1 page ASPX page in C# that would display the current logged in User Name or NOT LOGGED IN for the text.

This 1 Page website would be on the same server but a separate Application Pool and Separate Site.
The web URLs would be like

acme.com
sample.acme.com - 1 Page website - Default.aspx only.

I am more looking for a working example. What I have so far is this, but it is not carrying over the logged in state.

http://msdn.microsoft.com/en-us/library/eb0zx8fc.aspx
Question by:EazyWorks
7 Comments
 

Expert Comment

by:Dale Burrell
ID: 39700088
That only allows you to share the same login details, not the actual sessions.

i.e. All users can login and use both sites. But a session is only ever on the one site - there is no *easy* way to share sessions between the sites.

If you absolutely must run this as a separate site (which is what is adding the complexity) then off the cuff I reckon the easiest way would be to write a tiny web service on your main site which the second site can query to get a list of current logged in users. (Unless you store the sessions in SQL Server, in which case you can query the database directly).

Your web service would need to do something similar to this http://stackoverflow.com/questions/1470334/list-all-active-asp-net-sessions
 

Author Comment

by:EazyWorks
ID: 39707190
That is strange, as connecting to the same database to share the authentication would just require putting the same connection string, what is the point of these extra settings??
I was hoping someone else would also put up some information because I am not sure this is correct.

For example if I want application A and B to have the same log in(s) I would just need to authenticate with the same SQL connection string, the other info listed in the article about matching Machine keys, making sure the validation name is the same is all not needed.

I am pretty sure these settings are for what I was describing where you can save a session and move from site to site as long as you match up these settings correctly.

I get your suggestion as well, but we will not be doing it this way, but thanks.
 

Expert Comment

by:Dale Burrell
ID: 39707255
I can assure you I am correct - I've done a lot of work in this area.

Where you store the authentication details of the users who can login to your system is completely separate from where you store who is currently logged in.

You can happily share the database which stores the user details but you cannot (easily) share session state. You would have to write your own session management code.

Here are the details on how sessions are stored http://msdn.microsoft.com/en-us/library/ms178586.ASPX

By default they are stored 'InProc' i.e. in process memory. You can store them in SQL Server which in theory would mean you could roll your own session management, and then share them between sites. But out of the box you can't do that.

I hope that makes sense, that the list of allowed users is stored and managed completely separately from the list of sessions.

If you do a google search you will find the same answer https://www.google.co.nz/search?q=share+session+state+between+2+sites&oq=share+session+state+between+2+sites&aqs=chrome..69i57.6583j0j7&sourceid=chrome&espv=210&es_sm=93&ie=UTF-8

Of interest might be http://stackoverflow.com/questions/616046/passing-session-data-between-asp-net-applications which seems to imply you can solve the problem by having an external third party manage your sessions. Mozilla Persona does this also.

Good luck.
 

Author Comment

by:EazyWorks
ID: 39707311
I got it to work, thanks for your input.
 

Accepted Solution

by:EazyWorks
ID: 39709060
I ended up following this article and I think what I was missing was the domain in the settings of the web.config.

http://msdn.microsoft.com/en-us/library/eb0zx8fc(v=vs.100).aspx

I also want to emphasize this quote in this article.
 
"When forms authentication is enabled across multiple ASP.NET applications, users are not required to re-authenticate when switching between the applications."

I also ran across another article mentioning that if you try to do this from .NET 2.0 to .NET 4.0 you need to add this tag in the machineKey section:
decryption="3DES"

I have this working with two .NET applications, both .NET 4.0, in different folders, and separate application pools. In my running system I can go from one system to the other without having to log in, and it carries over the same logged in user and access rights into the new application.

Based on my research this is also key to web farms that have several servers supporting the same system; it would not be effective if you had to keep signing in.
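
The settings this answer refers to, written out as an added example (not part of the original post or the MSDN article): the same block goes into the web.config of both applications. The cookie name, timeout and `requireSSL` choice are assumptions, and the key values are placeholders to be replaced with your own random hex keys.

```xml
<!-- Added example: identical in the web.config of BOTH applications
     (acme.com and sample.acme.com). Key values are placeholders. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- name, path and protection must match in both applications.
           domain="acme.com" scopes the ticket cookie to the parent domain,
           so the browser also sends it to sample.acme.com; without it the
           cookie is host-only and never reaches the second site.
           The same scope means every other host under acme.com receives
           the ticket too, so all of them must be trusted.
           requireSSL="true" assumes both sites are served over HTTPS. -->
      <forms name=".ASPXAUTH"
             domain="acme.com"
             path="/"
             protection="All"
             requireSSL="true"
             timeout="30" />
    </authentication>
    <!-- Explicit shared keys: the default "AutoGenerate,IsolateApps" gives
         each application its own keys, so a ticket issued by one site
         fails validation on the other. Anyone who holds these keys can
         forge tickets: generate them randomly and keep them out of
         source control. Both sites here run .NET 4.0, so the algorithms
         are simply stated explicitly and kept identical. -->
    <machineKey validationKey="REPLACE_WITH_SHARED_HEX_VALIDATION_KEY"
                decryptionKey="REPLACE_WITH_SHARED_HEX_DECRYPTION_KEY"
                validation="HMACSHA256"
                decryption="AES" />
  </system.web>
</configuration>
```

With this in place the second site can read the logged in name from the shared ticket; session state remains separate per application.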
 

Expert Comment

by:Dale Burrell
ID: 39709597
That's very interesting. I suspect if you were to store anything in a session variable you would lose that.

I also wonder how it manages to share the authentication cookie across multiple domains - normally a cookie is associated with a single domain only.

Well done anyway.
 

Author Closing Comment

by:EazyWorks
ID: 39719738
It worked