Solved

Shared Forms authentication .NET Websites

Posted on 2013-12-05
Last Modified: 2013-12-15
We have one pre-existing web application that uses Forms authentication. We want to make a 1 page ASPX page in C# that would display the current logged in User Name or NOT LOGGED IN for the text.

This 1 Page website would be on the same server but a separate Application Pool and Separate Site.
The web URLs would be like

acme.com
sample.acme.com - 1 Page website - Default.aspx only.

I am more looking for a working example. What I have so far is this, but it is not carrying over the logged in state.

http://msdn.microsoft.com/en-us/library/eb0zx8fc.aspx
Question by:EazyWorks

Expert Comment

by:Dale Burrell
That only allows you to share the same login details, not the actual sessions.

i.e. All users can login and use both sites. But a session is only ever on the one site - there is no *easy* way to share sessions between the sites.

If you absolutely must run this as a separate site (which is what is adding the complexity) then off the cuff I reckon the easiest way would be to write a tiny web service on your main site which the second site can query to get a list of current logged in users. (Unless you store the sessions in SQL Server, in which case you can query the database directly).

Your web service would need to do something similar to this http://stackoverflow.com/questions/1470334/list-all-active-asp-net-sessions

Author Comment

by:EazyWorks
That is strange, as connecting to the same database to share the authentication would just require putting the same connection string, what is the point of these extra settings??
I was hoping someone else would also put up some information because I am not sure this is correct.

For example if I want application A and B to have the same log in(s) I would just need to authenticate with the same SQL connection string, the other info listed in the article about matching Machine keys, making sure the validation name is the same is all not needed.

I am pretty sure these settings are for what I was describing where you can save a session and move from site to site as long as you match up these settings correctly.

I get your suggestion as well, but we will not be doing it this way, but thanks.

Expert Comment

by:Dale Burrell
I can assure you I am correct - I've done a lot of work in this area.

Where you store the authentication details of the users who can login to your system is completely separate from where you store who is currently logged in.

You can happily share the database which stores the user details but you cannot (easily) share session state. You would have to write your own session management code.

Here are the details on how sessions are stored http://msdn.microsoft.com/en-us/library/ms178586.ASPX

By default they are stored 'InProc' i.e. in process memory. You can store them in SQL server which in theory would mean you could roll your own session management, and then share them between sites. But out of the box you can't do that.

I hope that makes sense, that the list of allowed users is stored and managed completely separately from the list of sessions.

If you do a google search you will find the same answer https://www.google.co.nz/search?q=share+session+state+between+2+sites&oq=share+session+state+between+2+sites&aqs=chrome..69i57.6583j0j7&sourceid=chrome&espv=210&es_sm=93&ie=UTF-8

Of interest might be http://stackoverflow.com/questions/616046/passing-session-data-between-asp-net-applications which seems to imply you can solve the problem by having an external third party manage your sessions. Mozilla Persona does this also.

Good luck.

Author Comment

by:EazyWorks
I got it to work, thanks for your input.

Accepted Solution

by:EazyWorks
I ended up following this article and I think what I was missing was the domain in the settings of the web.config.

http://msdn.microsoft.com/en-us/library/eb0zx8fc(v=vs.100).aspx

I also want to emphasize this quote in this article.
 
"When forms authentication is enabled across multiple ASP.NET applications, users are not required to re-authenticate when switching between the applications."

I also ran across another article mentioning that if you try to do this from .NET 2.0 to .NET 4.0 you need to add this tag in the machineKey section
decryption="3DES"

I have this working with two .NET applications, both .NET 4.0, in different folders, and separate application pools. In my running system I can go from one system to the other without having to log in, and it carries over the same logged in user and access rights into the new application.

Based on my research this is also key to web farms that have several servers supporting the same system; it would not be effective if you had to keep signing in.
0
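
The settings the accepted answer refers to, as an added example that is not part of the original post or of the MSDN article: both sites carry the same explicit `machineKey`, the same forms cookie name, and a cookie `domain` that covers both hosts. The key values are placeholders, and the cookie name, login URL and timeout are assumptions.

```xml
<!-- Added example (constructed). Put identical <machineKey> and <forms>
     values in the web.config of BOTH sites: acme.com and sample.acme.com. -->
<configuration>
  <system.web>
    <!-- The default validationKey/decryptionKey is "AutoGenerate,IsolateApps":
         every application derives its own keys, so a ticket issued by one
         site cannot be validated or decrypted by the other. Set explicit,
         identical keys on both sites. Anyone holding these keys can forge
         tickets for both sites, so generate them randomly and protect the
         config files accordingly. -->
    <machineKey
        validationKey="PLACEHOLDER_VALIDATION_KEY_HEX"
        decryptionKey="PLACEHOLDER_DECRYPTION_KEY_HEX"
        validation="HMACSHA256"
        decryption="AES" />

    <authentication mode="Forms">
      <!-- name:     must match on both sites (same cookie name).
           domain:   ".acme.com" makes the browser send the cookie to
                     acme.com and to sample.acme.com; without it the cookie
                     is scoped to the host that issued it.
           path:     "/" so the cookie is sent for every URL on both sites.
           loginUrl: assumed location of the login page on the main site.
           requireSSL: the ticket cookie is only sent over HTTPS. -->
      <forms name=".ASPXAUTH"
             domain=".acme.com"
             path="/"
             loginUrl="https://acme.com/Login.aspx"
             protection="All"
             requireSSL="true"
             timeout="30" />
    </authentication>
  </system.web>
</configuration>
```

With this in place the one-page site can read `User.Identity.IsAuthenticated` and `User.Identity.Name` from the shared ticket. Only the authentication ticket is shared; session state remains separate per application.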

Expert Comment

by:Dale Burrell
That's very interesting. I suspect if you were to store anything in a session variable you would lose that.

I also wonder how it manages to share the authentication cookie across multiple domains - normally a cookie is associated with a single domain only.

Well done anyway.

Author Closing Comment

by:EazyWorks
It worked