Sharing authentication between two web applications

Robert Koritnik picture Robert Koritnik · Oct 27, 2010 · Viewed 21.7k times · Source

I have a base web site (Asp.net WebForms application) running under ie.

http://localhost:90/

Then I created a new (this time Asp.net MVC) application and added it under

http://localhost:90/mvc/

but not just as a simple virtual folder, but as an application folder by defining a different application pool to run it, compared to the parent application.

Since browsers can't know that there are two different application basically on the same domain it would work like:

  1. user accesses http://localhost:90/
  2. parent app redirects the user to forms authentication screen
  3. user successfully logs in
  4. parent web adds an authentication cookie
  5. user accesses http://localhost:90/mvc
  6. browser attaches the same cookie from parent app

Is it possible that I authenticate the user based on this same cookie? I would configure my MVC application to login redirect to parent app to have a shared authentication screen. But I'd like to know who authenticated and work from that point on.

I've read something about sharing the same system.web/machineKey values to provide this kind of functionality, but I would like some real world examples.

I'm aware that these two applications will not be able to share Session state and that's not a problem, because I don't want them to. All I want is a kind of single login (SSO/SSS)

Is this possible? How?

Important

I've read other questions/answers about this, but they are either asking about cross-domain/cross-server etc. This one is on the same IIS web site.

Answer

Robert Koritnik picture Robert Koritnik · Oct 27, 2010

I found it myself.

This is the article on MSDN that talks exactly about this scenario. I decided to keep this question anyway for anyone that would be chasing the same information some time later.

MSDN: Forms Authentication Across Applications

In brief

You have to configure machine keys in web.config of both applications so they match hence they'll be able to decode data that the other party generated. And that's the whole trick. MSDN article explains this in great detail including how to generate those keys.