1

I have two applications, one on a primary domain and the other on another domain. One is a legacy site and the other is a new site. We are slowly converting the legacy site (4.0), which uses a mix of classic ASP, .NET 2 WebForms, and MVC3, to the new site (4.5), which uses MVC4. It is not possible to convert the entire legacy site at this time.

The requirement is to seamlessly click a link on either site and transition to the other site. The user should not notice that site1 is not part of site2 and vice versa. The authentication is a mix of Windows auth behind a firewall DMZ and an external customer-facing site using a custom login and SSL.

The user session and data must be shared in some way between app1 and app2. It is a government site so security is of the highest priority. This will also be in a load balanced environment running Windows Server 2012.

I am unsure of the approaches for the following:

  1. The best and most secure way to share these sessions. AppFabric on the Win2012, State Server, and SQL Server (I know AF can use this as a provider) are all fair game.

  2. How to transition the browser UI pages seamlessly. I thought about possibly using a master unified UI menu with IFrames that loaded either App1 or App2. I feel that is not the best or most secure method, however. The prerequisite will be JavaScript-enabled users only.

I have done research on this topic and looked at AppFabric session cache with the sharedid in the web config, but I am not sure if that is the preferable way to go or if that even meets part of my requirement.

Any assistance would be very much appreciated.

Thank you!

FBDevHive
  • 11
  • 2

1 Answer

1

Yes, the AppFabric Session State provider can easily share session between applications. By default, data sent between cache clients and the cache cluster is encrypted and signed. In addition, any clients of the cache cluster must be specifically added to the allowed client account list via the Grant-CacheAllowedClientAccount cmdlet. From this point of view, it's secure.

> I have two applications, one on a primary domain and the other on another domain.

That's the problem. It's always useful to review basic session concepts. As a session state provider, AppFabric uses SessionID to get/store session content in the distributed cache (note: it's the same for all providers). By default, SessionID values are stored in a cookie. Cookies have a scope = the domain (and path): they tell the browser that cookies should only be sent back to the server for the given domain and path. Obviously, it's useless and insecure to send cookies from domainA to domainB.

Sharing sessions between web sites means that you must share ASP.NET session cookies between websites. If siteA is hosted on domainA and siteB is hosted on domainB, it's impossible (note: if someone has a solution, I'm very interested).

Cybermaxs
  • 24,378
  • 8
  • 83
  • 112
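
The cookie scoping rule described in the answer above, as an added example that is not part of the original answer: a simplified model of RFC 6265 domain matching showing where a browser would and would not send the ASP.NET session cookie. The host names are constructed placeholders, the public-suffix check that real browsers apply is omitted, and the parent-domain case goes beyond what the answer covers.

```javascript
// Added example: simplified RFC 6265 cookie scoping (no public-suffix check,
// no IP-address handling). Host names and the session value are constructed.

// RFC 6265 section 5.1.3: does the request host fall inside the cookie domain?
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// Storage step: the browser drops a Set-Cookie whose Domain attribute
// does not cover the host that sent it.
function storeCookie(originHost, name, value, domainAttr) {
  if (domainAttr) {
    const domain = domainAttr.replace(/^\./, ""); // leading dot is ignored
    if (!domainMatch(originHost, domain)) return null; // rejected
    return { name, value, domain, hostOnly: false };
  }
  // No Domain attribute: host-only cookie, bound to the exact origin host.
  return { name, value, domain: originHost.toLowerCase(), hostOnly: true };
}

// Send step: would the browser attach this cookie to a request for `host`?
function wouldSend(cookie, host) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? host.toLowerCase() === cookie.domain
    : domainMatch(host, cookie.domain);
}

const SID = "ASP.NET_SessionId"; // default ASP.NET session cookie name

function scenarios() {
  const origin = "app1.example.com";
  const hostOnly = storeCookie(origin, SID, "abc123", null);
  const crossSet = storeCookie(origin, SID, "abc123", "example.org");
  const parent = storeCookie(origin, SID, "abc123", ".example.com");
  return {
    sameHost: wouldSend(hostOnly, "app1.example.com"),
    otherDomain: wouldSend(hostOnly, "www.example.org"),
    crossDomainSetStored: crossSet !== null,
    siblingViaParent: wouldSend(parent, "app2.example.com"),
    parentToOtherDomain: wouldSend(parent, "www.example.org"),
  };
}

console.log(scenarios());
```

Only the shared-parent case lets both hosts see the same session ID; a cookie set by one registrable domain is never stored for, or sent to, another.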