
I have a base web site (Asp.net WebForms application) running under i.e.

http://localhost:90/

Then I created a new (this time Asp.net MVC) application and added it under

http://localhost:90/mvc/

but not just as a simple virtual folder, but as an application folder by defining a different application pool to run it, compared to the parent application.

Since browsers can't know that there are two different applications basically on the same domain, it would work like:

  1. user accesses http://localhost:90/
  2. parent app redirects the user to forms authentication screen
  3. user successfully logs in
  4. parent web adds an authentication cookie
  5. user accesses http://localhost:90/mvc
  6. browser attaches the same cookie from parent app

Is it possible that I authenticate the user based on this same cookie? I would configure my MVC application to login redirect to parent app to have a shared authentication screen. But I'd like to know who authenticated and work from that point on.

I've read something about sharing the same system.web/machineKey values to provide this kind of functionality, but I would like some real world examples.

I'm aware that these two applications will not be able to share Session state and that's not a problem, because I don't want them to. All I want is a kind of single login (SSO/SSS).

Is this possible? How?

Important

I've read other questions/answers about this, but they are either asking about cross-domain/cross-server etc. This one is on the same IIS web site.

Robert Koritnik

2 Answers


I found it myself.

This is the article on MSDN that talks exactly about this scenario. I decided to keep this question anyway for anyone that would be chasing the same information some time later.

MSDN: Forms Authentication Across Applications

In brief

You have to configure machine keys in web.config of both applications so they match; hence they'll be able to decode data that the other party generated. And that's the whole trick. The MSDN article explains this in great detail, including how to generate those keys.

Robert Koritnik
  • I did everything; my one app is on MVC 4.5 and the other is on 3.5 WebForms, configured to run on local IIS, but they are not sharing the cookies :( – Syed Umar Ahmed Feb 20 '14 at 15:02
  • @RobertKoritnik I think one more configuration is missing: as both projects run on localhost the cookie will be shared, but in an actual scenario the domain name must be configured for subdomain SSO functionality, e.g. for www.example.com, test.example.com, dev.example.com the cookie is configured for domain ".example.com" so that it is shared by all subdomains. – anomepani Jul 22 '15 at 07:03

In case anyone is still not able to share the keys, use compatibilityMode="Framework20SP1":

<machineKey validationKey="same key all over" 
            decryptionKey="same key all over" 
            validation="SHA1" decryption="AES"
            compatibilityMode="Framework20SP1"/>
KyleMit
Syed Umar Ahmed
  • Hi Syed, I tried but still not working - http://stackoverflow.com/questions/34506551/reading-cookie-value-using-url-rewrite-provider-module-unable-to-validate-at/34531147?noredirect=1#comment56945476_34531147 – kudlatiger Jan 06 '16 at 05:36
  • Works for me, but I wonder if there are disadvantages to going back to .NET 2 compatibility – Paul Johnson Mar 16 '16 at 14:44
  • Framework20SP1 is probably best for testing whether it works, but I think it's recommended to choose the newest working compatibility mode from: Framework20SP1 | Framework20SP2 | Framework45. More information: https://msdn.microsoft.com/en-us/library/system.web.configuration.machinekeysection.compatibilitymode(v=vs.110).aspx – Risord Nov 13 '17 at 15:59
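
A configuration check for the setup both answers describe, as an added example (not code from the original posts): it compares the parent and child web.config for the machineKey and forms attributes that have to match before one application can read the other's authentication cookie. The sample configs, the placeholder key values and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not from the original posts); key values are placeholders.
PARENT = """<configuration><system.web>
  <authentication mode="Forms">
    <forms name=".ASPXAUTH" loginUrl="~/Login.aspx" path="/" protection="All" />
  </authentication>
  <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY" decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
              validation="SHA1" decryption="AES" compatibilityMode="Framework20SP1" />
</system.web></configuration>"""
# The child differs in loginUrl (allowed) and omits compatibilityMode (reported).
CHILD = PARENT.replace("~/Login.aspx", "/Login.aspx").replace(' compatibilityMode="Framework20SP1"', "")

# Attributes that must be identical in both applications.
MUST_MATCH = {
    "machineKey": ["validationKey", "decryptionKey", "validation", "decryption", "compatibilityMode"],
    "authentication/forms": ["name", "path", "protection"],
}

def settings(config_xml):
    """Return {(element, attribute): value or None} for the auth-relevant settings."""
    web = ET.fromstring(config_xml).find("system.web")
    out = {}
    for elem_path, attrs in MUST_MATCH.items():
        elem = web.find(elem_path) if web is not None else None
        for attr in attrs:
            out[(elem_path, attr)] = None if elem is None else elem.get(attr)
    return out

def compare(parent_xml, child_xml):
    """List problems that would stop the child from reading the parent's cookie."""
    a, b = settings(parent_xml), settings(child_xml)
    problems = []
    for (elem, attr), val_a in a.items():
        val_b = b[(elem, attr)]
        if attr.endswith("Key"):
            for side, val in (("parent", val_a), ("child", val_b)):
                if val is None or "AutoGenerate" in val:
                    problems.append(f"{side}: {elem}/@{attr} must be an explicit key")
        # An omitted attribute uses a framework default that can differ between
        # .NET versions, so omitted-vs-explicit is reported for review.
        if val_a != val_b:
            # Never print key material; report only that it differs.
            shown = "" if attr.endswith("Key") else f" ({val_a!r} vs {val_b!r})"
            problems.append(f"{elem}/@{attr} differs{shown}")
    return problems

if __name__ == "__main__":
    for p in compare(PARENT, CHILD):
        print("MISMATCH:", p)
```

To check real applications, pass the text of each application's web.config to `compare`; this assumes the `<configuration>` element carries no XML namespace.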