Hi,

We have created a custom membership provider that we are using in one of our applications, and now I would like to use the same provider for all our applications so that you only have to log in once and stay logged in when you switch between applications.

Just using the same provider in web.config for different applications doesn't do the trick; we still have to log in for each application. Maybe it's not possible to do this automatically. Do you have to check the cookie manually?

If you guys have any resources to read or suggestions, I would really appreciate it.

+1  A: 

If you're talking about some sort of single sign-on, maybe you need to look at creating some sort of gateway system which users can authenticate against, which will issue a token which other systems can use to authenticate. A very basic architecture could work like this:

The user logs in on your gateway system, and if they're successfully authenticated then a token is generated, stored as a record in a database and then sent back to the client. The client then redirects to whatever application, sending it the token somehow, maybe via querystring in the browser. The application then authenticates its requests by checking for a valid record in the database which the gateway system should have entered.

This is a very basic method and there are obviously all sorts of security issues which you'll need to consider. You'll need to hash the token and set an expiry etc.

Charlie
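
The gateway flow from the answer above, as an added C# example that is not part of the original post: the token is random, only its hash is stored, and it carries an expiry. The class and method names, the 60-second lifetime, the in-memory dictionary standing in for the database, and the single-use rule (useful because a querystring token ends up in logs and browser history) are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;
// Hypothetical gateway-side store; the dictionary stands in for the shared database table.
public sealed class SsoTokenStore
{
    private static readonly TimeSpan Lifetime = TimeSpan.FromSeconds(60); // assumed expiry
    // Key: SHA-256 of the token. Value: user name and expiry (UTC).
    private readonly ConcurrentDictionary<string, Tuple<string, DateTime>> _rows =
        new ConcurrentDictionary<string, Tuple<string, DateTime>>();

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }

    // Gateway: call after a successful login; returns the token to hand to the browser.
    public string Issue(string userName, DateTime nowUtc)
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(raw); // 256 bits from the CSPRNG
        string token = Convert.ToBase64String(raw).Replace('+', '-').Replace('/', '_').TrimEnd('=');
        _rows[Hash(token)] = Tuple.Create(userName, nowUtc + Lifetime); // only the hash is stored
        return token;
    }

    // Application: returns the user name, or null if the token is unknown, reused or expired.
    public string Redeem(string token, DateTime nowUtc)
    {
        Tuple<string, DateTime> row;
        if (string.IsNullOrEmpty(token) || !_rows.TryRemove(Hash(token), out row))
            return null; // unknown, or already redeemed once
        return nowUtc <= row.Item2 ? row.Item1 : null;
    }
}
public static class Demo
{
    public static void Main()
    {
        var store = new SsoTokenStore();
        var t0 = new DateTime(2024, 1, 1, 0, 0, 0, DateTimeKind.Utc); // constructed clock
        string token = store.Issue("alice", t0);
        Console.WriteLine(store.Redeem(token, t0.AddSeconds(5)) ?? "(rejected)"); // first use
        Console.WriteLine(store.Redeem(token, t0.AddSeconds(6)) ?? "(rejected)"); // replay
        Console.WriteLine(store.Redeem(store.Issue("alice", t0), t0.AddSeconds(120)) ?? "(rejected)"); // expired
    }
}
```

After a successful `Redeem`, the receiving application would issue its own session cookie, so the token never needs to be accepted a second time.
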
+1  A: 

The simplest: in web.config you have something like:

      <authentication mode="Forms">
        <forms name=".ASPXFORMAUTH" loginUrl="Login.aspx" domain="YOURDOMAIN" 
         ...

If your applications can be grouped by the "domain" attribute, then security cookies will be transferred successfully.

Dewfy