views: 241
answers: 1
Hi All,

I have a challenging scenario here. I have an existing asp.net 1.1 Application A which uses a 3rd party Java application for login authentication.

After successful authentication, the 3rd party application redirects to my existing Application A based on the encrypted URL. Application A will then decrypt the URL and perform session login for the authenticated user.

I am developing a new Application B (asp.net 2.0) which provides a page for the user to select between Application A or B.

I have thought of storing the encrypted URL, and both Application A and B would decrypt the encrypted query string and authenticate the user accordingly. However, I believe this approach poses a security risk.

Is there any better solution to implement this?

+1  A: 

Where is your user data stored? If it is in a DB table, the easiest way to maintain logged-in state across multiple web applications with a shared user DB table would be to use something like a GUID-based login token stored against the user record in the database. Every time the user logs into an application anew, a new GUID token is generated. You can then pass this between applications. If the application is passed this GUID it auto-logs-in the relevant user. So long as you use HTTPS this is pretty secure, and you are not passing login info. Even if someone were to somehow find out the GUID, it would only be good for a single session.

Ben Robinson
Besides storing it in the database, can I use Forms Authentication enabled across applications between asp.net 1.1 and 2.0?
liangteh
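The handoff described in the answer above (a random login token stored against the user record, passed between applications in the redirect, and accepted only once), written out as an added example; this is not code from the original thread or from either application, and it is in Python rather than the ASP.NET 1.1/2.0 code the question is about. The dictionary `USERS`, the hostname `appb.example`, the 60-second `TOKEN_TTL_SECONDS` and the function names are all assumptions standing in for the shared user table and the real applications. It also goes a little beyond the answer in three ways a practitioner would want: only a hash of the token is stored in the "table", tokens expire after a short window, and a token is refused if the redirect URL is not HTTPS.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: a handoff token must be redeemed within a minute of being issued.
TOKEN_TTL_SECONDS = 60

# Constructed stand-in for the shared user table. Each record holds the hash of
# the user's current handoff token and when it was issued; None means no token
# is outstanding. A real table would index the token_hash column.
USERS = {
    "alice": {"token_hash": None, "issued_at": None},
    "bob": {"token_hash": None, "issued_at": None},
}


def _hash_token(token: str) -> str:
    # Store only the hash so a read of the table does not hand out live tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(user_id: str, now=None) -> str:
    """Called by the application the user has just logged into.

    Generates a fresh random token (CSPRNG, 256 bits), stores its hash against
    the user record, and returns the raw token for the redirect URL. Any earlier
    token for this user is replaced, so at most one is valid at a time.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    record = USERS[user_id]
    record["token_hash"] = _hash_token(token)
    record["issued_at"] = now
    return token


def redeem_token(token: str, now=None):
    """Called by the application that receives the redirect.

    Returns the user id if the token matches an outstanding, unexpired token and
    clears it so the same URL cannot be replayed. Returns None otherwise. The
    token is cleared before the expiry check so an expired token is also gone.
    """
    now = time.time() if now is None else now
    presented = _hash_token(token)
    for user_id, record in USERS.items():
        stored = record["token_hash"]
        if stored is None:
            continue
        # Constant-time comparison of the two hex digests.
        if hmac.compare_digest(stored, presented):
            issued_at = record["issued_at"]
            record["token_hash"] = None
            record["issued_at"] = None
            if now - issued_at > TOKEN_TTL_SECONDS:
                return None
            return user_id
    return None


def build_handoff_url(app_login_url: str, token: str) -> str:
    """URL the selecting application redirects the browser to, e.g.
    https://appb.example/login.aspx?token=... (hostname is an assumption)."""
    return app_login_url + "?" + urlencode({"token": token})


def token_from_url(url: str):
    """Extract the token from a handoff URL, refusing anything not over HTTPS
    (a token that travelled in the clear may already be known to a third party)."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None
    values = parse_qs(parts.query).get("token", [])
    return values[0] if len(values) == 1 else None


if __name__ == "__main__":
    # Application A logs alice in and hands her off to Application B.
    t = issue_token("alice")
    url = build_handoff_url("https://appb.example/login.aspx", t)
    print("Application B logs in:", redeem_token(token_from_url(url)))
    print("Second use of the same URL:", redeem_token(token_from_url(url)))
```

Each token is bound to a single user record, is usable exactly once, and is replaced the next time that user logs in anywhere, which is what makes a leaked GUID "only good for a single session" as the answer puts it; the short expiry and the HTTPS check narrow that window further.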