Shared User Session for Multiple ASP.NET Websites

Question

I have been tasked with developing a single Login and Dashboard page that user can login too, the user will then be shown all the systems (we developed) that they have access based to based on some roles stored in our databases.

If they logged in we would like that "User Session" (not sure of correct terminology) to be carried to which ever system they are redirected too.

To illustrate a very rough overview of what I want to achieve:

Is there a way that a user can login in one site, and then carry over that login to the other sites?

Help, Advice, Link will be much appreciated.

Sorry I am not experienced at ASP.net but have a good understanding of Silverlight, C#, WPF.

Thanks in advance.

Answer 1

Hi, You can use the concepts of single-sign on. You can manage your session data as out-proc, i.e. in a SQL server or a State server. Here are couple of links which will give you some pointers:

1. ASP Allaince
2. MSDN

Edit: Alo look at this question in SO:

Answer 2

One way would be to use the session state service that ASP.NET provides. Basically once the user logs in, that session could be stored on a separate process (and not be a part of aspnet_wp). All your applications would need to be modified to go to that machine to fetch user authentication status. Search Google/MSDN for Session Management techniques.

Answer 3

One method that I would use is that you implement your own authentication system - almost like the ASP.NET 1.x days. However, the trick is that you establish a cookie for each domain (host part of the URL) with an authentication cookie.

If all of those systems are running on the same server, I am sure you will be able to use all the FormsAuthentication methods and the Membership API. If they are not [edit: hosted on the same server], then ensure that they configured to encrypt the authentication cookies with the same keys. Implementation of this bit will be by what mileage you need to do...

One thing to notice is that you may also establish only one cookie is sent to the browser but shared by all the applications. Imagine that you have the following URL's:

1. dashboard.com
2. myapp1.dashboard.com
3. myapp2.dashboard.com
4. myapp3.dashboard.com

Setting a single cookie to the domain "dashboard.com" will send and share the same cookie to all the other domains.

The shared session states as described by the other posters will not work. The way session variables work on the server is that an unique key is generated on the server for your data storage (whatever the medium is: in proc, out of proc, SQL server). That unique key is stored in a cookie where it is sent to your browser as the host part.

I hope that gives you some insight on how to go about tackling the single sign in solution that you are making.