Is there a proper .NET solution for providing persistent server sessions over multiple domains?

i.e., if a user of the site logs in under www.site1.com, they will also then be logged in under www.site2.com.

Security is an issue with the program we are working on...

Thanks!

A: 

Try using the canonical hostname URL Rewrite feature of the IIS 7.5 URL Rewrite 2 Module.

(This answer relies on both URLs having host header entries for the same web application.)

citronas
+1  A: 

Does it need to be in the session, or are you looking for a single sign-on solution? If the latter, take a look at something along the lines of ADFS: http://en.m.wikipedia.org/wiki/Active_Directory_Federation_Services?wasRedirected=true

Rune FS
A: 

You may want to start here instead of hacking into the ASPState database (possible, but I don't recommend it): http://www.codeproject.com/KB/session/sharedsession.aspx

Basically you set the AppDomain to be the same for both www.site1.com & www.site2.com using reflection.

You may also need to set AppPath as well; we needed to, but our setup was slightly different than what you have. We added:

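    // Needs System.Reflection and System.Web; theRuntime is the HttpRuntime instance being modified.
    // Overwrite the private _appDomainId field on that instance via reflection.
    FieldInfo appDomainInfo = typeof(HttpRuntime).GetField("_appDomainId", BindingFlags.Instance | BindingFlags.NonPublic);
    appDomainInfo.SetValue(theRuntime, "/LM/W3SVC/1/ROOT/A_Website_Name_Here");

Chris L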
A: 

The word 'session' can be a little confusing in ASP.NET.

If you are talking about security (authentication and authorization), you are probably looking for a Single Sign-On solution. In other words, when a user logs into one site they won't be prompted to log into another related site. Take a look at Windows Identity Foundation, OAuth, Jasig CAS. CAS is my preferred solution (I'm a developer on the .NET client), but the server is written in Java and you'll need some expertise with Java to get it configured the way you want.

In ASP.NET, Session state is a completely separate component from authentication and authorization (although it can depend on the result of the authentication step). If you are trying to share information between the 2 sites (i.e., shopping cart contents), you can either configure both domains to use the same database as a Session provider (google aspnet_regsql -ssadd) or you can just store the data in a database that is accessible by both.

For more info on why I emphasize the distinction, check this out: http://www.codeproject.com/KB/aspnet/ASPDOTNETPageLifecycle.aspx

Good luck.

scottt732