We have a current (legacy) PHP based website that is unlikely to be redeveloped for the next year or so, that acts as our main portal.
We would like to develop new applications in ASP.Net, and plug them into the current portal - but we do not want our website users to have to log in twice.
Whats the best way to share authentication state between the two platforms? They do not share the same server, database backend or even proxy.
I guess your best bet is a separate database or memory backed server to handle session state. Either you could use ASP.NET's built in SQL Server-based session state and add hook it up to PHP manually or use a custom solution.
Read this article from Microsoft on sharing session state between classic ASP and ASP.NET:
http://msdn.microsoft.com/en-us/library/aa479313.aspx
Conceptually, I think this is pretty similar to what you're trying to do, though I don't know just how helpful the above document will be to your specific case. Definitely worth a look though.
I needed to this a while back for a fairly large project. The languages were ASP.Net and ASP, but the method I ended up with would work just as well if it were PHP instead of ASP.
Can you abstract out the places your PHP application modifies session variables?
I found that even for large web applications, there were only a handful of places session variables were updated. For instance; Login, Logout, some sought of change group action, etc. For me, there were less than 6 scripts that needed to be modified.
For each script that modify session variables, add a server redirect to a new ASP.Net script. Hence the PHP script would do all it had to do and the final thing would be a PHP redirect ( mabye PHP Header("Location:...") call at the end.
Your receiving ASP.Net script updates the ASP.Net session variables in the same manner the PHP script update its session. Luckily in my case the original scripts did not output any data, but rather redirected to "success" pages.
i.e. The original scripts were the Controller code in a MVC design, and they redirected to the View code. This allowed me to neatly insert my ASP.Net scripts between the ASP controller and the view scripts. If your receiving script outputs data, then you will have to split that up into 2 pages.
That's it. In effect, doing this for Login, Logout, and a few pages effectively caused the two session scopes to stay in sync.