Sharing login between different domain (again)

  • Thread starter Nils Hedström

Nils Hedström

Sorry about my last post. There seems to be a bug in my newsreader-software.

My company (companyA) has bought companyB.
The website of companyA is www.companyA.com and companyB's website is www.companyb.com.

Management want users logged in on www.companya.com to be automatically logged in on www.companyb.com (and vice versa).
I was thinking of using the same stateserver from www.companya.com and www.companyb.com.
The problem with that solution is that the sessionid-cookie is not shared from www.companya.com to www.companyb.com.
I.e., if the sessionid-cookie is not shared, the user gets different session-ids on the different web-servers and the login is not shared.
Should I rewrite the HttpSessionState module to provide custom cookies?
Is there another solution to this problem?

/Nisse, (e-mail address removed)
 

Stefan Kiryazov

I am thinking of <sessionState mode="SqlServer" ... >

If you provide the same connection string to both applications, won't
this do the trick? This is just a suggestion, I haven't tried it, but
you can, if you have Sql Server running somewhere.

And why do you need to share the same SessionState, is there any reason
for this besides the common login mechanism? Because this can be
achieved programmatically in different ways - just use a common user
database.
 

bruce barker

the browser will not share cookies between your sites unless you change the
sites to have a common domain root (www.companya.newdomain.com and
www.companyb.newdomain.com). if the users get from one site to the other
through links on the sites, you pass a sessionid thru the link
(querystring), but this won't work with saved links or favs.

-- bruce (sqlwork.com)


| Sorry about my last post. There seems to be a bug in my newsreader-software.
|
| My company (companyA) has bought companyB.
| The website of companyA is www.companyA.com and companyB's website is www.companyb.com.
|
| Management want users logged in on www.companya.com to be automatically logged in on www.companyb.com (and vice versa).
| I was thinking of using the same stateserver from www.companya.com and www.companyb.com.
| The problem with that solution is that the sessionid-cookie is not shared from www.companya.com to www.companyb.com.
| I.e., if the sessionid-cookie is not shared, the user gets different session-ids on the different web-servers and the login is not shared.
| Should I rewrite the HttpSessionState module to provide custom cookies?
| Is there another solution to this problem?
|
| /Nisse, (e-mail address removed)
 

Steven Cheng[MSFT]

Hi Nisse,

I think bruce's suggestion is reasonable. As for sharing login between
multiple sites, ASP.NET's FormsAuthentication did support cross-application
authentication, but this is based on the multiple applications being
under the same public domain. This is because such an authentication token is
normally stored in a cookie, which is identified by two things: domain name and
path. If the two sites have different internet domain names, the
cross-application approach no longer works. Currently I think there aren't any
good means except using some global login system such as Passport.

In addition, as for sharing session state, I'm afraid this is also limited,
since different applications will have a unique identity internally, so that
the ASP.NET runtime will isolate their session state even if we're using
SQLServer Session mode and sharing the same server for maintaining session.
Maybe a custom session mechanism such as the custom SessionModule you
mentioned is required if you do need such behavior.

Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Nils Hedström

Hello bruce,
| the browser will not share cookies between your sites unless you
| change the sites to have a common domain root
| (www.companya.newdomain.com and www.companyb.newdomain.com).

Are you sure about this?
My tests indicate that the session-cookie has a host-value of the current
site. So the cookie is not shared (from companyb.companya.com to www.companya.com).
Unless I set a domain-value to the cookie ("companya.com") but it seems like
hard work to do this for session-cookies.

/Nisse <[email protected]>
 

Steven Cheng[MSFT]

Hi Nisse,

Yes, a cookie is identified by domain name and path value. By default the
domain name is the current page's server domain. In addition to this,
different browsers may have different cookie stored-paths in the
client side's temporary folder, which may also break the single sign-on. So
a cookie-based solution is not quite solid for SSO.

Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
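
The cookie scoping debated in this thread, as an added example that is not part of any post: a simplified model of RFC 6265 domain matching showing when a browser stores a session cookie and which hosts it is sent to. It assumes the thread's placeholder hostnames and ASP.NET's default session cookie name, and leaves out the public-suffix check and Path/Secure handling that real browsers also apply.

```javascript
// Added example: simplified RFC 6265 cookie scoping (no public-suffix list,
// no Path/Secure handling). Hostnames are the thread's placeholders.

// RFC 6265 section 5.1.3: a host matches a domain if they are equal
// or the host ends with "." + domain.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\./, "");
  return host === domain || host.endsWith("." + domain);
}

// What the browser stores when setterHost sends Set-Cookie, optionally with
// a Domain attribute. Returns null when the cookie is rejected.
function storeCookie(setterHost, name, domainAttr) {
  if (!domainAttr) {
    // No Domain attribute: host-only cookie, bound to the exact setting host.
    return { name, domain: setterHost.toLowerCase(), hostOnly: true };
  }
  // A server may only set cookies for a domain it belongs to.
  if (!domainMatch(setterHost, domainAttr)) return null;
  return { name, domain: domainAttr.toLowerCase().replace(/^\./, ""), hostOnly: false };
}

// Whether a stored cookie is attached to a request for requestHost.
function isSentTo(cookie, requestHost) {
  if (cookie === null) return false;
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}

// Constructed scenarios mirroring the cases raised in the thread.
function scenarios() {
  const sid = "ASP.NET_SessionId";
  const hostOnly = storeCookie("www.companya.com", sid);
  const scoped = storeCookie("www.companya.com", sid, "companya.com");
  const foreign = storeCookie("www.companya.com", sid, "companyb.com");
  const shared = storeCookie("www.companya.newdomain.com", sid, "newdomain.com");
  return {
    hostOnlyToSibling: isSentTo(hostOnly, "companyb.companya.com"),
    scopedToSibling: isSentTo(scoped, "companyb.companya.com"),
    foreignAccepted: foreign !== null,
    scopedToOtherSite: isSentTo(scoped, "www.companyb.com"),
    sharedRoot: isSentTo(shared, "www.companyb.newdomain.com"),
  };
}

console.log(scenarios());
```

A cookie scoped to a parent domain is sent to every host under that domain, so each of those hosts then has to be trusted with the session identifier.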
 
