using a shared session

masoud bayan

Hi,



We have 3 different web applications on three different websites (and
domains). Now we want to make it possible for users to log in to each of
these applications and navigate to other applications without
authenticating. So generally we need to have a shared session across
applications (a single sign-on).

Whenever a user logs in to each application a session identifier is created
and is saved in the cookie for that session.

1. Is there any chance to create cookies for other applications
(websites) at the same time (login time in one of the apps)? So when the user
navigates to other sites, the other server can read the session information from
the cookie?

2. Is there any other approach that we can use to have single sign-on
capability through our sites?



Any advice is appreciated.



Thanks

Masoud
 
Kevin Spencer

Hi masoud,

As you're talking about multiple apps, you're definitely NOT talking about
Session. What you're describing falls more accurately into the realm of
"messaging." You need to send a message from one app to the other to
indicate that the user is logged into the first app, and who the user is
logged in as. You may create a new Session for the second app after you have
received this information, but you can not share Sessions across apps.

In the realm of messaging, you have several alternatives. One is to pass
data via QueryString, but that isn't secure. An alternative is to use a
database, into which the first app puts the data, and the second app reads
it. The first app could post a form to the second, and pass the data in that
way. Of course, unless the data is encrypted, it is not much more secure
than using a Query String. Another alternative is to use a Web Service to
pass the data. For example, you could create a Web Service Method on app 2
that takes several parameters of data about a user, and registers that user
somehow with the app. App 1 would make a Web Service call to the Method,
passing in the user data, and then redirect to the appropriate page in app
2. You would have to use encryption here as well.

You could also use Windows Messaging Services, but that is queued, and you
need to be sure that the data has arrived by the time you redirect.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
Neither a follower nor a lender be.
 
bruce barker

you will need to do a ticket system. you can link because a cookie can not
be shared between domains, you will have to pass the ticket to site. this
means you can link between sites without requiring a new login, but if the
users hit the site directly, they will be prompted for a login.

you can use a common webservice (like ms passport) to handle the common login
verification and ticket.

-- bruce (sqlwork.com)
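
The ticket handoff described in the replies above, as an added example that is not part of the original thread: the site where the user is logged in issues a short-lived, single-use ticket signed with HMAC-SHA256, and the receiving site verifies it before creating its own session. The shared key, the function and class names, the 60-second lifetime and the `app2.example` host are assumptions; signing gives integrity rather than the encryption mentioned above, so the ticket carries only the user name.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

TICKET_TTL = 60  # seconds; assumed value, short because the ticket travels in a URL or form

def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_ticket(key, user, audience, now=None):
    """Issuing site: build a signed ticket bound to one receiving site."""
    now = time.time() if now is None else now
    claims = {"sub": user, "aud": audience, "exp": int(now) + TICKET_TTL,
              "jti": secrets.token_hex(16)}  # jti = random single-use id
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return b64e(body) + "." + b64e(tag)

class TicketVerifier:
    """Receiving site: check signature, audience, expiry and replay."""
    def __init__(self, key, audience):
        self.key, self.audience = key, audience
        self.seen = {}  # jti -> expiry; in-memory here, a shared store in practice

    def verify(self, ticket, now=None):
        now = time.time() if now is None else now
        try:
            body_b64, tag_b64 = ticket.split(".")
            body, tag = b64d(body_b64), b64d(tag_b64)
        except ValueError:  # wrong shape or bad base64
            return None
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None
        claims = json.loads(body)  # parsed only after the signature checks out
        if claims["aud"] != self.audience or claims["exp"] < now:
            return None
        self.seen = {j: e for j, e in self.seen.items() if e >= now}  # drop expired ids
        if claims["jti"] in self.seen:  # ticket already redeemed once
            return None
        self.seen[claims["jti"]] = claims["exp"]
        return claims["sub"]  # caller now starts a local session for this user
```

A returned user name means the receiving site can create its own session cookie; `None` means it should fall back to its normal login page.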



 
