What is the best way to pass a user identity between serveral ASP.NET web sites?

[Stan]

We have several intranet ASP.NET web sites. Users log on to the sites by
using form authentication and custom security (user names and passwords are
stored in the database).

If a user logs on to the first site and from within this site is redirected
to another one, we would like to pass its security information along, so the
user doesn't need to log on again.

I am thinking of making a gateway page that will have two url parameters,
user id and the url of the next page:

gateway.aspx?userId=123&nextPageUrl="somePage.aspx"

Is this the only way to achieve that?

Thanks,

-Stan

 

[John Saunders]

We have several intranet ASP.NET web sites. Users log on to the sites by
using form authentication and custom security (user names and passwords are
stored in the database).

If a user logs on to the first site and from within this site is redirected
to another one, we would like to pass its security information along, so the
user doesn't need to log on again.

I am thinking of making a gateway page that will have two url parameters,
user id and the url of the next page:

gateway.aspx?userId=123&nextPageUrl="somePage.aspx"

Is this the only way to achieve that?

Stan,

You can continue using Forms Authentication on all the sites. Just use the
same cookie name for all sites, and a compatible domain name. For instance,
if your sites are http://a.b.company.com, http://b.b.company.com and
http://x.company.com, then you'll need to use "company.com" as the domain
for the cookie so that it will be sent to all three sites.

If the sites are on separate machines, you'll need to have the same
<machineKey> on all sites, either in the web.config of each site, or in the
machine.config of each machine.

Of course, this also means that if you use UserData on any site, that it
will have to be compatible with all of the other sites. For instance, if one
site puts a role list into UserData, you'll want all the sites to respect
that list, or at worst, to ignore it.

A common set of classes to implement this can be developed and then used on
each site. If you make the interface easy enough, you may not experience
much resistance in getting this implemented on all sites.

Good Luck,
John Saunders
Internet Engineer
(e-mail address removed)

 

[Jason \(MFT1\)]

Why not just use a database?

Stan,

You can continue using Forms Authentication on all the sites. Just use the
same cookie name for all sites, and a compatible domain name. For instance,
if your sites are http://a.b.company.com, http://b.b.company.com and
http://x.company.com, then you'll need to use "company.com" as the domain
for the cookie so that it will be sent to all three sites.

If the sites are on separate machines, you'll need to have the same
<machineKey> on all sites, either in the web.config of each site, or in the
machine.config of each machine.

Of course, this also means that if you use UserData on any site, that it
will have to be compatible with all of the other sites. For instance, if one
site puts a role list into UserData, you'll want all the sites to respect
that list, or at worst, to ignore it.

A common set of classes to implement this can be developed and then used on
each site. If you make the interface easy enough, you may not experience
much resistance in getting this implemented on all sites.

Good Luck,
John Saunders
Internet Engineer
(e-mail address removed)

 

[John Saunders]

Why not just use a database?

Use a database and ... what?

 

[Jason \(MFT1\)]

Sorry I thought it was self evident....Silly me.

Well you can save your user identity info to the database and access the
info from each web application.

Heck, it's not brain surgery man.


LOL

 

[John Saunders]

Sorry I thought it was self evident....Silly me.

Well you can save your user identity info to the database and access the
info from each web application.

I don't know if you're serious or not.

He's talking about passing the identity of a user who has logged in to one
application from one application to another. Regardless of where details are
stored, the identity has to be passed.

 

[John Saunders]

John,

Doesn't a session cookie expire when a user goes to another site? I don't
want to have a permanet cookie on disk....

No. Session cookies do not expire when you go to another site. Certainly not
another site within the same domain.