Integrating two web applications using forms authentication


Author #1

I have a *website application* (app1), which uses forms authentication
with active directory and it works perfectly without any problem.

We have a *web application project* (app2), which doesn't use any
authentication.

Now we want to integrate them, such that they appear as if one system
to the end users.

I am not sure how I can have both systems be aware of the existence of
the other side. In other words, if after a user logs in, he works in
app2 for a long time and never touches app1, his session with app1
would have been expired. Now suppose he wants to navigate to app1,
what should I do? Should I redirect him to the login screen? But,
then he'd think, hey, what the heck? I am logged in already, why
asking me to login again? And vice versa.

I think it is a very complicated issue.

The problem can be alleviated if I simply put app2 into a folder of
app1. But there is a big problem because app1 is in *website project*
mode, whereas app2 is in *web application project* mode. I searched a
little, looks like there is no easy way to convert a *website project*
to a *web application project*.

Any idea about the following?

1) how to seamlessly integrate the two apps, and meanwhile let them be
aware of each other or

2) how to convert app1 to *web application project*? I don't want to
convert app2 to a *website application project*, because it is
maintained by another team.
 

Gregory A. Beamer

It is complex and possibly "impossible" (i.e., not worth the effort),
depending on how you are using certain features.

Setting up two apps for single sign on can be done by setting the same
auth method and then setting up the same machine keys (esp with forms
auth where the cookie is encrypted) and the same app cookie name (in the
forms tag in web.config). Do not let the machine decide anything
relating to session.

I am not 100% sure of the restrictions, off hand, but we did it quite a
few years ago with two web apps on the same server. I am not sure if it
was domain name or machine that was the key, although I would assume
domain name, based on how cookies work.

The issue comes when you have a developer that heavily uses the session
object, as you can pass session values. You keep the same session ID,
but the values from one app do not transfer to the other.

If you must use session between apps, persist it somewhere that you can
reconstitute from in the other application.

Peace and Grace,
 

Author #1

I like to hear that, "possibly impossible", so I don't have to waste a
lot of time doing something extremely hard to achieve: seamlessly
integrate two completely different applications using forms
authentication + Active Directory.

That said, putting app2 into a folder of app1 may be an easier
solution, *if* I bother to convert app1 to a web application project.
Correct?
 

Gregory A. Beamer

It all comes down to this question:

Do you have to share session items?

If no, you can make it a virtual root under the other one or a virtual
root separate from the other. Making it a folder will only work if you
can get rid of the second web.config file or at least tone it down to
authentication bits only.

The changes for single sign on, if you don't have to share session
items, are machine keys and making sure you have a cookie name on the
<form> tag.

If there is no session, you can, in theory, copy the bits from the non-
auth app to the auth app, in a folder, and redeploy. This solves it from
one direction. Simply leave up the app for those not needing the
authenticated bits.

This is all brainstorming and I hope it does not confuse you further.

Peace and Grace,
 

Author #1

No, app1 and app2 don't share sessions. Any pointer to articles that
describe the how-to by changing the machine keys? I tried typing
cookies after <form, but intellisense doesn't show anything close,
which makes me suspect that I am doing it in the wrong way. :)
 

Gregory A. Beamer

You can generate your machine keys here:
http://www.orcsweb.com/articles/aspnetmachinekey.aspx

As for cookie name, it is the name element in the forms tag. I often forget
that is not intuitive. ;-)

Also make sure protection is set to the same value on both apps. I am not
100% sure this will blow things up, but you can end up with incompatible values.

peace and grace,
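
Added example, not part of the thread and not any poster's code: a small Python check that compares the settings named in the replies above (machine keys, the forms cookie name, protection, plus cookie path, domain and authentication mode) across two web.config files and lists what would stop one app from accepting the other's forms ticket. The sample configs, the `.SHAREDAUTH` cookie name and the placeholder key values are constructed for illustration; a missing `validation` or `decryption` attribute is reported as `(default)` rather than guessed, because that default depends on the framework version.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs; key values are placeholders, not real keys.
APP1 = """<configuration><system.web>
  <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY" validation="SHA1"
              decryptionKey="PLACEHOLDER_DECRYPTION_KEY" decryption="AES" />
  <authentication mode="Forms">
    <forms name=".SHAREDAUTH" protection="All" path="/" loginUrl="~/Login.aspx" />
  </authentication>
</system.web></configuration>"""
# app2 misconfigured: no machineKey, default cookie name, different protection.
APP2_BROKEN = """<configuration><system.web>
  <authentication mode="Forms">
    <forms protection="Encryption" loginUrl="/app1/Login.aspx" />
  </authentication>
</system.web></configuration>"""
# app2 corrected: identical settings; only loginUrl (not compared) differs.
APP2_FIXED = APP1.replace("~/Login.aspx", "/app1/Login.aspx")

# Attributes that must match, with the value that applies when one is omitted.
COMPARED = {
    "authentication": {"mode": "Windows"},
    "machineKey": {"validationKey": "AutoGenerate,IsolateApps",
                   "decryptionKey": "AutoGenerate,IsolateApps",
                   "validation": "(default)", "decryption": "(default)"},
    "authentication/forms": {"name": ".ASPXAUTH", "protection": "All",
                             "path": "/", "domain": ""},
}

def effective(xml_text):
    """Return the effective value of every compared setting in one web.config."""
    web = ET.fromstring(xml_text).find("system.web")
    out = {}
    for path, defaults in COMPARED.items():
        node = web.find(path)
        for attr, default in defaults.items():
            out[f"{path}/{attr}"] = default if node is None else node.get(attr, default)
    return out

def sso_problems(a_xml, b_xml):
    """List settings that stop app B from accepting app A's forms ticket."""
    a, b, problems = effective(a_xml), effective(b_xml), []
    for key in a:
        if key.endswith("Key") and "AutoGenerate" in a[key] + b[key]:
            problems.append(f"{key}: auto-generated per app; set one explicit shared key")
        elif a[key] != b[key]:
            shown = "values differ" if key.endswith("Key") else f"{a[key]!r} != {b[key]!r}"
            problems.append(f"{key}: {shown}")
    return problems
```

Key material is never echoed in the findings, so the output can be pasted into a ticket or chat without leaking the shared keys.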
 
