asp.net mvc - How can I share .net (C#) based authenticated session between web forms and MVC2 applications?

Question

We have a small application we built in our spare time using the latest mvc3 and Entity Framework .net libraries available at the time, and deployed it. The management liked it, and they want it integrated into a heavy legacy .net 3.5 web forms application.

I need to somehow use the same authentication sessions across the two applications. I am using the same DB and Application for authentication using the .net membership and profile providers. This works fine, but users have to login separately into the MVC app even when they are already signed in for the main application. I am open to any suggestions: enabling state session at a different level, or shared cookies, etc

What is the best way to bypass this login requirement and whether I should integrate the mvc application into the webforms or keep it as an independent application? My main concerns affecting the decision would be time taken for complete integration, and later maintenance of the applications.

Answer 1

First, the fact one application is ASP.NET MVC does make no difference here :)

Second, here is one example of what to do from MSDN:

http://msdn.microsoft.com/en-us/library/eb0zx8fc.aspx

Small snippet from that page:

<configuration>
  <system.web>
    <authentication mode="Forms" >
      <!-- The name, protection, and path attributes must match 
           exactly in each Web.config file. -->
      <forms loginUrl="login.aspx"
        name=".ASPXFORMSAUTH" 
        protection="All"  
        path="/" 
        domain="contoso.com" 
        timeout="30" />
    </authentication>

    <!-- Validation and decryption keys must exactly match and cannot
         be set to "AutoGenerate". The validation and decryption
         algorithms must also be the same. -->
    <machineKey
      validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE" 
      decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F" 
      validation="SHA1" />
  </system.web>
</configuration>

.

P.S.

StriplingWarrior's advice of merging both applications although not really required but may be very useful for future integrations. You may later end up doing it anyway.