c# - How do you pass an authenticated session between app domains

Question

Lets say that you have websites www.xyz.com and www.abc.com.

Lets say that a user goes to www.abc.com and they get authenticated through the normal ASP .NET membership provider.

Then, from that site, they get sent to (redirection, linked, whatever works) site www.xyz.com, and the intent of site www.abc.com was to pass that user to the other site as the status of isAuthenticated, so that the site www.xyz.com does not ask for the credentials of said user again.

What would be needed for this to work? I have some constraints on this though, the user databases are completely separate, it is not internal to an organization, in all regards, it is like passing from stackoverflow.com to google as authenticated, it is that separate in nature. A link to a relevant article will suffice.

Answer 1

Try using FormAuthentication by setting the web.config authentication section like so:

<authentication mode="Forms">
  <forms name=".ASPXAUTH" requireSSL="true" 
      protection="All" 
      enableCrossAppRedirects="true" />
</authentication>

Generate a machine key. Example: Easiest way to generate MachineKey – Tips and tricks: ASP.NET, IIS ...

When posting to the other application the authentication ticket is passed as a hidden field. While reading the post from the first app, the second app will read the encrypted ticket and authenticate the user. Here's an example of the page that passes that posts the field:

.aspx:

<form id="form1" runat="server">
  <div>
    <p><asp:Button ID="btnTransfer" runat="server" Text="Go" PostBackUrl="http://otherapp/" /></p>
    <input id="hdnStreetCred" runat="server" type="hidden" />
  </div>
</form>

code-behind:

protected void Page_Load(object sender, EventArgs e)
{
    FormsIdentity cIdentity = Page.User.Identity as FormsIdentity;
    if (cIdentity != null)
    {
        this.hdnStreetCred.ID = FormsAuthentication.FormsCookieName;
        this.hdnStreetCred.Value = FormsAuthentication.Encrypt(((FormsIdentity)User.Identity).Ticket);
    }
}

Also see the cross app form authentication section in Chapter 5 of this book from Wrox. It recommends answers like the ones above in addition to providing a homebrew SSO solution.