Sharing authentication between 3 websites

Question

I have a main website, with 2 sub-sites. I want to create a simple way to authenticate on a website such that I can view the other 2 sub-sites.

THe websites are setupa as follows:

www.example.com/
www.example.com/subsite1
www.example.com/subsite2

As a further requirement, subsite1 and subsite2 may be re-used on a different website.

Could I use the built in Authentication module in ASP.NET for this? Or do I have to create my own custom cookie?

Answer 1

No need to complicate creating a module for this.

Its subsites will share the cookies, since cookies are created according to the domain and not in accordance with sub domains.

And I see no problem to have to make a different authentication, since it would only manage differently authentication cookies for each subsite.

Read this article (Apply the settings of the framework version you're using.)

On web.config, in <authentication> section, at <form> tag, apply the same name for your applications, I think that's is the principal.

Answer 2

It depends on how much this "further requirement" of reusing is important in the single sign-on context.

The short answer is: if websites are on the same domain, cookies are sent by browsers to each of sites and forms authentication is automatically reused. If websites are on different domains, you need to implement one of existing protocols of single sign-on.

My personal opinion is that the latter pays off sooner or later.

Answer 3

Yes, since the 3 sites are on the same domain, you could share the forms authentication cookie between the 3 applications. This could be achieved by setting the domain property on the 3 applications:

<forms domain="www.example.com" ...>

Also for this to work you should share the same machine keys between the 3 applications. Please take a look at the following article on MSDN which goes into further details.