George2

Reputation: 45801

redirect to another URL issue in ASP.Net

I have two web applications and sometimes I need the user to jump from one application to another. Since they are two web applications and may reside on different domains/machines, I cannot share session between them.

The technical challenge for me is how to pass session information (I only need to pass userID string information in the session) from one source application to another destination application -- so that the user feels Single Sign On and personal information is displayed for him/her in both applications (as the userID is passed to the destination application, no re-login is needed).

My current solution is to generate all URL strings in both applications and append them with the user ID after the user logs in successfully, like http://www.anotherapplication.com/somepage?userID=someuserID, where the userID value is retrieved from session. But I think my solution is stupid and I want to find some way to automatically append the query string ?userID=someuserID when the user jumps to another URL in another application -- so that I just need to generate the common unified URL http://www.anotherapplication.com/somepage in both applications.

Is there a solution to automatically append the userID query string?

thanks in advance, George

Upvotes: 1

Views: 2194

Answers (3)

driis

Reputation: 164341

I do not think it is a good idea to have the user id in the query string.

A better idea would be to implement a single-sign on solution. In your scenario, you could do the following:

  • Whenever one of your applications receives an unauthenticated request, redirect the user back to the other application to a special single-sign-on URL.
  • This page checks whether the user is logged in, and if so, redirects back with an authentication token in the query string.
  • This token is checked by the unauthenticated application; and if it passes, you can log the user in.

Of course, this seems like "a lot" of redirecting, but it should be reliable, and it only happens once, and then your user will be authenticated on both applications.

Obviously you would need to implement a security scheme so that you can check that the authentication token you get passed is really valid and originating from your other application. You could do this with a challenge-response algorithm; which could be:

  • Both applications should know a common key.
  • First application sends some random data (the "challenge") to the second application.
  • The second application includes a hash-value of the random data + its answer + the secret key in its response.
  • Now the first application can check that the second application knew the secret key by calculating the same hash-value.

Have a look at: http://en.wikipedia.org/wiki/Challenge-response_authentication

EDIT:

With regard to session state, see http://msdn.microsoft.com/en-us/library/ms178581.aspx for an overview. It is possible to share session state between the applications, but I would not recommend it in general. If your applications reside on different domains (URLs) you would have to use cookieless session state, which is not safe. If you decide to go this way, you would either have to use State server or SQL Server for session persistence, depending on your setup.

Upvotes: 2
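
The challenge-response check described in the answer above, sketched in C# as an added example (not code posted by any of the answerers). It uses HMAC-SHA256 in place of a plain hash over data plus key; the class and method names, the token layout and the two-minute lifetime are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Added example: SsoToken and its members are hypothetical names, not an ASP.NET API.
public static class SsoToken
{
    // App A: random challenge, kept server-side (e.g. in session) until the reply arrives.
    public static string NewChallenge()
    {
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }

    // App B: answer the challenge for the user who is already logged in there.
    public static string Issue(byte[] key, string challenge, string userId, DateTime nowUtc)
    {
        long expires = nowUtc.AddMinutes(2).Ticks; // assumed lifetime
        string payload = Convert.ToBase64String(Encoding.UTF8.GetBytes(userId)) + "." + expires;
        return payload + "." + Mac(key, challenge + "." + payload);
    }

    // App A: recompute the MAC over the challenge it issued itself, then check expiry.
    public static bool TryVerify(byte[] key, string issuedChallenge, string token, DateTime nowUtc, out string userId)
    {
        userId = null;
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 3) return false;
        string expected = Mac(key, issuedChallenge + "." + parts[0] + "." + parts[1]);
        if (!FixedTimeEquals(expected, parts[2])) return false;
        long expires;
        if (!long.TryParse(parts[1], out expires) || nowUtc.Ticks > expires) return false;
        userId = Encoding.UTF8.GetString(Convert.FromBase64String(parts[0]));
        return true;
    }

    static string Mac(byte[] key, string data)
    {
        using (var h = new HMACSHA256(key))
            return Convert.ToBase64String(h.ComputeHash(Encoding.UTF8.GetBytes(data)));
    }
    // Comparison that does not stop at the first differing character.
    static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

URL-encode the token before placing it in the redirect, and discard the stored challenge after one verification attempt so that a captured token cannot be replayed.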

Cerebrus

Reputation: 25775

Rather than doing it via the query string, it might be more maintainable in the long run if you create a FormsAuthenticationTicket with the required values.

I especially recommend reading Michael Morozov's excellent article on the subject of SSO (Single sign ons).

Upvotes: 2

John Leidegren

Reputation: 61057

You can persist the session using something other than InProc (which is short for in process). If you persist the session using a SQL Server backend you'll be able to retrieve the session cross domain/machine if they are set up to use the same SQL Server backend for session storage. This is configurable in ASP.NET and supported out-of-the-box. I suggest you look it up.

Upvotes: 0
