How to share authentication between multiple applications in ASP.NET
If you want to share authentication across all your ASP.NET applications, this is the article to follow. By the end you may be surprised at how simple the approach is to implement.
The approach discussed here works between ASP.NET MVC applications, between ASP.NET Web Forms applications, or between an MVC and a Web Forms application.
It works only when your ASP.NET applications use Forms Authentication.
You keep the same authentication by sharing the forms authentication ticket across all your applications in the form of a cookie.
Below is a practical step-by-step example between two ASP.NET applications; again, it doesn't matter whether each one is an MVC app or a Web Forms app.
Step I:
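In web.config, add the machine key below under <system.web> in both applications. The machine key must be exactly the same in both apps, because it is required to validate and decrypt the forms authentication ticket. The key values shown here are samples: generate your own and keep them secret, since anyone who holds the keys can produce a ticket that both applications accept.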
First application machine key:
<machineKey
validationKey="5533B5B116101E2620ED9F87A8DD3DB0456BC29031A62ED26251518DE620E7118A9943341AEDEA36E35C7E374553F2F93A0F43F1BE61FE4717246AF15C549737" decryptionKey="B68191FE6ACF945B33BB0D101DD892120B531C1B803FB0300D96F822ED7F19E2" validation="SHA1" decryption="AES" compatibilityMode="Framework20SP1" />
Second application machine key:
<machineKey
validationKey="5533B5B116101E2620ED9F87A8DD3DB0456BC29031A62ED26251518DE620E7118A9943341AEDEA36E35C7E374553F2F93A0F43F1BE61FE4717246AF15C549737" decryptionKey="B68191FE6ACF945B33BB0D101DD892120B531C1B803FB0300D96F822ED7F19E2" validation="SHA1" decryption="AES" compatibilityMode="Framework20SP1" />
Step II:
In web.config, add the forms authentication section below in both applications. If you are running the applications on your local machine, keep the domain either empty or set to localhost; otherwise provide the IP address.
First application:
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="~/Account/Login" timeout="60" slidingExpiration="true" domain="localhost" />
</authentication>
Second application:
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="LoginPage.aspx" timeout="30" slidingExpiration="true" domain="localhost" />
</authentication>
Step III:
Use the code below at login in both apps. On successful login to the first application, redirect to the second application. In the same way, on login to the second application, redirect to the first application.
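// Requires: using System; using System.Web.Security;
// The login name that has just been validated (txtUsername.Text in a Web Forms page).
string username = model.Username;
var oCookie = FormsAuthentication.GetAuthCookie(username, false);
var ticket = FormsAuthentication.Decrypt(oCookie.Value);
// Re-issue the ticket with a 60-minute lifetime and empty user data.
FormsAuthenticationTicket oTicket = new FormsAuthenticationTicket(ticket.Version,
    username, DateTime.Now, DateTime.Now.AddMinutes(60), true, "");
string cookieStr = FormsAuthentication.Encrypt(oTicket);
oCookie.Value = cookieStr;
Response.Cookies.Add(oCookie);
// Send the authenticated user on to the other application.
Response.Redirect("http://localhost/secondApplication.aspx");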
Once you are done with the above three steps, test it in the following way.
Access the first application and log in. You will be redirected to the second application and can access its resources without logging in again.
Now close the browser, access the second application and log in. You will be redirected to the first application and can access its resources without logging in.
Since the same authentication cookie is shared between your applications, logging out of one application also logs you out of the other.
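If the second application still asks for a login, the settings from Step I and Step II are the first thing to compare. The Python script below is an added example, not part of the original article: it reads two web.config documents and reports which sharing-relevant settings differ, without printing any key material. The function names, the sample configs and their placeholder keys are constructed for illustration, and it assumes a web.config without an XML namespace on <configuration>.

```python
import xml.etree.ElementTree as ET

# Settings that must be identical for one app to accept the other's ticket.
MACHINE_KEY_ATTRS = ("validationKey", "decryptionKey", "validation",
                     "decryption", "compatibilityMode")
# <forms> attributes with the ASP.NET default used when the attribute is omitted.
FORMS_DEFAULTS = {"name": ".ASPXAUTH", "path": "/", "protection": "All", "domain": ""}

# Constructed sample configs with placeholder keys (not real key material).
FIRST = """<configuration><system.web>
  <machineKey validationKey="AA11" decryptionKey="BB22" validation="SHA1" decryption="AES" />
  <authentication mode="Forms">
    <forms name=".ASPXAUTH" loginUrl="~/Account/Login" timeout="60" domain="localhost" />
  </authentication>
</system.web></configuration>"""
SECOND = FIRST.replace('"BB22"', '"CC33"').replace('timeout="60"', 'timeout="30"')


def sharing_settings(web_config_xml):
    """Extract the settings of one web.config that affect ticket sharing."""
    system_web = ET.fromstring(web_config_xml).find("system.web")
    if system_web is None:
        raise ValueError("no <system.web> section")
    key = system_web.find("machineKey")
    forms = system_web.find("authentication[@mode='Forms']/forms")
    if key is None or forms is None:
        raise ValueError("explicit <machineKey> and Forms authentication required")
    settings = {"machineKey." + a: key.get(a, "") for a in MACHINE_KEY_ATTRS}
    settings.update({"forms." + a: forms.get(a, d) for a, d in FORMS_DEFAULTS.items()})
    return settings


def sharing_mismatches(first_xml, second_xml):
    """Return the names (never the values) of settings that block sharing."""
    a, b = sharing_settings(first_xml), sharing_settings(second_xml)
    problems = [name for name in a if a[name] != b[name]]
    for name in ("machineKey.validationKey", "machineKey.decryptionKey"):
        if any(not v or "AutoGenerate" in v for v in (a[name], b[name])):
            problems.append(name + " is not an explicit shared key")
    return problems


if __name__ == "__main__":
    print(sharing_mismatches(FIRST, SECOND))
```

The differing timeout values (60 and 30, as in Step II) are deliberately not reported, because each ticket carries its own expiry.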
Hope this helps...! For any queries please use the below
comment box.
I love it when individuals get together and share opinions.
Great site, continue the good work!
This is nearly what I need. Does this work when my applications are on separate servers? (same network)
Yes, but they should be under the same domain.
When it executes Response.Redirect("http://localhost:4840/"); in my case, I got a session variable error on the second application, where I am storing the user info in the session. How do I avoid session variable errors on the second application when sharing authentication between two web apps?