Wednesday, September 6, 2006

Using Single Sign On in Multiple Applications Sharing Same Domain

Using Forms Authentication

Forms Authentication is used for single sign-on (SSO) across multiple applications.

<authentication mode="Forms">
  <forms name=".Website" loginUrl="login.aspx" protection="All" timeout="30" path="/"/>
</authentication>

where ".Website" is the name of the cookie that carries the encrypted forms authentication ticket. The name must be the same in every application that shares the cookie.

Modifying the Machine Key

The machineKey element can be configured in the machine.config file or in the web.config of every application sharing the same cookie. By default the key used to encrypt the cookie data is set in machine.config to something like this:

<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="SHA1"/>

"IsolateApps" means that a different key is auto-generated for each application, so a cookie encrypted by one application cannot be decrypted by another. This setting is overridden by placing the following in each application's web.config file:

<machineKey decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F" validationKey="[same fixed value in every application]" validation="SHA1"/>

The machineKey must be identical in every application sharing the cookie (i.e. taking part in the SSO). Because protection="All" both encrypts and signs the ticket, the validationKey has to match as well as the decryptionKey. Generate fresh values for your own deployment; a key printed in an article is known to everyone and must not be reused.

Creating Domain Level Cookie to share same information between Applications

Here, we are using two domains: and

Cookies for different host names are stored separately and are not accessible to both applications. To make this work, we need to create domain-level cookies that are visible to all sub-domains:

' Ticket: version 1, user name, issue date, one-year expiry, not persistent, no user data
Dim fat As FormsAuthenticationTicket = New FormsAuthenticationTicket(1, _
    Login1.UserName, DateTime.Now, DateTime.Now.AddYears(1), False, "")
' The cookie name must match the name attribute of <forms> (".Website" above)
Dim cookie As HttpCookie = New HttpCookie(FormsAuthentication.FormsCookieName)
cookie.Value = FormsAuthentication.Encrypt(fat)
cookie.Expires = fat.Expiration
cookie.Domain = ""
cookie.HttpOnly = True   ' keep the ticket out of reach of client-side script
Response.Cookies.Add(cookie)   ' send the domain-wide cookie to the browser

"cookie.Domain" specifies the domain for which the cookie is issued. Hence, if the Windows user has logged in with the account name "Admin", the cookie would be created by the name:

The date of expiry is exactly one year after the date of creation, and the ticket name is the same as the user name. The ticket can therefore be decrypted in the other application's Page_Load when the request is redirected to that application.

The cookie is encrypted and then added to the response. It can now be shared by any application hosted under a sub-domain of that domain.

Note: For domain-wide authentication scenarios, you can set a domain-wide cookie only for a second-level domain, or for a third-level domain if the second-level domain contains three or fewer characters. This means that you cannot set a cookie for the domain "com" or "", but can for "" or

Simulation of the Live Site

Now to simulate the setup of the live sites, we need to add entries into the Hosts file, which is present at:

The entries would be as follows:

would help emulate the site on the local server so that the cookies can be shared. The applications can be accessed after creating their virtual

Now, to check whether the cookie has been created, look for it at:
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\

where "Default user" will be the name of the user who has logged in.

An alternative way to check cookie creation is through Internet Explorer's Tools menu -> Internet Options -> Privacy tab -> Advanced button. Select "Override Automatic Cookie Handling" and set the radio buttons for "First Party Cookies" and "Third Party Cookies" to "Prompt".

Doing this will enable prompting before cookie creation where the cookie name and the date of expiry can be tracked.

Logging Out of the Application

To log out of the application, the expiration date of the cookie should be set to a past date so that the browser deletes it. The cookie should first be fetched from the request (via the HttpContext), then its expiry date changed and the cookie written back to the response.

Dim httpWebcookie As HttpCookie = Request.Cookies(FormsAuthentication.FormsCookieName)
If httpWebcookie IsNot Nothing Then
    ' Domain and path must match the cookie that was issued, or the browser keeps the original
    httpWebcookie.Domain = ""
    httpWebcookie.Expires = DateTime.Now.AddYears(-3)
    ' The expired cookie must be sent back to the browser for the deletion to take effect
    Response.Cookies.Add(httpWebcookie)
End If