Sharing Authentication between ASP.NET sites

Question

I have two ASP.NET sites (they can not run in the same process) and I need to share authentication between them. If a user is in site A already authenticated and then goes

Answer 1

Select one site to be the "master" which handles all the logins. We will call that one site A, and the non-login site B.

When a user uses the login form on A, it should set a cookie with some unique identifier, such as a GUID. As long as that cookie is valid, the user should stay logged in.

When a user goes to site B, site B should set a cookie with its own unique identifier (another GUID), then redirect to the login on site A, passing along the unique ID in the querystring: Response.Redirect("http://siteA.com/login.aspx?id=ABCDEF")

When the user logs in on the form on A, we should update site B's database - maybe via web service - with the user ID and the unique ID which was passed along - essentially letting site B know "when a user with ABCDEF in their cookie hits your site, it is actually User387".

Then redirect back to site B. The cookie from earlier is still set, but site B now reads that cookie and finds a corresponding user ID, so it knows who the user is and allows access.

When the user arrives on site A, if they have already logged in previously to site A, it will recognize their cookie, follow the same steps as above, and redirect immediately.

This is a very simple version of what every single-sign-on service does. A user will only be sent to A's login page once, no matter where they start from (site A or site B).