We have a small application we built in our spare time using the latest MVC3 and Entity Framework .NET libraries available at the time, and deployed it. The management liked
First, the fact that one application is ASP.NET MVC makes no difference here :)
Second, here is one example of what to do from MSDN:
http://msdn.microsoft.com/en-us/library/eb0zx8fc.aspx
Small snippet from that page:
<configuration>
  <system.web>
    <authentication mode="Forms" >
      <!-- The name, protection, and path attributes must match
           exactly in each Web.config file. -->
      <forms loginUrl="login.aspx"
        name=".ASPXFORMSAUTH"
        protection="All"
        path="/"
        domain="contoso.com"
        timeout="30" />
    </authentication>
    <!-- Validation and decryption keys must exactly match and cannot
         be set to "AutoGenerate". The validation and decryption
         algorithms must also be the same. -->
    <machineKey
      validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE"
      decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F"
      validation="SHA1" />
  </system.web>
</configuration>
P.S.
StriplingWarrior's advice of merging both applications, although not really required, may be very useful for future integrations. You may later end up doing it anyway.
Store the session state in a database. Store the session key in the cookies of each session. At the AcquireSessionState event in the life cycles of both applications, get the session id from the cookie, load the session data from the database and update your HttpContext.User. You will then have the same authentication data in both applications.
You may want to consider simply integrating this application into your Web Forms application directly. The two can coexist in the same application.
Forms authentication uses cookies to track users. Cookies can only be shared between the same domain. So, for example, if you had app1.foo.com and app2.foo.com, simply configure those two applications to share the same domain cookie. For example, both web.config files should share the same forms authentication configuration:
<authentication mode="Forms">
  <forms
    loginUrl="~/Account/LogOn"
    timeout="2880"
    domain="foo.com"
  />
</authentication>
You also must ensure that both applications share the same machine keys, because an authentication cookie emitted by app1 needs to be decrypted by app2 with the same keys.
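A consistency check for the shared-cookie setup described in the answers above, as an added example that is not part of any answer or of the MSDN page: it compares the `<forms>` and `<machineKey>` settings of two Web.config files and generates fresh random keys. The function names and the sample configuration built by `config()` are assumptions made for the illustration.

```python
import secrets
import xml.etree.ElementTree as ET

# Documented <forms> defaults, applied when an attribute is omitted.
FORMS_DEFAULTS = {"name": ".ASPXAUTH", "protection": "All", "path": "/", "domain": ""}
KEY_ATTRS = ("validationKey", "decryptionKey", "validation", "decryption")
# decryptionKey printed in the MSDN snippet quoted on this page: public, so unusable.
PUBLISHED_KEYS = {"8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F"}

def auth_settings(web_config_xml):
    """Collect the settings both applications must agree on."""
    root = ET.fromstring(web_config_xml)
    forms = next(root.iter("forms"), None)
    key = next(root.iter("machineKey"), None)
    out = {}
    for attr, default in FORMS_DEFAULTS.items():
        out["forms/" + attr] = default if forms is None else forms.get(attr, default)
    for attr in KEY_ATTRS:
        out["machineKey/" + attr] = None if key is None else key.get(attr)
    return out

def cookie_sharing_problems(app1_xml, app2_xml):
    """Return reasons app2 could not accept a forms-auth cookie issued by app1."""
    a, b = auth_settings(app1_xml), auth_settings(app2_xml)
    # Values are left out of the messages so key material never reaches a log.
    problems = [f"{k} differs between the two files" for k in a if a[k] != b[k]]
    for label, cfg in (("app1", a), ("app2", b)):
        for k in ("machineKey/validationKey", "machineKey/decryptionKey"):
            value = cfg[k]
            if value is None or value.startswith("AutoGenerate"):
                problems.append(f"{label}: {k} must be an explicit key")
            elif value.upper() in PUBLISHED_KEYS:
                problems.append(f"{label}: {k} is a published sample key")
    return problems

def new_machine_key():
    """Fresh random keys with the same hex lengths as the sample (128 and 48)."""
    return {"validationKey": secrets.token_hex(64).upper(),
            "decryptionKey": secrets.token_hex(24).upper()}

def config(domain, keys):
    # Constructed sample Web.config used only for the demo below.
    return (f'<configuration><system.web><authentication mode="Forms">'
            f'<forms loginUrl="~/Account/LogOn" timeout="2880" domain="{domain}" />'
            f'</authentication><machineKey validationKey="{keys["validationKey"]}" '
            f'decryptionKey="{keys["decryptionKey"]}" validation="SHA1" />'
            f'</system.web></configuration>')

if __name__ == "__main__":
    shared = new_machine_key()
    print(cookie_sharing_problems(config("foo.com", shared), config("foo.com", shared)))
    print(cookie_sharing_problems(config("foo.com", shared), config("foo.com", new_machine_key())))
```

An empty list means the two files agree on everything the cookie depends on; each entry otherwise names the setting to fix.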