Using Single Sign On in Multiple Applications Sharing Same Domain RRS feed

  • Question

  • User1186245786 posted

    Using Forms Authentication

    Forms Authentication should be used for Single sign on into Multiple Applications.

    <authentication mode="Forms">
            <forms name=".Website" loginUrl="login.aspx" protection="All" timeout="30" path="/"/>

    where ".Website" is the name of the Cookie used to store user credentials for form authentication

    Modifying the Machine Key

    The machineKey element might be configured in the machine.config file or on every web.config application file sharing the Same Cookie. By Default the encryption key to encrypt cookie data is set to something like this in the machine.config file:

    decryptionKey= "AutoGenerate,IsolateApps"

    The "IsolateApps" means that a different key will be AutoGenerated for each application. This setting can be overridden by writing the following code in the Application's Web.config file:

        validationKey= "C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE"
        decryptionKey= "8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F"

    The Machine key should be the same for all the applications sharing the same cookie (Using SSO).

    Creating Domain Level Cookie to share same information between Applications

    Here, we are using two domains:
    http://secure.website.net and

    The cookies will be stored in different files and will not be accessible to both applications. In order to make it work, we will need to create domain-level cookies that are visible to all sub-domains:

    Dim fat As FormsAuthenticationTicket = New FormsAuthenticationTicket(1, Login1.UserName, DateTime.Now, DateTime.Now.AddYears(1), False, "")
            Dim cookie As HttpCookie = New HttpCookie(".Web20Tools")
            cookie.Value = FormsAuthentication.Encrypt(fat)
            cookie.Expires = fat.Expiration
            cookie.Domain = ".website.net"

    Here, "cookie.Domain" specifies the name of the domain by which the cookie would be created. Hence if the Windows user has logged in with the account name as "Admin", the cookie would be created by the name:

    The Data Of Expiry is exactly one year after the date of creation. The ticket name would be the same as the user name. So this can be decrypted on the other applications page Load when the request is redirected to another application.

    The cookie is encrypted and then added to the response stream. This cookie can now be shared by any application sharing the same subdomain name

    Note: For Domain wide authentication scenarios, you can set domain-wide cookie only for second level domain, or for third level domain if second level domain contains three or less characters. It means that you cannot set cookie for domain "com" or "co.in", but can for "example.com" or "example.co.in".

    Simulation of the Live Site

    Now to simulate the setup of the live sites, we need to add entries into the Hosts file, which is present at:
    C:/WINDOWS/SYSTEM32/DRIVERS/ETC        (Windows XP)
    C:/WINNT/SYSTEM32/DRIVERS/ETC        (Windows 2000, NT)

    The entries would be as follows: www.website.net secure.website.net

    This would help emulate the site on local server so that the cookies can be shared. The applications can be accessed after creating their virtual directories:


    Now to check whether the cookie has been created or not, the cookie created can be found at:
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\

    where "Default user" will be the name of the user who has logged in.

    An alternative method to check the cookie creation is to go to the Internet Explorer's Tools Menu -> Internet Options -> Click on Privacy Tab -> Click Advanced Button .
    select "Override Automatic Cookie Handling" and then select the radio buttons for "First Party Cookies" and "Third Party Cookies" as "Prompt".

    Doing this will enable prompting before cookie creation where the cookie name and the date of expiry can be tracked.

    Logging Out of the Application

    While Logging out of the application, the Expiration date of the Cookie should be set to a past date for the cookie to get deleted. The cookie should be fetched first using the httpcontext class and then the expiry date should be changed.

    Dim httpWebcookie As HttpCookie
            httpWebcookie = Request.Cookies(".Website")
            httpWebcookie.Domain = ".website.net"
            httpWebcookie.Expires = DateTime.Now.AddYears(-3)


    Hope that this Article proves to be Useful for you guys.


    Usman Suglatwala.



    Wednesday, September 6, 2006 6:08 AM

All replies

  • User-392871504 posted


       Thanks for your artcle. There some some more information abt single sign on http://chiragrdarji.wordpress.com

      Hope you like it.


    Thursday, April 5, 2007 7:10 AM
  • User414569837 posted

    Thanks for the nice article . I have these questions

    1) Will this work if the two sites are on different boxes?

    2) Will it work behind a NLB ?

    Thanks ,


    Thursday, September 11, 2008 4:17 AM
  • User-490333497 posted

    Thanks for such a nice information.


    Yogesh Chandra Upreti


    Monday, June 14, 2010 3:52 AM