Is there a way to persist authentication from one web app to another, nested web app in ASP.NET?

Question

So my company has an ASP.NET web app, targeting .NET 3.5. I am tasked with building a ticketing system for them. I don't really need to use any resources of the company app, except for authentication. I would like to target .NET 4.0 and use the 4.0 goodies like entity framework and mvc 3.0. If I create an application targeting .net 4 nested within the main web app in IIS, is there a way to persist authentication so they do not require a different session within the 4.0 web app?

Please let me know if I am being unclear.

Thank you.

Answer 1

If you use membership authentication you can share sessions between different web applications provided the following is true:

1. All of them share the same machine key - you can set the machineKey explicitly in each web.config to the same value.

2. You are using the same authentication cookie name (ie .ASPXAUTH by default)

There might be other ways, but this is how I got it to work.

Also see this article for reference: Forms Authentication Across Applications

Answer 2

If the subfolder in the main IIS application is not an application itself, it will be loaded into the AppDomain of the parent IIS application, and this would ensure that session state is shared between the applications. If it is its own IIS application, it will have its own AppDomain and be a separate running application.

If it shares the same AppDomain as the parent IIS application, you have to be careful of where you deploy your binaries. If you do not add in a private bin path for assembly resolution, all assemblies must be located in the root /bin . But this has the additional risk of the main app looking for assemblies in your additional subfolder where it shouldn't be looking.