
Multiple applications running under single website - Forms authentication signin/signout issues

I have several applications running under a single website in IIS7.

There are several pages within the website, but these are all pretty standard HTML pages, with not a lot going on.

The main website has its own application pool and each sub application has its own folder and associated application pool.

I use forms authentication and my own custom login system which uses an SQL database to store the credentials.

Each sub application has its own login page but they share the same credentials and database, which from what I understand is the best way, as a user can access up to 4 of these applications and a single username/password is most practical.

The issue I have is that when you sign in to one application, and then proceed to sign in to another, you are signed out of the first one. This is before any of the processes are shut down or timed out etc.

What do I need to do to keep a user logged into multiple applications? But bear in mind that they may not have access to them all, so they cannot share a single machine key or authentication cookie as I have read is possible.

Any help would be greatly appreciated as up to now I have simply used my own session based authentication which checks if they are logged in and I would like to move to the more up to date method of forms authentication.

Make sure you have multiple applications configured in the database. Otherwise, an attempt to authenticate for one page will renew the auth cookie and invalidate the old one - which leads to the described behaviour of logging out from all other apps. The application name is set in the web.config file for an application:

...
<membership defaultProvider="SqlProvider">
  <providers>
    <clear/>
    <add connectionStringName="Connect" applicationName="myFirstApp" ...
....

For the multiple apps approach, you most probably will have to duplicate the users for every application as well. Since your users are not automatically allowed to authenticate for all apps, I think this is ok though.

Another approach would be to use the same login procedure for all apps - hence share the auth cookie across the apps, something you seem to be trying to prevent. If the duplicate users disturb you, I guess you will have to write your own custom membership provider.

See: http://msdn.microsoft.com/en-us/library/f1kyba5e.aspx

From comments:

I simply check their credentials and then set the FormsAuthentication.SetAuthCookie for the username to true.

This is what logs the user out of the other applications. You are effectively clobbering the authentication cookie used by the other applications. You may be able to get around this problem by ensuring that each application uses the same validation key, hash algorithm, decryption key and decryption algorithm by setting the following in the web config of each application:

<machineKey 
    validationKey="..." 
    validation="SHA1" 
    decryptionKey="..." 
    decryption="AES" />

This should enable each site to use the same authentication cookie.

An alternate solution would be to ensure that each application uses a different cookie by setting the following:

<authentication mode="Forms">
    <forms loginUrl="..." 
        protection="All" 
        name=".MyAppName"/>
</authentication>

In this scenario, you would set MyAppName to something different for each application. Users would still be able to use the same credentials across all applications but they will have to log into each application separately.
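
The two options in the answer above can be checked across a site's sub-applications with a small audit, shown here as an added example that is not part of the original answers. It assumes each web.config passed in is that application's effective configuration (inheritance from the site root is not resolved); the application paths, cookie names and key values are constructed placeholders. A "clobber" finding means the apps overwrite one cookie with tickets the others cannot validate, and "shared-ticket" means one ticket is accepted by every app in the group.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
# ASP.NET defaults used when <forms> omits the attribute.
DEFAULT_NAME, DEFAULT_PATH = ".ASPXAUTH", "/"

def _sample(forms_attrs, key):
    return ('<configuration><system.web><authentication mode="Forms">'
            f'<forms loginUrl="login.aspx" {forms_attrs}/></authentication>'
            f'<machineKey validationKey="{key}" decryptionKey="{key}" '
            'validation="SHA1" decryption="AES"/></system.web></configuration>')

# Constructed configs for hypothetical sub-applications of one site (same
# host, so same cookie domain); key values are placeholders, not real keys.
SAMPLE = {
    "/sales":   _sample("", "PLACEHOLDER-A"),
    "/support": _sample("", "PLACEHOLDER-B"),
    "/reports": _sample('name=".ReportsAuth"', "PLACEHOLDER-C"),
    "/hr":      _sample('name=".StaffAuth"', "PLACEHOLDER-D"),
    "/payroll": _sample('name=".StaffAuth"', "PLACEHOLDER-D"),
}

def forms_settings(xml_text):
    """Return (cookie name, cookie path, machineKey pair or None)."""
    web = ET.fromstring(xml_text).find("system.web")
    forms = web.find("authentication/forms") if web is not None else None
    mk = web.find("machineKey") if web is not None else None
    name = forms.get("name", DEFAULT_NAME) if forms is not None else DEFAULT_NAME
    path = forms.get("path", DEFAULT_PATH) if forms is not None else DEFAULT_PATH
    keys = (mk.get("validationKey"), mk.get("decryptionKey")) if mk is not None else None
    return name, path, keys

def audit(configs):
    """Report cookies (name, path) used by 2+ apps; no machineKey = per-app keys."""
    groups = defaultdict(list)
    for app, xml_text in configs.items():
        name, path, keys = forms_settings(xml_text)
        groups[(name, path)].append((app, keys))
    findings = []
    for (name, path), members in sorted(groups.items()):
        if len(members) < 2:
            continue
        distinct = {keys for _, keys in members}
        shared = len(distinct) == 1 and None not in distinct
        verdict = "shared-ticket" if shared else "clobber"
        findings.append((name, path, sorted(app for app, _ in members), verdict))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A "shared-ticket" group still needs a per-application authorization check, since a login to one app in the group is accepted by the others.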
