6.10. Passing Tickets Across Applications

Another title for this section could be "how to roll a poor man's single sign-on (SSO) solution." In ASP.NET 2.0 and ASP.NET 3.5, forms authentication includes the ability to pass forms authentication tickets across applications. Although prior to 2.0 you could create a custom solution that passed the forms authentication ticket around as a string, you had to write extra code to handle hopping the ticket across applications.

ASP.NET 2.0 and ASP.NET 3.5 support setting the domain value of the forms authentication cookie in configuration. ASP.NET 2.0 and ASP.NET 3.5 also add explicit support, built into the APIs and the FormsAuthenticationModule, for handling tickets that are passed using either query strings or form posts. As long as you follow the basic conventions expected by forms authentication, ASP.NET automatically converts the information sent in these alternative locations into a viable forms authentication ticket.
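A web.config sketch of the two mechanisms just described, added here as an illustration and not taken from the book. The host names, the example.com domain and the key values are constructed placeholders; the enableCrossAppRedirects attribute and the machineKey element are real ASP.NET settings that this excerpt does not name.

```xml
<!-- Added example. Hosts, domain and key values are constructed placeholders. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- domain="" (the default) leaves the cookie scoped to the issuing host.
           Setting a parent domain makes the browser send the ticket cookie to
           every host under it, for example app1.example.com and
           app2.example.com. The cookie name and path must be the same in
           every participating application. -->
      <forms name=".ASPXAUTH"
             loginUrl="https://app1.example.com/login.aspx"
             domain="example.com"
             path="/"
             protection="All"
             requireSSL="true"
             enableCrossAppRedirects="true" />
      <!-- enableCrossAppRedirects="true" lets the FormsAuthenticationModule
           accept a ticket carried in a query string or form post when the
           request arrives from another application. -->
    </authentication>
    <!-- A ticket issued by one application can only be decrypted and validated
         by another when both use identical explicit keys instead of
         auto-generated ones. -->
    <machineKey validationKey="PLACEHOLDER_SHARED_VALIDATION_KEY_HEX"
                decryptionKey="PLACEHOLDER_SHARED_DECRYPTION_KEY_HEX"
                validation="SHA1"
                decryption="AES" />
  </system.web>
</configuration>
```

With domain set to a parent domain, every host beneath it receives the ticket, so the set of hosts allowed under that domain becomes part of the trust boundary for the login.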

6.10.1. Cookie Domain

The ASP.NET 2.0 and ASP.NET 3.5 forms authentication configuration section includes a domain attribute. By default, this attribute is set to the empty string, which means that cookies issued by forms authentication APIs will use the default value of the Domain property for a System.Web.HttpCookie. As a result, the Domain property of the cookie will be set to the full DNS address for the issuing website. For example, if a page is located at http://bhaidar-PC/login.aspx ...
