Fog Creek Software
Discussion Board





session management

This is much the same situation as this one:

http://discuss.fogcreek.com/dotnetquestions/default.asp?cmd=show&ixPost=371&ixReplies=2

Basically I have two different applications under wwwroot; one is called secured and the other is company. Pages in the secured application ensure the authentication of the user, and we store their userid and usertype in the session, which can be accessed by any other application like /company (this was possible in classic ASP). Now with ASP.NET, it looks like this is not possible, i.e. you can access the session only within an application. I guess this is true even in the case of StateServer or SQLServer mode. I am wondering how old ASP applications (which extensively used session and accessed session variables across virtual directories) are getting migrated to ASP.NET. Any thoughts?

RAM
Wednesday, June 11, 2003

Initial thought: is it an intranet application? If so, use Windows Authentication instead: problem solved.

What else? -- I would veer away from implementing your authentication system using Session -- look into Forms Authentication.

Even so, not sure if FormsAuth solves your problem - although something to try is to have a look at having both apps use the same key for encrypting the FormsAuth cookie (in web.config /configuration/system.web/machineKey/@decryptionKey); and when you call RedirectFromLoginPage() set the cookie path to "/"... I'm pessimistic though...

Otherwise, consider a Passport-style mechanism. The authentication application, when it has authenticated the user, could encrypt (System.Security.Cryptography.SymmetricAlgorithm) a "ticket" containing the relevant user information and pass it to the target application in a query string variable via a redirect. If the target application then successfully decrypts the information ("trust" is enabled by having the apps share the encryption key) - you can store it where you like: use FormsAuth's RedirectFromLoginPage (my choice), or Session or whatever.

HTH.

Duncan Smart
Wednesday, June 11, 2003
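
The ticket hand-off described in the post above, as an added example that is not part of the original thread. It assumes .NET 8 or later and uses AES-GCM (authenticated encryption) in place of a bare SymmetricAlgorithm, so that a ticket which decrypts is also known to be unmodified; the class name, field layout and expiry field are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (hypothetical names): /secured issues the ticket, /company validates it.
public static class CrossAppTicket
{
    const int NonceLen = 12, TagLen = 16;

    // key: 32 random bytes shared by both applications and kept out of source control.
    // Field values must not contain '|'; such a ticket fails validation on the other side.
    public static string Issue(byte[] key, string userId, string userType,
                               string orgNumber, TimeSpan lifetime)
    {
        long expires = DateTimeOffset.UtcNow.Add(lifetime).ToUnixTimeSeconds();
        byte[] plain = Encoding.UTF8.GetBytes($"{expires}|{userId}|{userType}|{orgNumber}");
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceLen); // fresh nonce per ticket
        byte[] cipher = new byte[plain.Length];
        byte[] tag = new byte[TagLen];
        using var aes = new AesGcm(key, TagLen);
        aes.Encrypt(nonce, plain, cipher, tag);

        // Wire format: nonce || tag || ciphertext, base64url-encoded for the query string.
        byte[] blob = new byte[NonceLen + TagLen + cipher.Length];
        nonce.CopyTo(blob, 0);
        tag.CopyTo(blob, NonceLen);
        cipher.CopyTo(blob, NonceLen + TagLen);
        return Convert.ToBase64String(blob).Replace('+', '-').Replace('/', '_').TrimEnd('=');
    }

    // Returns false for malformed, tampered or expired tickets; fields = userId, userType, orgNumber.
    public static bool TryValidate(byte[] key, string ticket, out string[] fields)
    {
        fields = Array.Empty<string>();
        try
        {
            string b64 = ticket.Replace('-', '+').Replace('_', '/');
            b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
            byte[] blob = Convert.FromBase64String(b64);
            if (blob.Length < NonceLen + TagLen) return false;
            byte[] plain = new byte[blob.Length - NonceLen - TagLen];
            using var aes = new AesGcm(key, TagLen);
            aes.Decrypt(blob.AsSpan(0, NonceLen), blob.AsSpan(NonceLen + TagLen),
                        blob.AsSpan(NonceLen, TagLen), plain); // throws if the tag does not match
            string[] parts = Encoding.UTF8.GetString(plain).Split('|');
            if (parts.Length != 4 || !long.TryParse(parts[0], out long expires)) return false;
            if (expires < DateTimeOffset.UtcNow.ToUnixTimeSeconds()) return false;
            fields = parts[1..];
            return true;
        }
        catch (Exception e) when (e is FormatException || e is CryptographicException) { return false; }
    }
}
```

Query strings end up in server logs and browser history, so the lifetime passed to Issue should be short (seconds, not hours) and the target application should exchange the ticket for its own cookie on first use.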

Thanks for your input.

We started using session as we need to pass more than one value (like userid, user type and their org number etc).
I can certainly try the Passport kind of mechanism. Would appreciate it if you can point out any article available on this.

I am still wondering why MS pulled out this feature in ASP.NET. In fact I tried changing the session mode to SQL Server and still it did not solve our purpose... just curious!!

thanks

RAM
Friday, June 13, 2003

I doubt if MS considered sharing Session amongst applications a "feature."

Duncan Smart
Wednesday, June 18, 2003
