How can I maintain .aspxauth session cookie between website and virtual app?

StackOverflow https://stackoverflow.com/questions/10523474

Pergunta

We have our production website in .net and a third party web app that runs as a virtual application from the website. I have been tasked with maintaining the session time out between the website and the third party app. i.e. as long as the user is active on the third party app, the session stays alive so when they go back to the website even if it is after the 20 minute expiration, their session is still active. We're using forms authentication in both the website and the app for session management and from what I've read I should be able to do this through settings in the web config. I have updated the authentication section of both webconfig files with

basically I am working with www.mydomain.com and www.mydomain.com/app/

    <authentication mode="Forms">
        <forms
           name=".ASPXFORMSAUTH"
           loginUrl="home.aspx"
           enableCrossAppRedirects="true"
           slidingExpiration="true"
           path="/"
           domain=".infinedi.net">
        </forms>

    </authentication>
    <machineKey
          validationKey="BDEA0BE471E4E2C24E5A9552AF232C3E7BF584DBEEAA1262CEE78CB5126FBBBE9E8007DB5ED8357FEE5C2C5B6FF3FC7D34C7CEA54DE3790560FCDEBF44415804"
          decryptionKey="2E31C984223964655C203E3A91AF139B1AE0A964F1475E204E6AACE62840EAB0"
          validation="SHA1"
          decryption="AES"
          />

but this didn't do the trick. When watching with fiddler I can see that as soon as i go in to the third party app, I get a new .ASPXFORMSAUTH session which I suspect is why the website session times out. Is doing this through the webconfig even possible or is there a different direction I should be going?

Foi útil?

Solução

I think the problem you're having is because ASP.NET assigns a new Session ID per application. Even if you have the same cookie name and encryption parameters, the internally generated session ID will be different. You might be able to get around this by manually detecting an existing session and updating the session ID. This used to be a common work around for flash-based file uploaders because Flash didn't send the appropriate cookies so the upload handler on the server side couldn't identify the user's existing session.

http://snipplr.com/view/15180/

Using the example code at the above URL, the flash app would post to a URL containing the session ID in the query string, which the BeginRequest handler would detect and update the Request.Cookies collection. I haven't tested this, but you may be able to modify the code a bit to detect the existing cookie from the parent app.

As an alternative, see: Sharing sessions across applications using the ASP.NET Session State Service

Outras dicas

Wasn't able to get this to work so resorted to using an iframe. ugly solution that I'll have to revisit later.

Licenciado em: CC-BY-SA com atribuição
Não afiliado a StackOverflow
scroll top