Single Sign On (SSO) using Cookie in .Net

There are various ways to implement Single Sign-On (SSO) in an ASP.NET web application: cookies, session (state server), SAML, web services and so on. This post gives a brief overview of how to use a cookie to implement SSO in an ASP.NET web application.

Assume that we have two web applications hosted in different virtual directories under the same domain. For example, our root domain is:

http://test.com

The two virtual directories hosted under this domain are:

http://test.com/cookiesite1
http://test.com/cookiesite2

If we log in to cookiesite1, it writes the login information to a cookie. When you then open the other site in another tab or a new window of the same browser, it checks the cookie for the login information. If the desired value is found in the cookie, you are logged in automatically. Remember that cookies must be enabled in your browser for all of this to work.

Here are the changes to be done:

WEB CONFIG

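We need to configure our web config files first. Both web config files should contain the same machineKey settings: validation key, decryption key and validation algorithm. The key values shown here only illustrate the format; generate your own and keep them private, because they protect whatever ASP.NET encrypts and signs with them. Something like this: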

<machineKey validationKey="282487E295028E59B8F411ACB689CCD6F39DDD21E6055A3EE480424315994760ADF21B580D8587DB675FA02F79167413044E25309CCCDB647174D5B3D0DD9141"
    decryptionKey="8B6697227CBCA902B1A0925D40FAA00B353F2DF4359D2099"
    validation="SHA1" />

IIS

In IIS, on the Directory Security tab, add the "ASPNET Machine Account" user and grant it full rights.

CODE

After a successful login, in both projects:

if (login_Successful)
{
    //Create a new cookie, passing the name into the constructor
    HttpCookie cookie = new HttpCookie("strCookieName");
    //Set the cookie's value
    cookie.Value = "set_cookie_value";
    //Set the cookie to expire in 5 minutes
    DateTime dtNow = DateTime.Now;
    TimeSpan tsMinute = new TimeSpan(0, 0, 5, 0);
    cookie.Expires = dtNow + tsMinute;
    //Add the cookie
    Response.Cookies.Add(cookie);
    Response.Write("Cookie written. ");
}

On page load, before showing the login page, do this:

protected void Page_Load(object sender, EventArgs e)
{
    //Grab the cookie
    HttpCookie cookie = Request.Cookies["strCookieName"];
    //Check to make sure the cookie exists
    if (cookie != null)
    {
        ReadCookie();
    }
    else
    {
        lblCookie.Text = "Cookie not found. ";
    }
}

protected void ReadCookie()
{
    //Grab the cookie
    HttpCookie cookie = Request.Cookies["strCookieName"];
    //Check to make sure the cookie exists
    if (cookie == null)
    {
        lblCookie.Text = "Cookie not found. ";
    }
    else
    {
        //Write the cookie value
        String strCookieValue = cookie.Value.ToString();
        lblCookie.Text = "The cookie contains: " + strCookieValue + "";
    }
}

Now test the application, either on a local web server or on any domain; SSO should work using the cookie.
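
The shared machineKey only comes into play when the cookie value is actually encrypted and signed with it. The following added example (not code from the original post) shows one way to do that with a FormsAuthenticationTicket, so the second site can verify that the cookie was issued by the first. The SsoCookie class and its method names are hypothetical, and Secure = true assumes the sites are served over HTTPS.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example: hypothetical helper shared by cookiesite1 and cookiesite2.
public static class SsoCookie
{
    private const string CookieName = "strCookieName"; // name used on this page

    // Call after a successful login: stores a ticket that is encrypted and
    // signed with the <machineKey> both applications share.
    public static void Issue(HttpResponse response, string userName)
    {
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1, userName, now, now.AddMinutes(5), false, string.Empty, "/");

        var cookie = new HttpCookie(CookieName, FormsAuthentication.Encrypt(ticket))
        {
            Path = "/",        // visible to both virtual directories
            HttpOnly = true,   // not readable from page script
            Secure = true,     // assumption: the sites are served over HTTPS
            Expires = ticket.Expiration
        };
        response.Cookies.Add(cookie);
    }

    // Call in Page_Load: returns the user name, or null when the cookie is
    // missing, expired, tampered with, or protected with a different key.
    public static string TryRead(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[CookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return null;
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            if (ticket == null || ticket.Expired)
                return null;
            return ticket.Name;
        }
        catch (Exception) // fail closed on any decryption or validation error
        {
            return null;
        }
    }
}
```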
