I have a web farm that uses a state server for session management.
A user logs on to a website (www1.mysite.com).
When the same user visits www2.mysite.com I want the user to be logged in.
Right now he is not logged in on www2.mysite.com (both sites use the same
state server).
The reason for this seems to be that the user gets a new SessionId when he
visits a new web server (www2.mysite.com for example).
If there was a way to add a domain='.mysite.com' to the session-cookie the
user would use the SessionId from www1.mysite.com on www2.mysite.com and
share session information (be logged in).
What is the best way to accomplish this?
Does the solution work with all browsers and firewalls?
/Nils Hedstrm
One way to do it:
The first server authenticates the user and passes a token to the
browser e.g. a guid in a hidden form field.
The first server passes this token to the second server (e.g. through a
shared database).
The second server receives the token from the browser and checks to see
if it exists in the database, associates that with the user and
authenticates the user (setting its own session cookie) and removes
the guid from the database.
Google for "single sign-on" (and msdn/security has lots of info - some
of their web security webcasts describe this method).
Chris.
http://blog.cecatech.co.uk/chrisb
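The token handoff described in the reply above, as an added example that is not part of the original thread. `HandoffTokenStore`, `Issue` and `Redeem` are hypothetical names, an in-memory dictionary stands in for the shared database, and the example assumes .NET 6 or later; it uses a random token from the system CSPRNG rather than a GUID, stores only its hash, and adds a 30-second lifetime that the post does not mention.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Added example: stand-in for the database that both web servers can reach.
public sealed class HandoffTokenStore
{
    private sealed record Entry(string User, DateTimeOffset Expires);

    private readonly ConcurrentDictionary<string, Entry> _rows = new();
    private readonly TimeSpan _lifetime;

    public HandoffTokenStore(TimeSpan lifetime) => _lifetime = lifetime;

    // Only a hash is stored, so a leaked table does not yield usable tokens.
    private static string Hash(string token) =>
        Convert.ToHexString(SHA256.HashData(Encoding.ASCII.GetBytes(token)));

    // Called on the first server after it has authenticated the user.
    public string Issue(string user, DateTimeOffset now)
    {
        string token = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
        _rows[Hash(token)] = new Entry(user, now + _lifetime);
        return token;
    }

    // Called on the second server: yields the user once, then the row is gone.
    public string? Redeem(string token, DateTimeOffset now)
    {
        // TryRemove is atomic, so two concurrent redemptions cannot both succeed.
        if (!_rows.TryRemove(Hash(token), out Entry? entry)) return null;
        return now <= entry.Expires ? entry.User : null;
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new HandoffTokenStore(TimeSpan.FromSeconds(30));
        DateTimeOffset t0 = DateTimeOffset.UtcNow;
        string token = store.Issue("alice", t0);                               // first server
        Console.WriteLine(store.Redeem(token, t0.AddSeconds(5)) ?? "rejected"); // first use
        Console.WriteLine(store.Redeem(token, t0.AddSeconds(6)) ?? "rejected"); // same token again
        string late = store.Issue("alice", t0);
        Console.WriteLine(store.Redeem(late, t0.AddSeconds(31)) ?? "rejected"); // after expiry
    }
}
```

The second server sets its own session cookie only when `Redeem` returns a user; the token should travel over HTTPS so it cannot be read in transit.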
One way which we have achieved the above (in our case 2 web applications
inside same url) is by making some minor changes to the SQL procedures in
ASP session state database.
This may not be an acceptable solution if you are co-hosting other websites
which are using session state in database...
Raj
If you can spend some money, a really nice performance
alternative that will definitely support this (I do just
what you are talking about across sites and across
a web farm) is scaleout stateserver
http://www.eggheadcafe.com/articles/scaleout_server.asp
Robbe Morris - 2004-2006 Microsoft MVP C#
Earn money answering .NET questions
http://www.eggheadcafe.com/forums/merit.asp
We are only hosting our own application.
The problem is that the client is given a new session id for every host.
That way there is no way the session data (including login information) can
be shared between hosts.
The only solution I see is adding a domain to the session-cookie (.mysite.com).
That way the client will use the same session id on all hosts in my domain.
/nisse
Hello Rajesh,
> One way which we have achieved the above (in our case 2 web
> applications inside same url) is by making some minor changes to the
> SQL procedures in ASP session state database.
> This may not be an acceptable solution if you are co-hosting other
> websites which are using session state in database...
> Raj
We are evaluating scaleout stateserver right now but it does not solve this
problem.
If the session-cookie is specific to a webserver (www1.mysite.com) he will
get a new session-cookie when he visits www2.mysite.com
The session-cookie must be domain-wide (by adding a domain- to the cookie).
/nisse
Hello Robbe Morris [C# MVP],
> If you can spend some money, a really nice performance
> alternative that will definitely support this (I do just
> what you are talking about across sites and across
> a web farm) is scaleout stateserver
> http://www.eggheadcafe.com/articles/scaleout_server.asp
Read my article more closely. The sample demonstrates
how to use scaleout's capability for sharing session
across different domains and different servers.
Robbe Morris - 2004-2006 Microsoft MVP C#
Earn money answering .NET questions
http://www.eggheadcafe.com/forums/merit.asp
"Nils Hedstrm" <Nisse@.online.nospam> wrote in message
news:abd22c7154d8e8c83fecff0de2eb@.msnews
.microsoft.com...
> We are evaluating scaleout stateserver right now but it does not solve
> this problem.
> If the session-cookie is specific to a webserver (www1.mysite.com) he will
> get a new session-cookie when he visits www2.mysite.com
> The session-cookie must be domain-wide (by adding a domain- to the
> cookie).
> /nisse
> Hello Robbe Morris [C# MVP],
>
>
Your code does not use the session id when fetching the data.
It will never work in a production environment.
I would prefer if the solution is "seamless"=you access the session in the
same way as you normally would.
/nisse
Hello Robbe Morris [C# MVP],
> Read my article more closely. The sample demonstrates how to use
> scaleout's capability for sharing session across different domains and
> different servers.