I am trying to fix an ASP.NET site that a friend had botched converting from older technologies. To the user, the site appears to have public and secured sections. Behind the scenes, the public and private sites are separate web applications with separate app pools. The difficulty arises because it appears that the applications share the same session IDs (when going from the public to the secured pages, the session ID remains the same), yet none of the (InProc) session variables are getting passed from the public site to the private one.
Basically, the workflow consists of the user checking a checkbox (“I agree” type of stuff) on the public site (let’s call that page http://www.boring.gov/iAgree.aspx), then logging in on the secured site (let’s call that page https://www.boring.gov/login.aspx). The commandments from the parent agency in DC are that the user may not bookmark the login page, the user has to click “I agree” every time they log in, and that the “I agree” stuff has to be on a separate page.
What am I missing?
How would you do it?
Notes:
1 – This is getting hosted on a single Windows 2003 server.
2 – Yes, it is a government agency.
3 – I would have done things very differently if I was doing the conversion, but I wasn’t brought in until the poop hit the fan, and it is too late to redo things.
4 – Two previous SO threads that appear to be related, yet don’t apply are this and that
You need to use a machine key in your web config file and it needs to be the same in both your applications. When a request is made for session info this machine key will cause it to fetch the same data. We use this in a load balancing scenario where the application needs to be getting the same session info regardless of which server is responding to the user request.
A typical key might look like this.
Check out this for more info.