Home/ Questions/Q 8102741
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-05T23:19:19+00:00

Quick question (and sorry if it’s already been asked, I have looked but couldn’t

  • 0

Quick question (and sorry if it’s already been asked, I have looked but couldn’t find it).

I have a webforms app which has a page that contains an iframe and serves up an MVC page.

I need to do the login authentication within the web app and to check in the MVC app that we are authenticated (I’m sure there are better ways, but sadly this is how it already is, it’s not my job to change it).

I know of various fudges to make this work, but is there a nice/correct way to achieve this?

thanks in advance

Daz

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Assuming that the WebForms and MVC apps are in separate solutions, but deployed to the same server,

    1. Make sure that your authentication mechanism is using FormsAuthentication.

    2. Place both the WebForms and MVC app on the same domain, i.e. example.com

    3. Edit the Web.config of both the apps and set <system.web><machineKey> to the same value. You can generate machine key via http://www.insitesystems.com/services/machine-key-generator.html

      — OR —

      leave out the machineKey of both the web.config to inherit from the parent web.config or machine.config on the server. (never tested this)

    4. Use the same <membership> and <authentication> settings. Having same membership settings allows you to sign in from both the apps, since users’ passwords are store in the same database. Having same authentication settings ensures that the same authentication cookies get submitted no matter whether it is sent to WebForms or MVC

    5. Add the following to your MVC controllers to output P3P header to force IE to accept cookies inside the IFRAME. Please customize the value, as your privacy policy is very likely different from mine. See http://www.p3pwriter.com/LRN_111.asp for details. (Alternatively, put it inside a base Controller class and inherit it from all your controllers.)

      protected override void OnActionExecuted(ActionExecutedContext filterContext)
{
    filterContext.HttpContext.Response.AddHeader("P3P", @"CP=""CAO PSD OUR CUR""");
    base.OnActionExecuted(filterContext);
}

    Edit

    On 2nd thought, step 5 is not needed, since both the main document and iframe comes from the same domain. The cookies thus should be considered first party, rather than 3rd party (which gets blocked by IE).

    • 0