Home/ Questions/Q 7915527
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-03T14:29:07+00:00

We have our production website in .net and a third party web app that

  • 0

We have our production website in .net and a third party web app that runs as a virtual application from the website. I have been tasked with maintaining the session time out between the website and the third party app. i.e. as long as the user is active on the third party app, the session stays alive so when they go back to the website even if it is after the 20 minute expiration, their session is still active. We’re using forms authentication in both the website and the app for session management and from what I’ve read I should be able to do this through settings in the web config. I have updated the authentication section of both webconfig files with

basically I am working with http://www.mydomain.com and http://www.mydomain.com/app/

    <authentication mode="Forms">
        <forms
           name=".ASPXFORMSAUTH"
           loginUrl="home.aspx"
           enableCrossAppRedirects="true"
           slidingExpiration="true"
           path="/"
           domain=".infinedi.net">
        </forms>

    </authentication>
    <machineKey
          validationKey="BDEA0BE471E4E2C24E5A9552AF232C3E7BF584DBEEAA1262CEE78CB5126FBBBE9E8007DB5ED8357FEE5C2C5B6FF3FC7D34C7CEA54DE3790560FCDEBF44415804"
          decryptionKey="2E31C984223964655C203E3A91AF139B1AE0A964F1475E204E6AACE62840EAB0"
          validation="SHA1"
          decryption="AES"
          />

but this didn’t do the trick. When watching with fiddler I can see that as soon as i go in to the third party app, I get a new .ASPXFORMSAUTH session which I suspect is why the website session times out. Is doing this through the webconfig even possible or is there a different direction I should be going?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I think the problem you’re having is because ASP.NET assigns a new Session ID per application. Even if you have the same cookie name and encryption parameters, the internally generated session ID will be different. You might be able to get around this by manually detecting an existing session and updating the session ID. This used to be a common work around for flash-based file uploaders because Flash didn’t send the appropriate cookies so the upload handler on the server side couldn’t identify the user’s existing session.

    http://snipplr.com/view/15180/

    Using the example code at the above URL, the flash app would post to a URL containing the session ID in the query string, which the BeginRequest handler would detect and update the Request.Cookies collection. I haven’t tested this, but you may be able to modify the code a bit to detect the existing cookie from the parent app.

    As an alternative, see: Sharing sessions across applications using the ASP.NET Session State Service

    • 0