1 login for 2 separate secure apps on the same server - is this possible?

Todd

I have two secure applications that reside on the same server. I am
still learning .Net as I go, so I could use some help. I want to be
able to log in to the first application, then when I have found the
specific piece of info I need, I would like to click a link that would
launch the second application. The second application also has a
security login feature, but by clicking the link I want to pass my
security info from Application 1 to Application 2 - thus allowing the
user to bypass a second login. Basically, log in once and jump back
and forth to both applications without ever having to log in again
until the user closes their browser. Is this possible?

Both applications make a call to a stored procedure passing in the
username and password. If the values in the DB match what the user
supplied, then a dataset is returned to the application that contains
all the necessary rights for that user. I created an object in .Net
and populate its properties with the info returned in the dataset.
Then I use a session variable to keep the object in memory. On every
page I go to, before any code executes I check to make sure that the
object exists and the user has the necessary rights to be on that
page. Both applications call the same stored procedure, both return
an identical dataset, and both apps have the same exact user Object
that is kept in the session. I would think with a few tweaks or
adjustments I should be able to have the 1 login, then pass this user
object back and forth (or at least copy it) to each application? Is
this possible? I would prefer to avoid using cookies and would like
to make this object arrangement work between the two apps.

Any help would be appreciated. Thank you.
 
Todd

This might involve setting the appropriate scope (Global, Public,
etc?) to an object, something I am not too familiar with. Is it
possible to set scope to allow an object from one application to be
"seen" by another application on the same server? Example: App1 runs
and creates an object. Then App2 is started, and upon startup wants
to read the values associated with the object that was created in
App1. Is this possible? Specific syntax or examples would be helpful
- thank you.
 
Todd

This is how I solved my issue: User logs into application 1 and the
security rights get assigned to SecurityObject1 in App1. User clicks
a button in App1 that will link to App2. On button click in App1
three things happen:
1) a call is made to a secured SQL table and any records that are on
this table where the user name is equal to App1's SecurityObject user
name are deleted.
2) a new, fresh record is inserted into this same SQL table. All
customer information and security information for the logged in user
is inserted. By doing the delete in step 1, I can be sure that only
current information exists in this table.
3) User gets redirected to the login page for App2. The redirection
link will contain a couple of unique URL variables, such as
http://app2/login.aspx?LinkingApp=t&SecuredUser=*App1 SecurityObject
logged in user*. Code on the page load event for App2 has logic that
looks for these URL variables - if they exist then a small block of
code executes these 3 steps:
1) call the SQL table and get the record where the user name equals the
URL.App1 SecurityObject Logged in User.
2) take the record returned from this query and dump all the customer
information into a dataset in App2, and copy each of the security
properties into the security Object in App2. At this point I now have
a valid security object existing in App2 - the same exact user that
was logged into App1. Plus, I have forwarded all the customer
information as well.
3) The last step is to delete the record from the SQL table where the
user name equals the URL.SecurityObject Logged in User. From here on
out I can let App2 run its normal code to check for the security and
the customer information.

I use SQL server to act as a bridge between App1 and App2, passing all
the information through SQL. By doing these steps in this order, I
should never have a record left on the SQL table containing customer
or security information - it is always deleted at the very beginning
and at the very end of the process. The record probably only exists
in SQL for a couple seconds at the most. Even if I have a rogue user
that types out a URL with the variables, and inputs a user's name in
the respective URL variable, they will not gain access. The code will
take the name they supply and query the SQL table - no information
will be found (remember, the record was deleted as the last step when
a VALID user passed information into App2). The normal flow of code
in App2 will check to see if the security object has the proper rights
- which it will not because it has not been populated from the SQL
table. The user will get redirected to the login page.

I never like it when I have to answer my own posts, but I'm glad this
issue is behind me. Questions/comments? Go for it.
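
The hand-off described in this post, sketched as an added example (not the poster's code) in Python, with SQLite standing in for the two .NET apps and the SQL Server table. It generalizes the design in one respect: the row is looked up by a random single-use token with a short expiry instead of by user name, so a known user name cannot claim the row during the seconds it exists. The table layout, function names and 30-second lifetime are assumptions.

```python
import hashlib
import json
import secrets
import sqlite3
import time

TTL_SECONDS = 30  # assumed lifetime of a pending hand-off

def open_bridge():
    """Shared table both apps can reach (SQLite stands in for SQL Server)."""
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute("CREATE TABLE handoff (token_hash TEXT PRIMARY KEY, "
               "user_name TEXT NOT NULL, rights_json TEXT NOT NULL, "
               "expires_at REAL NOT NULL)")
    return db

def _digest(token):
    # Only a hash is stored, so reading the table does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

def issue_handoff(db, user_name, rights, now=None):
    """App1: drop stale rows, insert a fresh one, return the token for the URL."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # unguessable, unlike a user name
    db.execute("BEGIN IMMEDIATE")
    db.execute("DELETE FROM handoff WHERE user_name = ? OR expires_at < ?",
               (user_name, now))
    db.execute("INSERT INTO handoff VALUES (?, ?, ?, ?)",
               (_digest(token), user_name, json.dumps(rights),
                now + TTL_SECONDS))
    db.execute("COMMIT")
    return token

def redeem_handoff(db, token, now=None):
    """App2: read and delete the row in one transaction; None means normal login."""
    now = time.time() if now is None else now
    key = _digest(token)
    db.execute("BEGIN IMMEDIATE")  # write lock: two redeemers cannot both read it
    row = db.execute("SELECT user_name, rights_json, expires_at "
                     "FROM handoff WHERE token_hash = ?", (key,)).fetchone()
    db.execute("DELETE FROM handoff WHERE token_hash = ?", (key,))
    db.execute("COMMIT")
    if row is None or row[2] < now:
        return None  # unknown, already used, or expired
    return {"user_name": row[0], "rights": json.loads(row[1])}
```

App1 would redirect to App2 with the returned token as the only query parameter, and App2 would send the browser to its normal login page whenever `redeem_handoff` returns `None`.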
 
