how to implement single sign on in .Net?

Question

What is the best solution to implement single sign on in a .net application? I have googled and found few solutions but I am not very convinced with those solutions.

Use

Answer 1

I'm assuming that you don't want to use Windows Authentication with Active Directory, etc. One method is to hand over from one authenticated session to the other using a security token on the query string, as you describe.

Both applications use the same public encryption key to encode/decode the security token. As you say, this works fine if you have limited, predefined transition links between the sites but if you want to be able to use any page links between the apps you would need to generate those urls on the fly so that they contain the token.

The way you deal with timeouts is that the security token also contains an expiry time. You generate a new security token each page request, or when you create a new link between apps.

Typically the security token contains a userid and a timeout and the login checker either returns the userid or null if the timeout has expired.

It's not a quick solution to code up properly and securely. Maybe you can find a pre-built one on Code Project?