Sharing Cookieless Sessions Between Multiple Applications in ASP.NET
I figured out how to share cookieless session data across ASP.NET applications today. Here’s a little background:
I’ve got a big client that is basically an umbrella for a number of different projects. Even though all of these projects are more or less separate, their users are mostly the same. At one point, years ago, it became a huge mess of having separate user accounts and passwords to keep track of, so we created a unified system to handle the logins. You log into the unified system once, and you can enter any application from it directly.
In the past year, we’ve been working on rewriting many of these applications in ASP.NET (they were previously all VB6 ASP). One of the requirements of the client (a state organization) is that we must never at any point use cookies or sessions to store anything. ASP.NET has this cool cookieless session functionality that stores everything server-side in a database. I had previously been doing the exact same thing manually in my app (which was a huge PITA), but .NET handles it for me now. Cool deal, but I just discovered this morning that when you change to a separate web application (I think this is defined as either having a new web.config file, or a separate application definition in IIS), you get a brand new session ID, and can’t carry over any of the data (like the user you’re logged in as), therefore making my unified login useless.
The solution to this problem ended up being twofold. First, I had to replace the cookieless session scripts and tables that Microsoft provides with some custom entities. Second, I had to do a little sleight of hand in my application to transfer with the session ID intact.
The first step came from an article at my arch nemesis, The Code Project. I hate them so because they always come up with something pertinent at the top of a Google search, but I’m foiled by their required registration. A quick visit to BugMeNot marked our amends and I found myself faced with a dubious and undocumented SQL script. Don’t let the frustrated comments, poor rating, and broken English of the author fool you; this script works.
To set it up, do the following (assumes you’re already using cookieless sessions with database storage):
- Shut down IIS
- Open the AspStateTempApplications table in tempdb
- Copy out the AppNames
- Run the script from Code Project
- Open the ASPStateApplications table in ASPState
- Paste the AppNames in with the same value for all in AppGroup
- Reboot your web server (I couldn’t figure out a better way for it to flush AppIDs)
Once done, instead of using the AppID for the AppName to append to the SessionID, it will use an app entry with the name of the AppGroup you chose. This means that all the applications will have the same suffix on their SessionID, and can share that session. Without this, even if they visibly have the same SessionID in their URL, it actually gets saved with a different prefix and is treated as an entirely separate session.
The second step is easy: you’ll just need to build a custom redirect URL so it transfers over the SessionID. Something like this should work fine (e.Args["ApplicationUrl"] is my application name that it’s transferring to):

```csharp
// Build the target URL with the current SessionID embedded as a path segment,
// so the destination application picks up the same cookieless session.
// Note: Request.Headers["Host"] is whatever host name the client sent.
string applicationUrl =
    "http://" + Request.Headers["Host"].ToString()
    + "/" + e.Args["ApplicationUrl"].ToString()
    + "/(" + Session.SessionID + ")"
    + "/";
```
Then you’re all set, share away! Due to the low reputation of that script on Code Project, I’ve archived it here in case that page goes down. The original author is somebody named SampoSoft.
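
A stricter version of the redirect builder, as an added example that is not part of the original post: it takes the host from configuration instead of the client-supplied Host header, accepts only known application names, and checks the session ID format before placing it in the URL. `TrustedHost`, `AllowedApps`, the application names and the switch to `https://` are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

public static class SessionTransfer
{
    // Assumption: host name fixed in configuration, not read from the request.
    private const string TrustedHost = "portal.example.org";

    // Assumption: names of the applications that were placed in the same AppGroup.
    private static readonly HashSet<string> AllowedApps =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Reports", "Billing" };

    // ASP.NET session IDs are 24 characters drawn from a-z and 0-5.
    private static readonly Regex SessionIdPattern =
        new Regex(@"\A[a-z0-5]{24}\z", RegexOptions.CultureInvariant);

    public static string BuildTransferUrl(string appName, string sessionId)
    {
        // Reject anything that is not a known application, so the name cannot
        // carry path traversal or point the redirect at another host.
        if (appName == null || !AllowedApps.Contains(appName))
            throw new ArgumentException("Unknown target application.", "appName");
        if (sessionId == null || !SessionIdPattern.IsMatch(sessionId))
            throw new ArgumentException("Malformed session ID.", "sessionId");

        // Same URL shape as the post: /<application>/(<SessionID>)/
        // The session ID in the URL acts as the login, so it is sent over TLS.
        return "https://" + TrustedHost + "/" + appName + "/(" + sessionId + ")/";
    }

    public static void Main()
    {
        // Constructed sample value, not a real session ID.
        string id = "abcde01234fghij50123klmn";
        Console.WriteLine(BuildTransferUrl("Reports", id));

        // Constructed inputs that must be refused.
        foreach (string bad in new[] { "../admin", "Reports/evil.example" })
        {
            try { BuildTransferUrl(bad, id); }
            catch (ArgumentException) { Console.WriteLine("rejected: " + bad); }
        }
    }
}
```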
