Passing session data between ASP.NET web applications

Question

I'm trying to help a friend - they have a pretty big web application (ASP.NET 4.0, Visual Basic) that has a number of subfolders that all act as quasi sub-applications (but they're just subfolders of the main application). This application will be split up into multiple independent web application because in its current form it's hard to maintain and develop any further.

The problem is that the current monolithic application uses a number of session variables for things like user information (after logon, etc.) I wonder if there's an easy way to share this information securely among the future multiple web applications (which will obviously have independent sessions). Session state is stored in SQL Server. The users of the current web application are all external users and not all users have access to all "sub-applications".

I'm looking for some advice about these two things:

1. I already did some searching and found single-sign-on - this seems to solve the problem of authentication across these applications but I'm unfamiliar with it and I don't understand how the authentication information is deleted if the "session" expires, since the different web applications will have different sessions. Is is possible to log out a user from all web applications once the session expires in one of them?

2. I suspect (but not sure) that there may be some other session data on top of the authentication information that may need to be shared after the split. What would be the best way to do this (again reliably and securely)?

I found this article about passing IDs (to database records that would hold the shared data) and wonder if it's good.

All advice would be appreciated.

PS: I found a number of threads here on SO about this but I don't believe any of them answer these specific questions. The most helpful I found was this one:

Sharing data between ASP.NET applications

Answer 1

Eventually I found the solution to this problem and I'm leaving it here as reference to others:

StateServer uses a windows service (ASP.NET State Service) which handles the sessions in memory. This uses the MachineKey, AppDomainAppID as well as the SessionID to uniquely identify an application.

• Set the same MachineKey in web.config to be the same for all applications under the site.
• Add code in Global.asax Init() to set AppDomainAppID to be the same for all applications.
• Implement ISessionIDManager and return custom Session ID to be re-used in the sub-applications.

The following links provided the information to the actual implementation I did:

• Sharing session state over multiple applications
• Maintain the same session ID over multiple applications using state server
• Sharing sessions over applications