Auth methods in ASP.NET

Jun 2, 2008
I have a few questions on how to approach this.

We have an LDAP server/corporate site and we are developing an ASP.NET app.

What I want to do is, once a user logs onto our corporate site, to be able to try to log onto our ASP.NET app. (We have the method for capturing the LDAP username.)

So say a user logs onto our corporate site.

Now the user wants to visit the ASP.NET site.

The ASP.NET site catches the user name and reads our database.

If the user exists, allow them on the site with the role attached to that user; if not, route them to a Not Authorized page.

What I'm wondering is if I should use cookies or some kind of session variable?

Right now I'm using cookies with forms authentication but it seems kind of redundant as the corporate site already has a cookie in place.

What I really want to do is give this site a single sign on feel.
 

sourceninja

What we do here (not an ASP shop, mind you) is use token-based authentication. We trust our own servers, so if you log into our main site, then when you click links that take you to apps on other servers, a token is sent verifying you are authenticated, and your user name is also sent. Works well for us.
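
An added example, not code from this thread or from any poster's site: one way the receiving ASP.NET app could check a handoff token like the one described above, using an HMAC over the user name and an expiry time. It assumes the portal and the app share a secret key; `SsoToken`, `Issue`, `Validate`, the user name and the demo key are all hypothetical or constructed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class SsoToken   // hypothetical helper, not from the thread
{
    // Portal side: token = base64url(user|expiryUnix) + "." + base64url(HMAC-SHA256 of that payload).
    public static string Issue(string user, DateTimeOffset expires, byte[] key)
    {
        byte[] payload = Encoding.UTF8.GetBytes(user + "|" + expires.ToUnixTimeSeconds());
        using (var mac = new HMACSHA256(key))
            return Enc(payload) + "." + Enc(mac.ComputeHash(payload));
    }
    // App side: returns the user name, or null when the token is malformed, forged or expired.
    public static string Validate(string token, DateTimeOffset now, byte[] key)
    {
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 2) return null;
        byte[] payload, sig, expected;
        try { payload = Dec(parts[0]); sig = Dec(parts[1]); } catch (FormatException) { return null; }
        using (var mac = new HMACSHA256(key)) expected = mac.ComputeHash(payload);
        if (!SameBytes(expected, sig)) return null;   // verify the MAC before trusting any field
        string text = Encoding.UTF8.GetString(payload);
        int sep = text.LastIndexOf('|');
        if (sep < 1 || !long.TryParse(text.Substring(sep + 1), out long exp)) return null;
        return now.ToUnixTimeSeconds() < exp ? text.Substring(0, sep) : null;
    }
    static bool SameBytes(byte[] a, byte[] b)         // comparison time does not depend on content
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    static string Enc(byte[] b) => Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    static byte[] Dec(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s + new string('=', (4 - s.Length % 4) % 4));
    }
    public static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key-not-for-real-use"); // constructed
        DateTimeOffset now = DateTimeOffset.UtcNow;
        string token = Issue("jdoe", now.AddMinutes(2), key);                    // constructed user
        Console.WriteLine(Validate(token, now, key) ?? "rejected");              // valid token
        Console.WriteLine(Validate(token + "A", now, key) ?? "rejected");        // altered signature
        Console.WriteLine(Validate(token, now.AddMinutes(5), key) ?? "rejected"); // past expiry
    }
}
```

The token should travel only over HTTPS and carry a short expiry, because a captured token is accepted until it expires. After `Validate` returns a name, the app would still look the user and role up in its own database, as the original question describes.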
 

techfuzz

If this is all internal and you have an Active Directory-based network, you can enable Windows Authentication for your site and use NTFS permissions (security groups) to restrict access to files/directories.

If it's external and your corporate site and ASP.NET application are in the same domain, use forms authentication and cookies. Set the domain of the cookie to be ".domain.com". You can then read the cookie from both your corporate site and ASP.NET application.

If the site and application are in different domains, you're SOL.

techfuzz