I'm trying to help a friend - they have a pretty big web application (ASP.NET 4.0, Visual Basic) that has a number of subfolders that all act as quasi sub-applications (but they're just subfolders of the main application). This application will be split up into multiple independent web applications because in its current form it's hard to maintain and develop any further.
The problem is that the current monolithic application uses a number of session variables for things like user information (after logon, etc.). I wonder if there's an easy way to share this information securely among the future multiple web applications (which will obviously have independent sessions). Session state is stored in SQL Server. The users of the current web application are all external users and not all users have access to all "sub-applications".
I'm looking for some advice about these two things:
1. I already did some searching and found single-sign-on - this seems to solve the problem of authentication across these applications but I'm unfamiliar with it and I don't understand how the authentication information is deleted if the "session" expires, since the different web applications will have different sessions. Is it possible to log out a user from all web applications once the session expires in one of them?
2. I suspect (but am not sure) that there may be some other session data on top of the authentication information that may need to be shared after the split. What would be the best way to do this (again reliably and securely)?
I found this article about passing IDs (to database records that would hold the shared data) and wonder if it's good.
All advice would be appreciated.
PS: I found a number of threads here on SO about this but I don't believe any of them answer these specific questions. The most helpful I found was this one: