There exists a web application that operates on a IIS6 ASP.Internet server. You have to be drenched directly into make use of the software. Essentially whenever you login a cookie is produced when you visit subsequent pages they check for your cookie if it's not there then you're rerouted to login.

You want to implement a MediaWiki server using Linux/PHP (Light) use a "wiki" formatted help section for the customers. However, you want to only allow access from people who are drenched to the software.

Therefore we have software.company.com (Home windows/IIS6/ASP.Internet server) that you simply login and navigate to the help which redirects you to definitely kb.company.com (Linux/Apache/PHP server).

My ideas will be to make use of the same kind of "cookie" looking into the linux server, but I am unsure ways to get the Home windows IIS box to pass through an expression or something like that towards the Linux server saying "hey this user is drenched in so produce a cookie on their behalfInch.

Anybody do anything whatsoever such as this? I might be completely missing the boat during my thinking...

The issue here's concerning how to tell the kb.company.com site the inbound user is truly authenticated and drenched into support.company.com.

There exists a much the same setup. There exists a merchant portal and there exists a private knowledgebase wiki site.

To transfer customers to the wiki site there exists a special link that demands a webpage on support.company.com which creates a blob of information along with a session key (for instance a guid or two) that's endured to some "session transfer" database table that's available to both sites.

Then we Response.Redirect() the consumer towards the wikisite with this particular key, for instance:

http://kb.company.com/DoLogin.aspx?session=E97DDE8D-1C57-4450-ABE4-72E2054A1C82

Within the wiki (we modified ScrewTurn wiki slightly) we've Forms Authentication switched on and deny use of anonymous customers. The DoLogin.aspx grabs the session value in the query string after which searches for the record saved within the "session transfer" table. If there is a match only then do we authenticate the consumer and remove the session transfer record.

The session transfer record can also be time and date placed and it is permitted an eternity of 90 seconds then a cleanup task will remove the record.

Instead of pass the session key value through the querystring you can pass this using a cookie in which the cookie domain is placed to company.com:

HttpCookie cookie = new HttpCookie("session", "<guid>");
cookie.Domain = "company.com";

Further touches is always to secure the cookie value perform some hashing and appearance for tampering on the other hand from the transfer. Nevertheless the content within our wiki is not terribly valuable (none from it is editable through the consumer), we simply desired to repel casual passer's by, which works all right for all of us.