Transfering data between webapps using a cookie

At this moment I am working on coupling two different applications. A custom one and the beta forums. What I want to do is use an own user database to authenticate users in the forum app. The forums use forms authentication to log on users. In a previous post I demonstrated how to work with forms authentication without popping up a login dialog. The next step was to bring the user credentials from my app to the forum.

There are several ways to store state in a web app:

  • Viewstate. Limited to one and the same webpage.

  • Application object. Limited to an instance (in a web-farm or garder there are multiple instances) of the application

  • Session. Limited to the session of one application. At first sight I had expected the state to be shared by multiple applications within one session. Which is not the case.

  • Cookies.  Limited to one and the same webuser. Which is what I need.

There are far more way to handle this. James Beine suggested a webservice to manage state. Which would be perfect but somewhat of an overkill for this scenario.

The idea is to set up the cookie when the user logs into the app.

HttpCookie ck = new HttpCookie(“MyCookie”);
ck.Values.Add(“userName”, TextBox1.Text);
ck.Values.Add(“pwd”, TextBox2.Text);
“email”, TextBox3.Text);

The authentication page used in the forum will check for this cookie.

const string myCookieName = “MyCookie”;

System.Web.HttpCookie ck = Request.Cookies[myCookieName];

if (ck != null)
    forumsUser = new
    forumsUser.Username = ck.Values[“userName”
    forumsUser.Password = ck.Values[“pwd”
    forumsUser.Email = ck.Values[“email”
    forumsUser.IsAnonymous = false;

    Response.Cookies[myCookieName].Expires = DateTime.Now.AddYears(-1);
    Request.Cookies[myCookieName].Expires = DateTime.Now.AddYears(-1);

    if (AspNetForums.Users.ValidUser(forumsUser) == AspNetForums.Enumerations.LoginUserStatus.Success)
       System.Web.Security.FormsAuthentication.SetAuthCookie(forumsUser.Username, false);


This is some condensed demo code, I’ll leave the full story for a next time. Here I’ll concentrate on the cookie. Once used the cookie should be deleted, else the user would be granted access to the forum without ever rechecking his credentials again. To delete the cookie I experienced some difficulties. This is what I think is going on, please comment if I’m wrong. I’ll be most happy to update.

  • The cookies collection of request and response have a remove method. This method does not seem to work ?

  • In a second approach I tried to set the expiration datetime of the cookie at cookie creation. Which works fine when you’re working on one machine (with a localhost) but is a disaster in real life. The expiration time set is using the server’s clock. Whether the cookie is sent again by the browser is determined by the browsers clock. These clocks are most likely to be (totaly) out of sync.

  • When you set the expiration of an existing cookie to sometime long ago, the cookie will be gone

  • You have to set the expiration of the cookie in the response and in the request. Else the non-expired cookie will be copied from the request again ?

How cookies are exactly handled in the cycle of processing a request is not completely clear to me. Interesting is to see what happens if the request gets redirected. Suppose you set a cookie, fill it with some value and redirect to another page from code. While handling that page you will see that the cookie is set. But the values contained are all empty. I conclude that a cookie can not be consumed until the next roundtrip.


This entry was posted in Uncategorized. Bookmark the permalink. Follow any comments here with the RSS feed for this post.
  • Scott Galloway

    Worth remembering the limitations of cookies – and that these vary by browser, this is a good basic guide:

    300 Cookies total

    20 Cookies per server (not per page or site)

    4K of data Per cookie (both the name and value of the cookie count towards this limit)

    Taken from here: