Authenticate Web User in background via IFRAME

Published 2019-06-08 18:20

Question:

I have 2 Websites (ASP .NET MVC3) and both have their own authentication methods.

The idea is to link the users from the Website #1 with the users accounts of the Website #2.

I have no clue how it might be done technically.

What I think is about a sort of "background" login but how it can be done?

I just need some draft of possible correct solutions.

Basically we can add the Map Table into the Website #2 and check if the WebSite#1UserId is there and if not show the popup to login/register for the Website#2.

But if we do it, e.g. in an iframe, will it work? So we would be able to log in to both websites at the same time: the first login goes through the "normal" flow and we have some extra code that logs in the UserID from the mapped table and performs the "background" login for the second website...

Or do I even have to write code to play around with the cookie of Website#2?

So I am not sure about the proper solution. But I see the following options:

A. Use hidden iframe and simulate the "background" login.

B. Use pure C# code within login method of the WebSite#1 and use SOMEHOW (POST,GET,... ?) to get logged in to Website#2 and get access to all its pages.

Thank you!

P.S. Is it possible to use this solution: "Dummy form to submit like the real login form" + http://msdn.microsoft.com/en-us/library/bb310861.aspx

and there is another solution: "Login to website, via C#"

Answer 1:

Even if you're using custom auth, as long as both websites can share cookies, you can customize MVC to login based on the authentication scheme of the other site. You can build off of this answer on StackOverflow. Again, this requires that both websites can share cookies, which means they are either both on the same subdomain or both directly on the domain (no subdomain at all), or they are on different subdomains on the same domain and cookies are set on the domain itself as a wildcard.

If that doesn't work for you, then you have to create a sort of affiliation network between all the sites. Think of how Google does logins. All authentication goes through accounts.google.com. If a site on the network, say youtube.com, needs to authenticate you, it redirects you to accounts.google.com. There, you log in, and you are then redirected back to the originating site with some identifying token indicating that you are logged in and granting the site the ability to fetch your user details. The site, youtube.com, in this scenario, uses that token to request your user information from accounts.google.com, most likely through a backend API, and poof, you look like you're logged in on YouTube, when in actuality you're not. There's a good primer on the methodology here along with sample code in the second article in the series.
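The token handoff in the answer above, reduced to its signed-token part as an added example in Python (not code from the question, the answer or the linked articles, and language-agnostic rather than ASP.NET specific): the central account site issues a short-lived HMAC-signed token bound to one relying site, and the relying site checks signature, audience, expiry and single use before treating the user as logged in. The shared secret, field names and in-memory nonce set are assumptions for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed secret for the example only; in practice each relying site
# gets its own key, stored server-side on the account site and the relying site.
SHARED_SECRET = b"example-shared-secret-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, audience: str, now: float, ttl: int = 60) -> str:
    """Account site: sign a short-lived handoff token for one relying site."""
    payload = {"sub": user_id, "aud": audience, "exp": int(now) + ttl,
               "nonce": secrets.token_hex(8)}          # nonce makes the token single-use
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SHARED_SECRET, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_token(token: str, expected_audience: str, now: float,
                 seen_nonces: set) -> Optional[str]:
    """Relying site: return the user id if the token is valid, else None."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None                                     # malformed token
    expected = hmac.new(SHARED_SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):          # constant-time compare
        return None                                     # forged or tampered
    payload = json.loads(body)
    if payload.get("aud") != expected_audience:         # issued for another site
        return None
    if payload.get("exp", 0) < now:                     # expired
        return None
    if payload["nonce"] in seen_nonces:                 # replayed token
        return None
    seen_nonces.add(payload["nonce"])
    return payload["sub"]
```

The relying site would then use the returned id to look up or create its local account (the "map table" from the question) and set its own session cookie.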