jme1234
Member
23 Points
26 Posts
Re: SSO with Web API
Mar 21, 2012 04:18 PM
There are 3 applications involved here: the original ASP.NET site; the Web API, which will be on the same domain; and then a JSP site, on a different domain entirely - not a subdomain, not even the same environment.

I have to have the auth service in the Web API, which will take a username/password and verify it against our database (which both the original site and the Web API will use). The JSP website will have a login page that will be calling this Web API service for authentication (it will not have its own), and the service will need to return to it some kind of token (either one I generate myself or in some other way). Then, when the JSP website needs to redirect to the original ASP.NET site (not the Web API) for a page there, it obviously needs to send the same token to the ASP.NET site to ensure the user is logged in to it already, without having to go to the login page of the original ASP.NET site first. (I'd like for it to first post the token to an HttpHandler or something on the ASP.NET website, and for that to decrypt it; if the user is logged in - basically, if it could be decrypted - then it will redirect the user to the page they wanted to go to on the ASP.NET website from the JSP one.)

It seems this should be a viable solution, and if so, couldn't I just, in the Web API auth service, call FormsAuthentication.GetAuthCookie(username, false), extract the value (the token) from that cookie and return it in the auth service's JSON response? ...and then the JSP site can store that token in session, and when the user needs to navigate from the JSP site to the original ASP.NET site, it can pass along that token, and the ASP.NET site can call FormsAuthentication.Decrypt(token); if it returns something and it isn't expired, that means the user is validly logged in?
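As an added example (not the poster's code or anything from this thread), here is what the two halves of the design above could look like in C#: the Web API side issuing a short-lived forms-auth ticket as the token, and the HttpHandler on the ASP.NET site that decrypts it, checks expiry, sets the normal auth cookie and redirects. It assumes both apps share the same machineKey; the handler path, the UserData marker and the form field names (token, returnUrl) are my own choices.

```csharp
using System;
using System.Web;
using System.Web.Security;
// Added example, not the poster's code. Assumes the Web API and the ASP.NET
// site share the same <machineKey> in web.config; otherwise Decrypt() fails.
public static class SsoTokens
{
    // Issued by the Web API auth service after the username/password check.
    // A short-lived ticket is built instead of reusing GetAuthCookie(), so the
    // handoff token expires in minutes and is marked (UserData) as SSO-only.
    public static string Issue(string userName)
    {
        var now = DateTime.UtcNow;
        var ticket = new FormsAuthenticationTicket(
            1, userName, now, now.AddMinutes(2), false, "sso-bridge", "/");
        return FormsAuthentication.Encrypt(ticket);
    }
    // Returns the ticket only if it decrypts, is unexpired and carries the
    // SSO marker; null otherwise (a plain session ticket is rejected).
    public static FormsAuthenticationTicket Validate(string token)
    {
        if (string.IsNullOrEmpty(token)) return null;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(token); }
        catch (ArgumentException) { return null; } // malformed or tampered
        if (ticket == null || ticket.Expired) return null;
        return ticket.UserData == "sso-bridge" ? ticket : null;
    }
}
// Handler on the original ASP.NET site that the JSP site posts the token to
// (registering it as e.g. /sso.ashx in web.config is left to the reader).
public class SsoHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        // HTTPS and POST only: keeps the token out of URLs, referrers and logs.
        if (!ctx.Request.IsSecureConnection || ctx.Request.HttpMethod != "POST")
        { ctx.Response.StatusCode = 400; return; }
        var ticket = SsoTokens.Validate(ctx.Request.Form["token"]);
        if (ticket == null) { ctx.Response.StatusCode = 401; return; }
        FormsAuthentication.SetAuthCookie(ticket.Name, false); // normal login
        // Redirect only to a local path so the handler is not an open redirect.
        var target = ctx.Request.Form["returnUrl"] ?? "/";
        if (!target.StartsWith("/") || target.StartsWith("//") || target.StartsWith("/\\"))
            target = "/";
        ctx.Response.Redirect(target, false);
    }
}
```

The ticket is not bound to the client that received it, so anyone holding it within its lifetime can complete the handoff; that is why the lifetime is minutes rather than the site's normal session timeout.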