Niraj Bhatt – Architect's Blog

Ruminations on .NET, Architecture & Design

Category Archives: Uncategorized

Client Profitability vs. Practice / Company Profitability

This post is a beginner's introduction to a few business terms I have been dabbling with these days. The thoughts below relate primarily to software services, but I think they would be of help in any service industry.

Having run a startup earlier, I have always cared about margins, which are necessary for the healthy growth of a business. Before getting into a customer engagement, getting your margins (simply put, your profits) right is very important, for both fixed-bid and T&M (Time and Materials) projects. Apart from resource costs, you also need to take into consideration other costs like T&E (Travel and Expenses) and call them out separately.

Keeping the above in mind, the profit you derive from a given customer project is called Customer or Client Profitability (CP), usually measured as a percentage. So, is good CP all that a company should care about? Of course not. While you might have a high CP, it is still possible that the overall company or practice is making a loss. Let's see how.

The common reason for the discrepancy is overlooking fixed costs. For instance, you incur salary costs irrespective of whether your resources are allocated (billable) to a project or not (e.g. the project you signed up for ended after 5 months), and you still have to pay rent, infrastructure bills, etc. All of these expenses fall under the larger category called SG&A (Selling, General and Administrative Expenses), which includes advertising, sales, taxes, training, corporate functions, etc. In short, Practice Profitability (PP) is not the sum of the various CPs; rather, it is the sum of CPs minus SG&A.

It should be clear by now that the only way to grow your business is to increase CP without proportionally increasing SG&A, i.e. do more with less. Most budget planning exercises in corporate companies revolve around this agenda. One way to achieve this is to move away from RFR (Resource Following Revenue) to non-linear revenue models, shifting the focus from services to products.

Hope this was useful in putting these terms into the right perspective.

Single Sign On via Cookie Sharing for Sub Domains using ASP.NET

ASP.NET supports Forms Based Authentication (FBA). FBA requires that a user logged in to the site carries an .ASPXAUTH cookie. If the cookie stored on your computer is persistent, it bypasses the login screen the next time you access the site. This happens because every time you send a request to a site, all the cookies stored for that site on your computer travel along with the corresponding HTTP request. This holds true not only for the site itself, but also for any sub domains of that site. For example, if you have a persistent cookie stored for the domain abc.com, the authentication cookie is sent not only to abc.com, but also to xyz.abc.com and pqr.abc.com.

So the question is: how do you set the domain name for an authentication cookie in ASP.NET? Pretty simple: use the GetAuthCookie method of the FormsAuthentication class.

using System.Web;
using System.Web.Security;

HttpCookie httpCookie = FormsAuthentication.GetAuthCookie( "someuser", true ); // true = persistent cookie
httpCookie.Domain = "somedomain.org"; // scope the cookie to the parent domain so its sub domains receive it
HttpContext.Current.Response.Cookies.Add( httpCookie ); // add the auth cookie to the response
Response.Redirect( FormsAuthentication.GetRedirectUrl( "someuser", true ) ); // continue to the originally requested page

Note the second parameter passed to GetAuthCookie: 'true'. This creates a persistent cookie. This cookie is sent to all sites in the same domain and so bypasses the login screen there. Also, it is the machineKey which is used to generate (encrypt / decrypt) the authentication cookie. Hence, you need to ensure that the machineKey is the same for all the applications which are part of your SSO solution, as shown below:

<system.web>
<machineKey validationKey="64Bytes" decryptionKey="24Bytes" decryption="3DES" validation="SHA1"/>
</system.web>

You can find more details on how to generate these keys, along with the difference between decryptionKey (used for the authentication ticket) and validationKey (used for viewstate), here.

Finally, the GetAuthCookie code won't work if the machine name where you are running the application and the domain name set on the cookie don't match. To get around this you might have to edit your 'C:\Windows\System32\drivers\etc\hosts' file and provide an alias. And that's it: you are all set with your SSO solution.
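The steps above (issue a persistent cookie, scope it to the parent domain, share the machineKey) pulled together into one helper, as an added example that is not code from the original post. The class and method names, the parent domain "example.org" and the host names are assumptions; the only ASP.NET APIs used are FormsAuthentication.GetAuthCookie, FormsAuthentication.Decrypt, FormsAuthentication.FormsCookieName and FormsAuthentication.RequireSSL. The Validate method is what each sub domain application runs, and it only succeeds when that application's web.config carries the same <machineKey> as the login site; IsSentTo shows the browser-side scoping rule the whole scheme rests on, which is also why every application hosted under the parent domain receives the ticket and must therefore be trusted with it.

```csharp
// Added example (not from the original post). Assumed names: SubdomainSsoCookie,
// Issue, Validate, IsSentTo and the domain "example.org".
using System;
using System.Web;
using System.Web.Security;

public static class SubdomainSsoCookie
{
    // Login site: issue the forms-authentication cookie so that every host under
    // parentDomain (login.example.org, app.example.org, ...) receives it.
    public static HttpCookie Issue(HttpResponse response, string userName,
                                   string parentDomain, bool persistent)
    {
        HttpCookie cookie = FormsAuthentication.GetAuthCookie(userName, persistent);
        cookie.Domain = parentDomain;                   // e.g. "example.org" (assumed)
        cookie.HttpOnly = true;                         // script on any sub domain cannot read the ticket
        cookie.Secure = FormsAuthentication.RequireSSL; // HTTPS-only when requireSSL="true" in web.config
        response.Cookies.Add(cookie);
        return cookie;
    }

    // Sub domain site: read the shared cookie and decrypt the ticket with the shared machineKey.
    // Returns null when the cookie is missing, not produced with this machineKey, or expired.
    public static FormsAuthenticationTicket Validate(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return null;
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            if (ticket == null || ticket.Expired)
                return null;
            return ticket;
        }
        catch (Exception)
        {
            // Decrypt throws when the ticket was made with a different machineKey
            // (mismatched config on one of the apps) or is otherwise malformed
            return null;
        }
    }

    // Browser-side scoping rule: a cookie with Domain "example.org" is sent to
    // example.org and to every host ending in ".example.org", but not to
    // an unrelated host such as "notexample.org".
    public static bool IsSentTo(string cookieDomain, string requestHost)
    {
        string domain = cookieDomain.TrimStart('.').ToLowerInvariant();
        string host = requestHost.ToLowerInvariant();
        return host == domain || host.EndsWith("." + domain, StringComparison.Ordinal);
    }
}

// Usage from a Login page's code-behind (assumed page name), after the credentials check:
//   SubdomainSsoCookie.Issue(Response, userName, "example.org", persistent: true);
//   Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, true));
// Usage from any app under example.org, e.g. in Application_AuthenticateRequest:
//   FormsAuthenticationTicket t = SubdomainSsoCookie.Validate(Request);
//   if (t == null) FormsAuthentication.RedirectToLoginPage();
// IsSentTo("example.org", "app.example.org")  -> true
// IsSentTo("example.org", "notexample.org")   -> false
```

Because the cookie is scoped to the parent domain, the trust boundary of the SSO solution is the whole domain: an application that should not see the authentication ticket must not be hosted under it, and the machineKey shared across the participating applications is what keeps a ticket issued by one of them valid for the others.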