Hi,
In app1, where the user is authenticated, a string is formed with the user parameters, the database and a random control code; it is encrypted and passed as a parameter to app2. In app2 it is received, and the application can only load if the parameters are valid against a common database that verifies that the control id is valid. You could also use the sessionID of app1, which would give greater security by ensuring that the parameter passed to app2 is used only once.
Example: "http://server.com/app2/app2.dll/?id=AHnl1BTEf7Rbt7m2dAbPKYowBoMDA" (only valid once).
The important thing is that, once validated, the controlID or sessionID is marked as used so that the previously formed URL cannot be reloaded.
This applies when you need to have a control system for many databases and users, and it is required to have the uniGUI application up 24x7 and to be able to have basic load balancing. It is the practical way that I found and it has worked for several years.
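
The single-use check described in the post above, as an added example that is not part of the original post and not uniGUI code. It is a Python/SQLite sketch of the shared-database step only. Assumptions: the table layout, the function names and the 60-second lifetime are hypothetical, and the URL carries only the random control id (the user and database parameters stay in the common database) instead of an encrypted string.

```python
import secrets
import sqlite3
import time

TTL_SECONDS = 60  # assumption: the post does not specify a lifetime


def open_store(path=":memory:"):
    """Common database both apps can reach (constructed schema)."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS handoff ("
        " control_id TEXT PRIMARY KEY, username TEXT NOT NULL,"
        " target_db TEXT NOT NULL, expires_at REAL NOT NULL,"
        " used INTEGER NOT NULL DEFAULT 0)"
    )
    return db


def issue_handoff(db, username, target_db, now=None):
    """app1 side: called only after the user is authenticated."""
    now = time.time() if now is None else now
    control_id = secrets.token_urlsafe(32)  # unguessable random control code
    db.execute(
        "INSERT INTO handoff (control_id, username, target_db, expires_at)"
        " VALUES (?, ?, ?, ?)",
        (control_id, username, target_db, now + TTL_SECONDS),
    )
    db.commit()
    return control_id  # goes into the app2 URL as ?id=<control_id>


def redeem_handoff(db, control_id, now=None):
    """app2 side: returns (username, target_db) once, None afterwards."""
    now = time.time() if now is None else now
    # One UPDATE both checks validity and marks the id as used, so two
    # concurrent requests carrying the same URL cannot both succeed.
    cur = db.execute(
        "UPDATE handoff SET used = 1"
        " WHERE control_id = ? AND used = 0 AND expires_at > ?",
        (control_id, now),
    )
    db.commit()
    if cur.rowcount != 1:
        return None  # unknown, expired, or already used
    return db.execute(
        "SELECT username, target_db FROM handoff WHERE control_id = ?",
        (control_id,),
    ).fetchone()
```

Checking and marking in separate statements (SELECT, then UPDATE) would leave a window in which a replayed URL could be accepted twice; the conditional UPDATE closes it.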