views:

205

answers:

2

Hello everyone,

I am using VSTS 2008 + C# + .Net 3.5 + IIS 7.0 + ASP.Net. I have two IIS web sites, site A and site B. When a user requests the URL http://sitea/abc.aspx, my ASP.Net code handler will authenticate the user (using Forms authentication), and if authentication passes, I will redirect the user to http://siteb/bcd.aspx.

My current issue is, some users will access http://siteb/bcd.aspx directly to skip the authentication process of sitea. This is not what I want since I want to ensure all users who access http://siteb/bcd.aspx authenticated.

My question is, what is the easy solution to solve the issue when user will access siteb directly to skip authentication?

thanks in advance, George

+1  A: 

My thoughts on this...

  • Disallow anonymous access to both sites.
  • Since you are using forms authentication, set the loginurl appropriately.
  • If a user accesses http://siteb/bcd.aspx directly, since anonymous access is disallowed, the user will be redirected to the respective login URL.

Do let me know if you need any further clarification.

A similar solution is presented here: Multiple site authentication with asp.net

NOTE: If need be, the forms authentication cookie domain should be set to "*.yourdomain.com" so that the same cookie can be used for both sites.

rajesh pillai
Thanks Rajesh, I think your solution works. I said I am using Forms authentication, and more precisely I use Forms authentication for sitea, not siteb, sorry for my bad description of my question. :-) siteb is a legacy system and I want to keep code changes as minimal as possible. I am not sure whether using Forms authentication on siteb will involve too many code changes?
George2
What kind of authentication is used by "siteb"?
rajesh pillai
Currently, no authentication is used by siteb yet. Anonymous access.
George2
You can implement Forms Authentication with minimum code changes. The best way in this case is to "enable forms authentication" in the web.config and set the login URL of "siteb" to the login URL of "sitea" and you are good to go.
rajesh pillai
Thanks Rajesh! I have a similar question. If sitea is not using forms authentication, but using some customized authentication method (e.g. on sitea I have a customized DLL which contains an authentication method using the current HttpContext), how to make siteb easily adopt this authentication method? I like the feature of forms authentication to easily redirect all unauthenticated requests to a login page, but I am not sure whether Forms authentication could be easily integrated with such a customized authentication method? Thanks!
George2
"on sitea I have a customized DLL which contains an authentication method using the current HttpContext" -- in more detail, the input of the authentication method will be HttpContext.Current, and this method will authenticate using a private business rule and return true for authentication pass, false for not-authenticated.
George2
What you are talking about in essence is forms authentication (your authentication logic resides in a separate dll)? As long as any mechanism which set the asp.net principal object you are using forms authentication. So, you are already good to go, I think :)
rajesh pillai
Thanks Rajesh, sorry I do not make myself understood. I mean I am still using Forms authentication in sitea but using a customized authentication method -- not just using built-in SQL Server provider of ASP.Net. Could you review whether my current design is correct? 1. Set a cross domain cookie for both sitea and siteb. 2. When user passed authentication from sitea, I will set the cross domain cookie. 3. In siteb, I will check whether the cross-domain authentication cookie is present by using Forms authentication in siteb. My design correct?
George2
My confusion is how to set cross domain level Forms authentication cookie? Do I need to set cross-domain cookie in both web.config of sitea and siteb? Appreciate if you could recommend me some samples of how to set cross-domain cookie? Thanks!
George2
Thanks Rajesh, I have marked your reply as answered. Here is a related question, appreciate if you could take a look.
George2
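The configuration discussed in this answer and its comments, as an added example that is not from the original posts: a `web.config` fragment that protects siteb with Forms authentication and sends unauthenticated requests to sitea's login handler. It assumes both sites are reachable under a common parent domain (`sitea.yourdomain.com` and `siteb.yourdomain.com` are hypothetical host names), and the cookie name and key values are placeholders.

```xml
<!-- Added example: the <forms> and <machineKey> settings must be identical in the
     web.config of sitea and siteb, otherwise siteb cannot decrypt or validate the
     ticket that sitea issued. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- name:     same cookie name on both sites (placeholder value)
           loginUrl: sitea's authenticating page; host name is an assumption
           domain:   parent domain shared by both hosts, so the browser sends
                     the cookie to siteb as well (assumed domain)
           protection="All": ticket is both encrypted and integrity-checked -->
      <forms name=".SHAREDAUTH"
             loginUrl="http://sitea.yourdomain.com/abc.aspx"
             domain="yourdomain.com"
             path="/"
             protection="All"
             timeout="30" />
    </authentication>

    <!-- Deny anonymous users: a direct request to bcd.aspx without a valid
         ticket is redirected to loginUrl instead of being served. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Explicit shared keys. The default auto-generated keys differ per
         application, so a ticket from sitea would fail validation on siteb.
         Generate real random keys and keep them out of source control. -->
    <machineKey validationKey="REPLACE_WITH_SHARED_VALIDATION_KEY"
                decryptionKey="REPLACE_WITH_SHARED_DECRYPTION_KEY"
                validation="SHA1"
                decryption="AES" />
  </system.web>
</configuration>
```

With this in place siteb needs no login page of its own: the custom authentication method on sitea stays where it is, and sitea only has to issue the Forms authentication ticket after that method returns true.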
+1  A: 

On siteb you can restrict access to the ip address of sitea.

In IIS Manager

Click the Directory Security or File Security tab, and then do one of the following:

in the IP address and domain name restrictions section, click Edit.

Click Granted access or Denied access. When you select Denied access, you deny access to all computers and domains, except to those that you specifically grant access. When you select Granted access, you grant access to all computers and domains, except to those that you specifically deny access.

Click Add, and then click Single computer.

Click DNS Lookup to search for computers or domains by name, rather than by IP address.

Type the DNS name for the computer. IIS searches on the current domain for the computer, and if found, enters its IP address in the IP address box.

Peter Marshall
Hi Peter, I think your solution does not work for me. Since when a normal user accesses sitea for authentication, then I will redirect the user to siteb. I think the IP address should be the client (end user)'s computer address, not sitea's address. So, your solution of restricting address of siteb to allow only sitea to access is not working. Please correct me if I am wrong. Thanks!
George2
How will this work though with subsequent requests to siteB? The first request, through authentication will be from siteA as a redirect, but subsequent requests would come from the client's IP, no?
eidylon
Hi Peter, the scenario is, step 1: user access sitea for content list, step 2: user is asked for authentication by sitea, step 3: user is authenticated by sitea and sitea redirect user to siteb, step 4: user access siteb from redirection. So, I think when user passed authentication and access siteb, the user should be using client computer's IP address and not sitea's address, correct?
George2