Ok, here is the problem:

I have two sites: www.mysite.com and blog.mysite.com (fake site names) which are supposed to share authentication. The login page is on www.mysite.com/login/login.aspx

Now, the blog website has web.config with following authentication section:

<authentication mode="Forms">
  <forms timeout="50000000" 
   loginUrl="http://www.mysite.com/login/login.aspx"
   defaultUrl="~/"/>
</authentication>
<authorization>
   <deny users="?"/>
</authorization>

Now I hit blog.mysite.com/andrey/page.aspx and it redirects me to the login page, which is on the www site. The real problem is that the "redirect" query string will only contain the relative page URL (andrey/page.aspx), so when I log in it will try to redirect me to www.mysite.com/andrey/page.aspx, not blog.mysite.com/andrey/page.aspx where I started, so of course everything fails.

Is there a way to tell the Membership object to put the full path into the "redirect" query string parameter when it bounces to the login page?

Thanks! Andrey

+1  A: 

Assuming that each domain has its own web.config, I think this might work.

1) Create a login page for both www.mysite.com and blog.mysite.com
2) Point both to the same membership database
3) Make sure both have the same membership applicationName attribute set:

<membership><providers><add applicationName="mySite">

4) Make sure both have the same forms name set:

<authentication mode="Forms"><forms name="mySite">

This should ensure that both sites use the same membership database and the same authentication cookie, but they'll use their individual login pages and so the return url should be fine.


Can you call the FormsAuthentication.SetAuthCookie Method and manually redirect to the http referrer?


I just saw this in the documentation for FormsAuthentication.RedirectFromLoginPage

By default, the ReturnUrl variable must refer to a page within the current application. If ReturnUrl refers to a page in a different application or on a different server, the RedirectFromLoginPage method redirects to the URL in the DefaultUrl property. If you want to allow redirects to a page outside the current application, you must set the EnableCrossAppRedirects property to true using the enableCrossAppRedirects attribute of the forms configuration element. Security Note:

Setting the EnableCrossAppRedirects property to true to allow cross-application redirects is a potential security threat. When cross-application redirects are allowed, your site is vulnerable to malicious Web sites that use your login page to convince your Web site users that they are using a secure page on your site. To improve security when using cross-application redirects, you should override the RedirectFromLoginPage method to allow redirects only to approved Web sites.

Does messing with that property help at all?

Greg
Well, I still wanted to have one place to login into the portal. Any ideas how to control RedirectUrl? All I could go with so far is to reverse engineer and rebrand the FormsAuthenticationModule class, make changes so it puts the whole URL into redirectUrl, and use that module instead of Microsoft's FormsAuthenticationModule class.
Andrey
No, I don't know of any way to do that. If both login pages looked exactly the same except for the URL, and each could log you in to both sites, that doesn't really seem that different from a user experience from "one place to login into the portal" to me.
Greg
Agreed, but I actually have 7 sites and supporting login page for every one of them is an unnecessary overhead if it can be avoided. I guess I'll have to rewrite FormsAuthenticationModule class to fit my needs...
Andrey
I actually don't think that an authentication cookie created on a 3rd level domain blogs.mysite.com would be available from the second level domain www.mysite.com, so the user would have to re-login when going to the www page if logged in to blogs originally, which is not acceptable.
Andrey
You're probably right. I thought it was worth a shot. =)
Greg
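An added example, not code from this thread or from Microsoft's FormsAuthentication classes: the "approved Web sites" check that the quoted documentation note recommends when enableCrossAppRedirects is turned on, written as a plain .NET helper so it compiles without System.Web. It assumes the portal's sites are www.mysite.com and blog.mysite.com (the question's fictitious names), that the shared login page hands it the raw ReturnUrl value plus a safe fallback, and it uses evil.example as a constructed attacker host in the samples.

```csharp
using System;
using System.Linq;

// Added example (not from the original thread): a ReturnUrl sanitizer for a
// login page shared across several sub-domains. Once cross-application
// redirects are enabled, the login page becomes an open redirector unless the
// target host is checked, which is what the documentation's security note warns about.
public static class ReturnUrlValidator
{
    // Assumption: these are the only hosts the portal's login page may send a user to.
    private static readonly string[] ApprovedHosts =
    {
        "www.mysite.com",
        "blog.mysite.com",
    };

    // Returns the URL the login page may redirect to, or the fallback when the
    // supplied ReturnUrl is missing, malformed, or points at an unapproved host.
    public static string Sanitize(string returnUrl, string fallback)
    {
        if (string.IsNullOrWhiteSpace(returnUrl))
            return fallback;

        string trimmed = returnUrl.Trim();

        // A single leading "/" is the ordinary same-application path that
        // ASP.NET puts into ReturnUrl. "//host" and "/\host" are NOT local:
        // browsers treat them as protocol-relative URLs to another site.
        if (trimmed.StartsWith("/", StringComparison.Ordinal)
            && !trimmed.StartsWith("//", StringComparison.Ordinal)
            && !trimmed.StartsWith("/\\", StringComparison.Ordinal))
        {
            return trimmed;
        }

        // Everything else must parse as an absolute URL.
        Uri uri;
        if (!Uri.TryCreate(trimmed, UriKind.Absolute, out uri))
            return fallback;

        // Only http/https may be followed; this drops javascript:, data:, file: and
        // the UNC-style URIs that "//evil.example" parses into on Windows.
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps)
            return fallback;

        // Uri.Host already strips userinfo, so "http://www.mysite.com@evil.example/"
        // resolves to the host evil.example and is rejected.
        bool approved = ApprovedHosts.Any(
            h => string.Equals(h, uri.Host, StringComparison.OrdinalIgnoreCase));

        return approved ? uri.AbsoluteUri : fallback;
    }

    public static void Main()
    {
        // Constructed samples: the question's own case plus the usual redirect tricks.
        string[] samples =
        {
            "/andrey/page.aspx",
            "http://blog.mysite.com/andrey/page.aspx",
            "https://www.mysite.com/",
            "//evil.example/phish",
            "http://www.mysite.com@evil.example/",
            "http://evil.example/?from=www.mysite.com",
            "javascript:alert(1)",
            "",
        };

        foreach (string s in samples)
            Console.WriteLine("{0,-45} -> {1}", "\"" + s + "\"", Sanitize(s, "/"));
    }
}
```

In a Forms Authentication login page this would run after the credentials check, before FormsAuthentication.SetAuthCookie and Response.Redirect, in place of RedirectFromLoginPage, which is exactly the override the documentation note suggests. The separate concern raised in the comments, whether a cookie issued by blog.mysite.com is visible to www.mysite.com, is a cookie-scope question rather than a redirect one: the forms element's domain attribute (for example domain=".mysite.com") sets the cookie on the parent domain so all sub-domains that share the same forms name and machine keys can read it.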