Single Sign-On ASP.NET and PHP

Question

Hello

We have a site made in .NET 3.5 with a multiplexed membership/role provider, and a connected PHP site (on a different server) which uses the same users (or partly atleast) and we are looking into the posibility of using a single sign-on and i'm wondering if others have done something like this that works.

When the PHP site's authentication is done it sets a session variable with the user id and then redirects the user to the start page.

In the future it's meant that the user always logins on the ASP.NET site, so what i've done is trying to authenticate on the PHP site at the same time as the ASP.NET. To be able to use the user's password i've added the logic on the ValidateUser method in the membershipprovider:

                HttpWebRequest req = HttpWebRequest.Create(url) as HttpWebRequest;
                string data = string.Format("username={0}&password={1}", MembershipHelper.UrlEncode(username), MembershipHelper.UrlEncode(password));
                req.Method = WebRequestMethods.Http.Post;
                req.ContentLength = data.Length;
                req.ContentType = "application/x-www-form-urlencoded";
                req.AllowAutoRedirect = false;
                req.CookieContainer = new CookieContainer();

                StreamWriter w = new StreamWriter(req.GetRequestStream());
                w.Write(data);
                w.Close();

But as you can understand, it doesn't work. When i visit the php site i'm still not logged in, which of course have something to do with the session, but i just can't figure out how to transfer it correctly.

Answer 1

The code you've shown performs a server side request to the PHP site and passes the username and password in order to perform the authentication. You are also using a cookie container in order to store the session cookie issued by the PHP site.

If the authentication succeeds you will have to retrieve the session cookie from the container (using the GetCookies method) and send it in the response of the ASP.NET page (using AppendCookie). This way the cookie will be stored on the client browser (instead of the temporary cookie container). Once the cookie is stored in the user's browser it will be automatically sent along the next request to the PHP site (provided this site is on the same domain as your ASP.NET site) and you will be signed in.

If both sites are hosted on different domains then using cookies to perform single sign-on might be trickier.

Answer 2

I tried:

                HttpWebResponse resp = (HttpWebResponse)req.GetResponse();
                CookieCollection receivedCookies = cookies.GetCookies(url);
                foreach(Cookie cookie in receivedCookies)
                {
                    HttpCookie httpCookie = new HttpCookie(cookie.Name);
                    httpCookie.Value = cookie.Value;
                    httpCookie.HttpOnly = true;
                    httpCookie.Expires = cookie.Expires;
                    httpCookie.Domain = cookie.Domain;
                    httpCookie.Path = cookie.Path;
                    httpCookie.Secure = cookie.Secure;
                    HttpContext.Current.Response.AppendCookie(httpCookie);
                }

but it didn't work. Different domains, does that include www.anything.com and *.anything.com ?