We are implementing a single sign on mechanism in an enterprise environment, where the token is shared between applications using HTTP header. Now, in order to do the integration test, I need to write an application to simulate this.

Is there any way in ASP.NET where I can redirect to another web-page and pass a custom HTTP header in the process?

Thanks

A: 

This may help you:

Passing data in HTTP Headers

wali
This post describes how to create a webrequest and pass HTTP header. But the drawback is that it has to read a response. I am looking for a redirection with HTTP header. My parent application would pass control to the child.
Srikanth Venugopalan
A: 

The server could send the HTTP header to the client on a redirect, but the client would not send it back to the other remote server.

The ideal solution in this case would be to use a Cookie, or a QueryString variable. Cookies may suffer from cross-domain issues and become complicated if host names are different enough.

In any of these approaches, one must be careful not to create a security hole by trusting this information as it is user input coming back from the client (or some black hat).

umbyersw
Yeah, it's the server-side implementation that I'm stuck with. How do I get an ASP.NET application to send a custom HTTP header to another domain? I am looking at a solution where we redirect the control to another URL from the server, i.e. maybe using Response.Redirect?
Srikanth Venugopalan
Yes, Response.Redirect if the data is small enough to encrypt, put the encrypted value on the QueryString (Forget headers). Requires sharing keys from server A to server B. Synchronize the Machine Keys and use them to encrypt/decrypt the data. If that's not possible, or there is too much data, put a token such as a Guid on the QueryString. Then use a back-channel between servers where server B can call server A and ask it for the details of the incoming request. This type of custom solution is very error-prone, be sure to think of the attack vectors. Look at Windows Identity Foundation.
umbyersw
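The encrypted query-string handoff described in the comment above, as an added example that is not part of the original thread. It assumes both sites are ASP.NET 4.5+ applications configured with the same `<machineKey>`, that `siteBUrl` has no query string of its own, and that both servers' clocks are roughly in sync; the class name, the purpose string and the 60-second lifetime are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

public static class SsoHandoff
{
    // Hypothetical purpose string; it must be identical on both sites.
    private const string Purpose = "SsoHandoff.v1";
    private static readonly TimeSpan MaxAge = TimeSpan.FromSeconds(60);

    // Site A: encrypt and sign "ticks|user" with the shared machine key, then redirect.
    public static void RedirectToSiteB(HttpResponse response, string siteBUrl, string userName)
    {
        string payload = DateTime.UtcNow.Ticks + "|" + userName;
        byte[] sealedBytes = MachineKey.Protect(Encoding.UTF8.GetBytes(payload), Purpose);
        response.Redirect(siteBUrl + "?authtoken=" + HttpServerUtility.UrlTokenEncode(sealedBytes));
    }

    // Site B: treat the query string as untrusted input and accept the user
    // name only if the token decrypts, verifies and is still fresh.
    public static bool TryReadToken(HttpRequest request, out string userName)
    {
        userName = null;
        string token = request.QueryString["authtoken"];
        if (string.IsNullOrEmpty(token)) return false;
        try
        {
            byte[] sealedBytes = HttpServerUtility.UrlTokenDecode(token);
            if (sealedBytes == null) return false;
            // Throws CryptographicException if the value was altered or made with another key.
            byte[] plain = MachineKey.Unprotect(sealedBytes, Purpose);
            if (plain == null) return false;
            string[] parts = Encoding.UTF8.GetString(plain).Split(new[] { '|' }, 2);
            long issued;
            if (parts.Length != 2 || !long.TryParse(parts[0], out issued)) return false;
            // Reject tokens outside the lifetime window (also bounds clock skew).
            if (Math.Abs(DateTime.UtcNow.Ticks - issued) > MaxAge.Ticks) return false;
            userName = parts[1];
            return true;
        }
        catch (CryptographicException) { return false; }
        catch (FormatException) { return false; }
    }
}
```

A token built this way can still be replayed until it expires, and it will appear in server logs and Referer headers, so Site B should exchange it for its own session immediately and, where single use matters, remember the tokens it has already accepted.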
A: 

You need to create a page on Site B that Site A redirects the user to that sets a cookie with the desired value.

For instance:

http://siteb.com/authenticate.aspx?authtoken=15128901428901428904jasklads&returnUrl=http://siteb.com/index.aspx

authenticate.aspx would set a cookie and then every request would receive authtoken.

bleevo
OK, nice idea, but I am a little skeptical about using cookies. What if the client PC has cookies disabled, or even worse, if a hacker wishes, he/she could manipulate the cookies. Besides, I wish to simulate a test environment for a live system. The actual authentication happens via HTTP headers. In production, there is a setup where they use some gateway provided by CA Inc (not sure of the exact product name).
Srikanth Venugopalan
Your only option is to use cookies or store it in the URL; there is no way you can command a client to send custom HTTP headers.
bleevo
Also, if you're worried about cookies: http://msdn.microsoft.com/en-us/library/aa479314.aspx And "hackers" can change HTTP headers just as easily as cookies.
bleevo