tags:

views:

200

answers:

3
+2  Q: 

Pass value from one ASP.NET app to another via HTTP Header

We are implementing a single sign on mechanism in an enterprise environment, where the token is shared between applications using HTTP header. Now, in order to do the integration test, I need to write an application to simulate this.

Is there any way in ASP.NET where I can redirect to another web-page and pass a custom HTTP header in the process?

Thanks

A: 

This may help you:

Passing data in HTTP Headers

wali  2010-06-15 20:15:49
This post describes how to create a webrequest and pass HTTP header. But the drawback is that it has to read a response. I am looking for a redirection with HTTP header. My parent application would pass control to the child.
Srikanth Venugopalan  2010-06-16 01:21:38
A: 

The server could send the HTTP header to the client on a redirect, but the client would not send it back to the other remote server.

The ideal solution in this case would be to use a Cookie, or a QueryString variable. Cookies may suffer from cross-domain issues and become complicated if host names are different enough.

In any of these approaches, one must be careful not to create a security hole by trusting this information as it is user input coming back from the client (or some black hat).

umbyersw  2010-07-11 07:48:12
Yeah.. its the server side implementation that I'm stuck with. How do I get an asp.net application to send custom HTTP header to another domain? I am looking at a solution where we redirect the control to another URL from the server, i.e maybe using Response.Redirect??
Srikanth Venugopalan  2010-07-12 01:11:42
Yes, Response.Redirect if the data is small enough to encrypt, put the encrypted value on the QueryString (Forget headers). Requires sharing keys from server A to server B. Synchronize the Machine Keys and use them to encrypt/decrypt the data. If that's not possible, or there is too much data, put a token such as a Guid on the QueryString. Then use a back-channel between servers where server B can call server A and ask it for the details of the incoming request. This type of custom solution is very error-prone, be sure to think of the attack vectors. Look at Windows Identity Foundation.
umbyersw  2010-07-12 06:50:56
A: 

You need to create a page on Site B that Site A redirects the user too that sets a cookie with the desired value.

for instance.

http://siteb.com/authenticate.aspx?authtoken=15128901428901428904jasklads&returnUrl=http://siteb.com/index.aspx

authenticate.aspx would set a cookie and then every request would receive authtoken.

bleevo  2010-07-18 01:34:33
ok, nice idea. but I am a little skeptical while using cookies. What if the client PC has cookies disabled, or even worse, if a hacker wishes, he/she could manipulate the cookies.Besides, I wish to simulate a test environment for a live system. The actual authentication happens via HTTP headers. In production, there is a setup where they use some gateway provided by CA Inc (not sure of the exact product name).
Srikanth Venugopalan  2010-07-19 02:09:38
Your only option is to use Cookies or store it on the url, there is no way you can command a client to send custom http headers.
bleevo  2010-07-21 10:44:25
Also if your worried about cookies. http://msdn.microsoft.com/en-us/library/aa479314.aspxAnd "hackers" can change http headers just as easy as cookies.
bleevo  2010-07-21 10:45:15

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps