how to send user ID across differnet application in ASP.Net?

Question

Hello everyone,

I have two web applications all are developed by ASP.Net. Now I want to provide a feature which enables the user to click from one URL in application site (one virtual directory of IIS) A to the other URL in application site B (another virtual directory of IIS).

I have two ideas to implement them, but both of them have issues. I want to know what solution should be optimum solution?

Solution 1: using cookie, so from both application sites, we could retrieve user ID information from reading cookie, but I am afraid if cookie is disabled in browser, this "jump" feature never works.

Solution 2: When the user redirects to an URL in another site, I could append user ID after the URL, I could redirect to this URL in another site http://www.anotherapplicationsite.com/somesuburl?userID=foo, but I am afraird that in this way userID will be exposed easily which raise security issues.

Any advice?

thanks in advance, George

Answer 1

I don't think 1) will work due to browser security (cookies from one domain cannot be read by another domain). I would go with 2), except I would encrypt the querystring value.

EDIT: For more info on cookie privacy/security issues, check out the "Privacy and third-party cookies" section here.

Answer 2

What are you using as the user's id? If you are using their social security number or email (something sensitive) then you are going to want to encrypt the value before you put it on the query string. Otherwise (if the user's id is something ambiguous like an integer or a GUID) it should be fine to put the id on the query string.

Answer 3

Thanks Kevin Tighe,

1.

I am very interested in how you "encrypt the querystring value". I have never did this before. Could you recommend me some sample codes to learn?

2.

"ill work due to browser security (cookies from one domain cannot be read by another domain)." -- I am interested to learn more about this security restriction, do you have any more related documents about cookie restrictions?

regards, George

Answer 4

As long as you have a good authentication system in place on the second website I think solution 2 is the one for you, taking into account the remark Andrew made about the sensitive ID's of course.

For more information on encryption: check the documentation of the FormsAuthentication.Encrypt Method . I think they even do something with writing a value in a cookie in that example.

Answer 5

Thanks Andrew Hare,

The user ID is my internal used user ID, since I use it internally in my ASP.Net application and also used it as my database primary key, I do not want to expose it.

About your ideas of "encrypt the value before you put it on the query string", I am very interested and thinks it should be a good idea. Could you recommend me some tutorial or sample codes to learn? I never did this before. :-)

regards, George

Answer 6

using cross domain, you can not SHARE the session, so I was thinking about POST

idea 1

if afraid of "showing" the username in the address, why not sending a POST?

<form name="myForm" action="http://www.mydomain.com/myLandingPage.aspx"&gt;
  <input type="hidden" id="userid" value="myUsername" />
  <a href="javascript:myForm.Submit();">click here</a>
</form>

but then... off course, "View Source Code" will show it

idea 2

then.. I remembered that I do the same, but sending a Encrypted string like:

 http://www.anotherapplicationsite.com/somesuburl?userID=HhN01vcEEtMmwdNFliM8QYg+Y89xzBOJJG+BH/ARC7g=

you can use Rijndael algorithm to perform this, link below has VB and C# code:

http://www.obviex.com/samples/EncryptionWithSalt.aspx

then in site 2, just Decrypt and check if the user exists... if it does, continue, if not saying that the user tried to temper the query string :)

Answer 7

If you put the userid in a query string and that's all the 2nd app uses to allow login, what's to keep me from manually typing in other users id's? You'd still have to prompt for password on the new site.

I'd use a database to hold login information, and have both sites reference that same db. Use it like you'd use a session.

D

Answer 8

Thanks balexandre,

I did not see how in your javascript code, you send by POST and encrypt user ID? Confused.

regards, George

Answer 9

Thanks Gerrie Schenck,

If FormsAuthentication.Encrypt Method uses cookie, but could another domain using the cookie? I think cookie information could not be retrieved from another domain? :-)

regards, George

Answer 10

I work with this sort of thing a lot. What you're looking for sounds like a candidate Single Sign-on solution or Federated Security.

You might try doing something similar to the following:

1. Create a simple db or other sort of table storage with two columns "nonce" and "username"

2. When you build the link to the other site create a GUID or other unique identifier to use as a one-time nonce, passing it as a querystring ?id=. Insert an entry into the table with the current authenticated username and the unique identifier you created.

3. When you reach the destination of your link, pass the unique identifier to call a webservice that will will match up the identifier with the username in the database you inserted before jumping to the second site (secure this with ssl).

4. If the nonce checks out with a valid username, you're all set. The webservice should remove the used entry and the table should stay more or less empty any time you are not in the middle of a transaction.

It is also good to include a datetime in your nonce/username table and expire it in 60 seconds or less to minimize the risk of replay attacks. We also require client certificates for external applications to call the webservice in order to verify the identity of the caller. Internal applications don't really necessitate using client certificates.

A nice thing about this is that it scales fairly well to as many sites as you would like to use

Not perfect security, but we've never had a significant compromise with a such as system.