Hello everyone,

I have two web applications, and sometimes I need the user to jump from one application to the other. Since they are two web applications and may reside on different domains/machines, I cannot share a session between them.

The technical challenge for me is how to pass session information (I only need to pass the userID string from the session) from one source application to another destination application -- so that the user feels Single Sign On and personal information is displayed for him/her in both applications (as the userID is passed to the destination application, no re-login is needed).

My current solution is to generate all URL strings in both applications and append the user ID to them after the user logs in successfully, like http://www.anotherapplication.com/somepage?userID=someuserID, where the userID value is retrieved from the session. But I think my solution is stupid, and I want to find some way to automatically append the query string ?userID=someuserID when the user jumps to another URL in the other application -- so that I just need to generate the common unified URL http://www.anotherapplication.com/somepage in both applications.

Is there a solution to automatically append the userID query string?

thanks in advance, George

A: 

You can persist the session using something other than InProc (which is short for in process). If you persist the session using a SQL Server backend you'll be able to retrieve the session cross domain/machine if they are set up to use the same SQL Server backend for session storage. This is configurable in ASP.NET and supported out of the box. I suggest you look it up.

John Leidegren
While this is true, if the applications are accessed on different domains, the session id cookie cannot be accessed by the other application. ASP.NET supports storing the session id in the querystring - but depending on the scenario this might not be feasible.
driis
A little confused, as I have not used SQL Server to store session state before. Confused about how to share session information between apps on different domains? i.e. when jumping to another app, how could the destination app recognize that you are George and not John? You must pass some info when jumping?
George2
Thanks driis, "ASP.NET supports storing the session id in the querystring - but depending on the scenario this might not be feasible" -- do you have a sample for this?
George2
I wonder what happens if you told the cookie to target a different domain...
John Leidegren
John, what do you mean by "you told the cookie to target a different domain"? Cookies cannot be accessed from another domain. :-)
George2
+2  A: 

Rather than doing it via the Querystring, it might be more maintainable in the long run if you create a FormsAuthenticationTicket with the required values.

I especially recommend reading Michael Morozov's excellent article on the subject of SSO (Single sign ons).

Cerebrus
Stupid question after reading -- is session information shared/accessible between different web apps under different virtual directories of the same IIS web site? Or shared between different web apps under different IIS web sites (maybe on different machines)? Or does it depend on the in-proc/out-proc/SQL config?
George2
It would have to be Out of proc... If it's different machines, then it would need to be SQL based.
Cerebrus
1. Do you mean an in-proc session can only be shared within the same web application in the same virtual directory? 2. And an out-proc session can be shared between different web apps on the same machine, even under different IIS web sites?
George2
+2  A: 

I do not think it is a good idea to have the user id in query string.

A better idea would be to implement a single-sign on solution. In your scenario, you could do the following:

  • Whenever one of your applications receives an unauthenticated request, redirect the user back to the other application, to a special single-sign-on url.
  • This page checks whether the user is logged in, and if so, redirects back with an authentication token in the querystring.
  • This token is checked by the un-authenticated application; and if it passes, you can log in the user.

Of course, this seems like "a lot" of redirecting, but it should be reliable, and it only happens once, and then your user will be authenticated on both applications.

Obviously you would need to implement a security scheme so that you can check that the authentication token you get passed is really valid and originating from your other application. You could do this with a challenge-response algorithm; which could be:

  • Both applications should know a common key.
  • The first application sends some random data (the "challenge") to the second application.
  • The second application includes a hash value of the random data + its answer + the secret key in its response.
  • Now the first application can check that the second application knew the secret key by calculating the same hash value.

Have a look at: http://en.wikipedia.org/wiki/Challenge-response_authentication

EDIT:

With regards to session state, see http://msdn.microsoft.com/en-us/library/ms178581.aspx for an overview. It is possible to share session state between the applications, but I would not recommend it in general. If your applications reside on different domains (URLs) you would have to use cookieless session state, which is not safe. If you decide to go this way, you would have to use either State Server or SQL Server for session persistence, depending on your setup.

driis
Hi driis, your idea is cool! I have one concern: isn't passing the authentication token in the querystring unsafe? I have this concern because I feel something (URL + querystring) visible in IE is more prone to exposure and unsafe? Any comments?
George2
In general yes, passing the authentication token in the querystring is considered unsafe. But by using a challenge-response approach as I describe, it can be made safe. The challenge-response part ensures that you can be sure that the authentication token comes from your application and is valid.
driis
I read your 4-step solution again and have an issue: your solution authenticates applications against each other, but in order to implement SSO, I want to authenticate a user against an application. Is your solution related to my question?
George2
"be sure that the authentication token comes from your application and is valid." -- I agree, but isn't exposing authentication information in the querystring unsafe? Suppose others could sniff it, or hacking people could share the querystring with others to save the cost of buying a membership? :-)
George2
The solution would depend on the user authenticating himself "as normal" on either of the applications. Then, when he accesses the other application, you could use the solution as described to check whether the current user is authenticated or not on the first application.
driis
With regards to your comment about exposing authentication information - no, you would not expose the authentication information as in a password, if that is what you mean. The common shared key ensures that the authentication token can only be generated by someone who knows the key.
driis
... and a replay attack is not possible since you start off with a different challenge (the random data) for each authentication attempt.
driis
But the authentication token is generated from the secret key, so exposing the authentication token means exposing information about the secret, and he/she, by presenting the authentication token, could pretend to know the secret key, isn't it? :-)
George2
Cool! "you start off with a different challenge (the random data) for each authentication attempt" -- do you suggest passing the authentication token over SSL? I am concerned about this token being used by multiple people more than once. How to avoid that?
George2
The important thing to remember is that you are only exposing a hash value generated on the basis of the secret key, so you do not expose information about the secret key. A hash function is irreversible, and one of the cornerstones of cryptography. http://en.wikipedia.org/wiki/Hash_function
driis
Passing a query string is fine. But my question is how I could append the query string before the user redirects to another site. Suppose my page contains a URL for another application; the URL is out of the control of the current application and the user goes to the destination application directly and immediately.
George2
So, in this situation, how could I append the query string just before the user jumps to another application? I cannot predict when the user will jump. Any ideas or solutions? :-)
George2
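The redirect flow and the challenge-response check described in driis's answer, and the replay question raised in the comments, as an added worked example. This is not code from the thread and not ASP.NET code; it is a framework-neutral Python model of the two sides of the exchange. The class names, the query parameter names (challenge, returnUrl, userID, expires, token), the shared key and the host names are all assumptions made for the example. The answer's "hash of random data + answer + secret key" is implemented here as HMAC-SHA256 over length-prefixed fields, which is the standard way to mix a secret into a hash; the single-use challenge table and the expiry field are what make a copied URL useless a second time, which addresses the concern about one token being reused by several people.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed key for the example; each application would read it from protected configuration.
SHARED_KEY = b"example-shared-key-replace-in-config"
TOKEN_TTL_SECONDS = 60  # assumed lifetime of a signed response


def compute_token(key, challenge, user_id, expires):
    """HMAC over challenge, userID and expiry; each field is length-prefixed so
    field boundaries cannot be shifted ("ab"+"c" vs "a"+"bc") without changing the MAC."""
    fields = (challenge.encode(), user_id.encode(), expires.encode())
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def _query_dict(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class SsoConsumer:
    """The application that received an unauthenticated request (the 'first' application)."""

    def __init__(self, key, sso_url, return_url):
        self.key = key
        self.sso_url = sso_url
        self.return_url = return_url
        self.pending = {}  # challenge -> issue time; each challenge is accepted exactly once

    def build_redirect(self, now=None):
        """Step 1: send the browser to the other application's SSO page with a fresh challenge."""
        now = time.time() if now is None else now
        challenge = secrets.token_urlsafe(32)
        self.pending[challenge] = now
        return f"{self.sso_url}?{urlencode({'challenge': challenge, 'returnUrl': self.return_url})}"

    def verify_response(self, url, now=None):
        """Step 3: return the userID if the response answers one of our unused challenges
        with a valid, unexpired MAC; otherwise None (treat as not logged in)."""
        now = time.time() if now is None else now
        q = _query_dict(url)
        try:
            challenge, user_id, expires, token = q["challenge"], q["userID"], q["expires"], q["token"]
        except KeyError:
            return None
        # Consume the challenge first: a replayed URL finds nothing pending and is rejected.
        if self.pending.pop(challenge, None) is None:
            return None
        if not expires.isdigit() or now > int(expires):
            return None
        expected = compute_token(self.key, challenge, user_id, expires)
        if not hmac.compare_digest(expected, token):  # constant-time comparison
            return None
        return user_id


class SsoProvider:
    """The application where the user already has a session (the 'second' application)."""

    def __init__(self, key, session_lookup, allowed_return_hosts):
        self.key = key
        self.session_lookup = session_lookup  # callable returning the logged-in userID or None
        self.allowed_return_hosts = set(allowed_return_hosts)  # stops use as an open redirector

    def handle_sso_request(self, url, now=None):
        """Step 2: if the user is logged in here, answer the challenge; None means 'show login'."""
        now = time.time() if now is None else now
        q = _query_dict(url)
        user_id = self.session_lookup()
        if user_id is None or "challenge" not in q or "returnUrl" not in q:
            return None
        if urlparse(q["returnUrl"]).netloc not in self.allowed_return_hosts:
            return None
        expires = str(int(now) + TOKEN_TTL_SECONDS)
        token = compute_token(self.key, q["challenge"], user_id, expires)
        params = {"challenge": q["challenge"], "userID": user_id, "expires": expires, "token": token}
        return f"{q['returnUrl']}?{urlencode(params)}"


def demo():
    """Full round trip with constructed hosts, then a replay of the same response URL."""
    consumer = SsoConsumer(SHARED_KEY, "https://app-a.example/sso", "https://app-b.example/somepage")
    provider = SsoProvider(SHARED_KEY, lambda: "george", ["app-b.example"])
    step1 = consumer.build_redirect()
    step2 = provider.handle_sso_request(step1)
    first = consumer.verify_response(step2)   # "george"
    replay = consumer.verify_response(step2)  # None: challenge already consumed
    return first, replay


if __name__ == "__main__":
    print(demo())
```

The token in the URL is only a MAC over values the consumer already knows or is being told, so reading it reveals nothing about the key, and because the consumer deletes the challenge on first use, forwarding the URL to someone else does not log them in. The expiry bounds how long a response that was never delivered stays valid, and restricting returnUrl to known hosts keeps the SSO page from redirecting to arbitrary sites. Serve both endpoints over HTTPS so the values are not readable in transit.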