views:

147

answers:

1

I have an ASP .NET web application which uses Forms Authentication. Let's call this application "Foo." I am creating another ASP .NET application called "Bar."

What I want to have happen is the user logs into Foo, then clicks a link which takes them to a page in the Bar application. The Bar application should not require the Foo user to log in again. The Foo app should pass the security ticket to the Bar app and then the user can go about his/her business inside the Bar app.

I also want to restrict access to the Bar app. So if a user tries to access the Bar app without first logging in, they are redirected to the Foo login page.

Is this possible? If so, how do I implement this?

+1  A: 

I did this once and it was between a PHP site and an ASP.NET site (me being the ASP.NET Developer but knowing some bits about PHP too).

If App1 is the entry point for the user(s) then at logon App1 should create a key-value pair for that user that consists of the username and a generated key (a GUID for example). Programmatically it should communicate with App2 and send this key (for example launch a background thread). Let's say user JohnDoe logs in successfully on App1.

App1 generates a key (3l3kjlk3j4lkj34, JohnDoe) and sends it to App2 via some kind of communication (for example calls via HTTP an URL such as www.app2.com/SetTempKey.aspx?userId=JohnDoe&key=3l3kjlk3j4lkj34 - a page that would allow only requests from a certain IP for security reasons).

App2 will receive the temporary access key and store it. Let's say that App2 has the login page at www.app2.com/login.aspx.

In app1 you will generate a link to www.app2.com/login.aspx?tempKey=3l3kjlk3j4lkj34 with a decent label such as "Go to our app2". When the user clicks the link the login.aspx page on app2 is called. Checking the querystring for the presence of the tempKey querystring parameter and then checking the validity of the key in the temporary keys stored, app2 finds that this REALLY is JohnDoe.

App2 logs him in simply by calling FormsAuthentication.RedirectFromLoginPage("JohnDoe", true) (first the username and then if the formsAuth cookie should be persistent/not_session_lived).

... and that's pretty much it.

Andrei Rinea
OK. I think this could work. How would you suggest forcing the key to expire? Would you store the expiration date in your temporary store and then validate against that when App2 checks the validity of the key? What do you think?
Brandon Montgomery
A simple expiration policy is to store the keys in the Cache object and when inserting them you can set the expiration to either sliding or absolute expiration. (The Cache object is the HttpRuntime.Cache)
Andrei Rinea
If you will need additional info you can contact me. On my profile you'll find my email address. Good luck!
Andrei Rinea
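As an added example (not code from the answer or from the original poster), here is the handoff the answer and its comments describe, written as C# code-behind for ASP.NET Web Forms on .NET Framework: App1 registers a temporary key with App2's SetTempKey.aspx, App2 stores it in HttpRuntime.Cache with an absolute expiration, and App2's login.aspx exchanges a valid key for a Forms ticket via FormsAuthentication.RedirectFromLoginPage. The page names and query parameters come from the answer; the class names, the "tempkey:" cache prefix, the caller IP address and the App1 login URL are assumptions. It also goes a little beyond the answer on three points: the key is drawn from the CSPRNG instead of a GUID (a GUID is unique but not unpredictable, and this key stands in for the user's credential), the key is removed from the cache on first use so a replayed link fails, and the endpoints are called over HTTPS.

```csharp
// Added example of the App1 -> App2 temporary-key handoff (not the answer's code).
// Assumed: App1 is "Foo" (the entry point), App2 is "Bar". Page names come from
// the answer; class names, the cache prefix and addresses are assumptions.
using System;
using System.Net;
using System.Security.Cryptography;
using System.Web;
using System.Web.Caching;
using System.Web.Security;
using System.Web.UI;

// ---------- App1 (Foo): called after a successful Forms login ----------
public static class App2Handoff
{
    // Assumed endpoint, from the answer's example URL (HTTPS assumed).
    const string SetTempKeyUrl = "https://www.app2.com/SetTempKey.aspx";

    // Generates a key, registers it with App2 and returns the link for the user.
    public static string CreateHandoffLink(string userName)
    {
        // 32 CSPRNG bytes rather than a GUID: the key must be unguessable.
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string key = BitConverter.ToString(bytes).Replace("-", "");

        // Server-to-server registration (the answer suggests a background thread;
        // synchronous here so a failure surfaces before the link is shown).
        using (var client = new WebClient())
        {
            client.DownloadString(SetTempKeyUrl
                + "?userId=" + HttpUtility.UrlEncode(userName)
                + "&key=" + key);
        }
        return "https://www.app2.com/login.aspx?tempKey=" + key;
    }
}

// ---------- App2 (Bar): SetTempKey.aspx code-behind ----------
public partial class SetTempKey : Page
{
    // Only App1's server may register keys (the IP allow-list from the answer;
    // the address below is a placeholder).
    static readonly string[] AllowedCallers = { "203.0.113.10" };
    static readonly TimeSpan KeyLifetime = TimeSpan.FromMinutes(2);

    protected void Page_Load(object sender, EventArgs e)
    {
        if (Array.IndexOf(AllowedCallers, Request.UserHostAddress) < 0)
        {
            Response.StatusCode = 403;
            Response.End();
        }
        string userId = Request.QueryString["userId"];
        string key = Request.QueryString["key"];
        if (string.IsNullOrEmpty(userId) || string.IsNullOrEmpty(key))
        {
            Response.StatusCode = 400;
            Response.End();
        }
        // Absolute expiration in HttpRuntime.Cache, as the comments suggest:
        // the key dies on its own if the user never clicks the link.
        HttpRuntime.Cache.Insert("tempkey:" + key, userId, null,
            DateTime.UtcNow.Add(KeyLifetime), Cache.NoSlidingExpiration);
    }
}

// ---------- App2 (Bar): login.aspx code-behind ----------
public partial class Login : Page
{
    // Assumed: App1's login page, where users without a valid key are sent.
    const string App1LoginUrl = "https://www.app1.com/login.aspx";

    protected void Page_Load(object sender, EventArgs e)
    {
        string key = Request.QueryString["tempKey"];
        if (string.IsNullOrEmpty(key))
        {
            Response.Redirect(App1LoginUrl);   // not logged in at Foo: go there first
            return;
        }
        string cacheKey = "tempkey:" + key;
        var userId = HttpRuntime.Cache[cacheKey] as string;
        // Single use: remove the key before signing in so a replayed link fails.
        HttpRuntime.Cache.Remove(cacheKey);
        if (userId == null)
        {
            Response.Redirect(App1LoginUrl);   // unknown or expired key
            return;
        }
        // Issue App2's own Forms ticket. A non-persistent cookie keeps the
        // sign-in bound to this browser session (the answer passes true).
        FormsAuthentication.RedirectFromLoginPage(userId, false);
    }
}

// App2 web.config (assumed fragment) so that every other page in Bar requires
// a Forms ticket and anonymous requests land on login.aspx, which in turn
// redirects to Foo's login page when no valid tempKey is present:
//   <authentication mode="Forms"><forms loginUrl="login.aspx" /></authentication>
//   <authorization><deny users="?" /></authorization>
```

The cache lookup is what makes the key meaningful: App2 trusts the username only because App1 registered it moments earlier from an allow-listed address, and the short absolute expiration plus the Remove() on first use limit how long a leaked link (browser history, a proxy log, a Referer header) is worth anything.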