Hi all,

I currently have three websites all running from the same DB.

Example websites:

  • www.mysite.com
  • admin.mysite.com
  • members.mysite.com

Now, because this all runs from a single DB, they all use the same .NET Membership tables.

  • All members are in a role: Member
  • All Admins are in a role: Admin

So the admins can log into the admin site and access all their admin functions etc. But the members, if they try to log into the admin area, are bounced back to the login screen without any message. What I want to happen is to redirect them to the site members.mysite.com and have them logged in.

I could send them to a page in the admin site that does a response.redirect('http://members.mysite.com'); but then they have to log in again.

So is there any good way to do this, or am I left doing something insecure and hacky with querystring?

A: 

Querystring is fine as long as you use a unique 'one time token' that gets deleted after it's used to perform the login (this is how Google does it).

EDIT - Basic procedure is

  1. Generate a cryptographically secure token
  2. Store token/username combo in database
  3. Redirect to new site with ?token=XXXXXXXXXXXXXXXX
  4. New site sees token, looks up matching username in database and deletes token
  5. Perform login procedure as that user
wefwfwefwe
Any idea how to do this? The way I would do it straight off the bat would be to send an encrypted version of the username and password, but that is really bad.
JamesStuddart
Great, thanks. Thought that's what you meant but wanted to make sure.
JamesStuddart
Just thought I would leave a comment to say this is an excellent way of doing it and it works seamlessly. A few fiddly webservices, but it's all good, thanks.
JamesStuddart
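
The five-step procedure in the answer, as an added C# example (not code from the original thread). The class name, the in-memory dictionary standing in for a table in the shared DB, the expiry time, and storing only a hash of the token are all assumptions added here.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper; the dictionary stands in for a table in the shared DB.
public sealed class OneTimeLoginTokens
{
    private sealed class Entry { public string Username; public DateTime ExpiresUtc; }

    private readonly ConcurrentDictionary<string, Entry> _store =
        new ConcurrentDictionary<string, Entry>();
    private readonly TimeSpan _lifetime;

    public OneTimeLoginTokens(TimeSpan lifetime) { _lifetime = lifetime; }

    // Steps 1-2: generate a random token, store only its hash with the username.
    public string Issue(string username)
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = ToHex(raw);
        _store[Hash(token)] = new Entry { Username = username, ExpiresUtc = DateTime.UtcNow + _lifetime };
        return token; // step 3: goes into the redirect as ?token=...
    }

    // Step 4: look up and delete in one atomic operation, so a replayed or
    // concurrently submitted token fails. Returns null if unknown, used or expired.
    public string Redeem(string token)
    {
        if (string.IsNullOrEmpty(token)) return null;
        Entry entry;
        if (!_store.TryRemove(Hash(token), out entry)) return null;
        return entry.ExpiresUtc >= DateTime.UtcNow ? entry.Username : null;
    }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return ToHex(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }

    private static string ToHex(byte[] bytes)
    {
        return BitConverter.ToString(bytes).Replace("-", "");
    }
}
```

For step 5, the members site would pass a non-null result of `Redeem` to `FormsAuthentication.SetAuthCookie(username, false)`. Because the token travels in the URL, a lifetime of a minute or so and an HTTPS redirect target limit what a logged or leaked URL is worth.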