Forms Authentication across applications

Discussion in 'ASP .Net Security' started by Janaka, May 10, 2004.

  1. Janaka

    Janaka Guest

    I've read the material on Forms Authentication and I've set this up for
    several websites without any problems. Basically there's 2 applications for
    each site.
    1. The "www" application for the non-secure pages - http://www.domain.com
    2. The "secure" application for sensitive pages like checkout, login,
    etc. - https://secure.domain.com

    All sites follow this format. The application files are on physically
    separate machines.

    Now the problem I'm having is that I'd like to use the Forms Authentication
    cookie to see whether the user has been authenticated on my "www" pages.
    However, it appears as if they haven't logged in. I had a look at the msdn
    article to set up authentication across applications
    ( http://msdn.microsoft.com/library/d.../html/cpconformsauthenticationcredentials.asp )
    but found the isolateApplications attribute doesn't exist??
    As you can see this isn't stated on the <machineKey> reference either:
    http://msdn.microsoft.com/library/d...n-us/cpgenref/html/gngrfmachinekeysection.asp

    Has anyone gotten forms authentication to work between 2 applications? I'd
    like to use SSL for my login page but it appears that won't work because the
    first part of the domain is different?
     
    Janaka, May 10, 2004
    #1

  2. You might have a cookie persistence issue with your cross-domain
    scenario. You have some good hints about this here:
    http://www.codeproject.com/aspnet/aspnetsinglesignon.asp.
    About the SSL certificate issue, you should have a cert. for
    secure.domain.com, which is where your secure pages reside.
    "isolateApplications" is not an attribute; it's a modifier to the
    decryptionKey or validationKey attributes, and the usage is as stated in the
    machine key help.

    <machineKey validationKey="AutoGenerate,IsolateApps"
    decryptionKey="AutoGenerate,IsolateApps"
    validation="SHA1"/>

    The isolateApps option is specified to generate unique keys for each
    application on the server. Unfortunately, the sample in your first link is
    wrong.

    --
    Hernan de Lahitte
    Lagash Systems S.A.
    http://weblogs.asp.net/hernandl

    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Hernan de Lahitte, May 10, 2004
    #2
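
    An added illustration, not part of the original posts: the per-application key setting from the reply above beside a web.config fragment that lets two applications accept the same Forms Authentication ticket. The key strings are placeholders, the loginUrl path is hypothetical, and the cookie domain is assumed from the hostnames in the thread.

```xml
<!-- Per-application keys, as in the reply above. AutoGenerate keys differ
     per machine, and IsolateApps makes them differ per application, so a
     ticket issued by "secure" fails validation in "www". -->
<system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps"
              validation="SHA1"/>
</system.web>

<!-- Shared ticket: put the same explicit values in the web.config of BOTH
     applications (on both machines). Key strings below are placeholders. -->
<system.web>
  <machineKey validationKey="REPLACE_WITH_SHARED_VALIDATION_KEY_HEX"
              decryptionKey="REPLACE_WITH_SHARED_DECRYPTION_KEY_HEX"
              validation="SHA1"/>
  <authentication mode="Forms">
    <!-- name, path and protection must match in both applications.
         loginUrl is a hypothetical path on the thread's secure host.
         domain (ASP.NET 2.0 and later) scopes the cookie to both hosts;
         on 1.x the cookie's Domain has to be set in code when it is issued.
         requireSSL="true" marks the cookie Secure, so the browser will not
         send it to http://www.domain.com; leaving it false lets "www" read
         the ticket but also sends the ticket over plain HTTP. -->
    <forms name=".ASPXAUTH"
           loginUrl="https://secure.domain.com/login.aspx"
           protection="All"
           path="/"
           domain=".domain.com"
           requireSSL="false"/>
  </authentication>
</system.web>
```

    Treat the shared key values as secrets: anyone who holds them can produce tickets that both applications accept.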

  3. Janaka

    Janaka Guest

    Thanks I'll give this a go and see how it turns out.
     
    Janaka, May 10, 2004
    #3