Issue using ASP.NET forms authentication with frame redirect

Discussion in 'ASP .Net Security' started by dpomt, Dec 9, 2007.

  1. dpomt

    dpomt Guest

    I am facing an issue using ASP.NET forms authentication.

    Scenario:
    Machine 1: http://subd1.provider1.com (1)
    Frame redirect to http://subd.provider2.com
    Machine 2: http://subd2.provider2.com (2)

    For both URLs, I am getting the login page.
    For (2), I could successfully login and the DestinationPageUrl is displayed
    right after.
    The problem is that for (1) after login the login page is displayed again
    instead of the DestinationPageUrl.

    I assume it has something to do with the frame redirect.

    If I first go to (2) and successfully login and later go to (1), it tells me
    I am already logged in and things work fine.

    I have already tried to use session state mode 'StateServer' with no success.


    Any help would be greatly appreciated!
    Dieter
    dpomt, Dec 9, 2007
    #1

  2. Hi Dieter,

    I'm not very clear about your current configuration now, so I need to ask
    for some information first:

    1) Are you trying to achieve Single-Sign-On between different website
    domains? Usually the forms authentication cookie (if cookie is enabled) can
    be shared by domains subd1.domain.com and subd2.domain.com, but not between
    subd.domain1.com and subd.domain2.com.
    2) Do you mean that a page in the frameset is redirected to
    http://subd.provider2.com and you will be presented two login pages? Is the
    first login page also from domain provider2.com?
    3) Are you encrypting the forms authentication ticket? If this is the case, you
    will need to make sure the machine key used between two websites is the
    same; they're auto-generated by default.

    Please see if the following pages help:

    #Single Sign On across multiple ASP.NET applications > Developer's Corner -
    Resources for Developers > Knowledge Base
    http://www.developer-corner.com/Resources/KnowledgeBase/tabid/118/articleType/ArticleView/articleId/23/Default.aspx


    #Hosting Multiple Web Applications
    http://msdn2.microsoft.com/en-us/library/aa302436.aspx


    Regards,
    Walter Wang (, remove 'online.')
    Microsoft Online Community Support

    ==================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    ==================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Walter Wang [MSFT], Dec 10, 2007
    #2

  3. dpomt

    dpomt Guest

    Hello Walter,

    thanks for your reply.
    Concerning your questions:
    1) no. The only thing I want is to use frame redirect to redirect a domain
    hosted at provider A to my server (that runs the website) at provider B.
    2) yes/yes
    3) doesn't matter since I have no ASP.NET web at provider A (see 1))


    Let me try to explain the issue in more detail:

    (1)
    http://subdomain.domain1.com/index.html
    <html>
    <head>
    </head>
    <frameset rows="100%">
    <frame src="http://subdomain.domain2.com/" frameborder="0"
    noresize="noresize"/>
    </frameset>
    </html>


    (2)
    http://subdomain.domain2.com/somepage.aspx

    In http://subdomain.domain2.com/web.config, there is forms authentication
    activated and somepage.aspx is secured:

    <location path="somepage.aspx">
    <system.web>
    <authorization>
    <deny users="?"/>
    </authorization>
    </system.web>
    </location>




    When calling (2), http://subdomain.domain2.com/somepage.aspx triggers
    http://subdomain.domain2.com/login.aspx?ReturnUrl=/somepage.aspx. I then
    could enter my credentials and right after, the content of
    http://subdomain.domain2.com/somepage.aspx is displayed.

    When calling (1), I will also get the login.aspx from (2) (through the
    frame), but after entering my credentials, login.aspx is shown again and not
    - as expected - the content of http://subdomain.domain2.com/somepage.aspx (in
    the frame).


    Hope things are getting clearer now.

    dpomt, Dec 10, 2007
    #3
  4. Hi Dieter,

    Thanks for your detailed explanation. Now I have a clearer picture of the
    issue.

    I believe this is because IE by default rejects cookies from a frame and
    ASP.NET Forms Authentication needs the cookie to be accepted at client-side
    to be considered as "logged in".

    Here's some explanation and possible workarounds:

    #ASP.NET Resources - Frames, ASPX Pages and Rejected Cookies
    http://aspnetresources.com/blog/frames_webforms_and_rejected_cookies.aspx

    I think the simplest workaround will be to prevent your login page from
    being put in a frameset by using the JavaScript below:

    <script type="text/javascript">
    if (top != self)
    top.location.href = location.href;
    </script>


    Regards,
    Walter Wang (, remove 'online.')
    Microsoft Online Community Support

    Walter Wang [MSFT], Dec 11, 2007
    #4
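
Added example (not part of the original posts): a small model of the login flow discussed above, showing why the same credentials end on somepage.aspx when (2) is opened directly but loop back to login.aspx when (2) is framed by (1). The function names, the two-label "site" comparison and the `blocksThirdPartyCookies` switch are assumptions made for illustration; the hosts and paths are the ones quoted in the thread.

```javascript
"use strict";

// Simplified "site" of a URL: the last two host labels. Assumption: enough for
// the thread's hosts; real browsers consult the Public Suffix List.
function siteOf(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// A framed document is third-party when its site differs from the site of the
// top-level document (the one shown in the address bar).
function isThirdParty(topUrl, frameUrl) {
  return siteOf(topUrl) !== siteOf(frameUrl);
}

// Server on domain2: somepage.aspx is covered by <deny users="?"/>.
// ".ASPXAUTH" is the default forms authentication cookie name.
function serve(method, path, jar) {
  if (method === "POST" && path === "/login.aspx") {
    // Credentials are assumed valid: issue the ticket and go to ReturnUrl.
    return { status: 302, location: "/somepage.aspx", setCookie: ".ASPXAUTH" };
  }
  if (path === "/login.aspx") return { status: 200, page: "login.aspx" };
  if (jar.has(".ASPXAUTH")) return { status: 200, page: "somepage.aspx" };
  return { status: 302, location: "/login.aspx?ReturnUrl=/somepage.aspx" };
}

// Browser: returns the page displayed after the user submits the login form.
// jar holds cookies already stored for domain2 (empty on a first visit).
function finalPageAfterLogin(topUrl, frameUrl, blocksThirdPartyCookies, jar = new Set()) {
  const dropCookie = blocksThirdPartyCookies && isThirdParty(topUrl, frameUrl);
  let res = serve("POST", "/login.aspx", jar);
  if (res.setCookie && !dropCookie) jar.add(res.setCookie); // rejected when framed cross-site
  res = serve("GET", res.location, jar);
  while (res.status === 302) {
    res = serve("GET", res.location.split("?")[0], jar); // follow redirect to login.aspx
  }
  return res.page;
}

const TOP = "http://subdomain.domain1.com/index.html"; // (1) frameset page
const APP = "http://subdomain.domain2.com/";           // (2) ASP.NET site
console.log("(2) direct:", finalPageAfterLogin(APP, APP, true));
console.log("(1) framed:", finalPageAfterLogin(TOP, APP, true));
```

Passing a jar that was filled during a direct visit to (2) models the other observation in the thread: a ticket stored first-party is still presented inside the frame, so (1) then shows somepage.aspx.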
  5. dpomt

    dpomt Guest

    Walter,

    thanks a lot for your explanation. This makes sense and I now do understand
    why the frame redirect does not work for me with ASP.NET authentication.

    > I think the simplest workaround will be to prevent your login page from
    > putting in a frameset by using javascript below:
    > ...

    This is no option for me since the only reason I am using frame redirect is
    to see domain1 in the browser address bar instead of domain2.

    I guess the only possibility for me will be to move the domain1 to the
    provider that also hosts domain2.

    Thanks again and best regards
    Dieter
    dpomt, Dec 12, 2007
    #5