Use asp.net web apps login for a second asp.net web app

dev648237923

We have an ASP.NET web application that uses Forms Authentication. We need
to launch a second application from links in this app. We don't want the
user to have to also log in to this second app. Is there a way to let the
second app know that we are authenticated on the first app? I thought about
just using the HTTP_REFERER and saying the second app cannot launch from
anywhere except the links on the first app, but it's too easily spoofed.
I'd love to be able to somehow see the auth ticket from the first app or
something like that.

Thank you for any ideas!
dev648237923

That's great -- thank you!

I noticed an important security note when I looked into this, so I'll post
it here for any others who see this:

> Setting the EnableCrossAppRedirects property to true to allow
> cross-application redirects is a potential security threat. When
> cross-application redirects are allowed, your site is vulnerable to
> malicious Web sites that use your login page to convince your Web site users
> that they are using a secure page on your site. To improve security when
> using cross-application redirects, you should override the
> RedirectFromLoginPage method to allow redirects only to approved Web sites.

(ref.: http://msdn2.microsoft.com/en-us/library/1f5z1yty(VS.80).aspx)
Steven Cheng[MSFT]

Hello dev648237923,

The security warning you saw about the "EnableCrossAppRedirects" setting is
due to the consideration of some potentially malicious sites (unexpected
sites) that will send redirections to your page. Actually,
"EnableCrossAppRedirects" is only checked when you call the
"FormsAuthentication.RedirectFromLoginPage" or "GetRedirectUrl" methods (if
it is not enabled, you cannot use these two methods to redirect to, or get the
redirect path of, another remote application).

Therefore, you can actually disable this setting if you do not have to call
the above two methods. For example, you can let your cross application
always pass a certain security identifier in the query string when redirecting
unauthenticated users to the login application's login.aspx. Thus, the
login page can use the query string value (or one from a cookie). And after
authenticating the user, you can simply call
"FormsAuthentication.SetAuthCookie" to set the authentication ticket and
manually use Response.Redirect to forward the user to the original
site (supposing there are only a limited number of applications that can share
the same central login application).

Here are some other resources on configuring the machine key and cross
application forms authentication:

#How To: Configure MachineKey in ASP.NET 2.0
http://msdn2.microsoft.com/en-us/library/ms998288.aspx

#Single sign-on across multiple applications in ASP.NET
http://www.codeproject.com/aspnet/aspnetsinglesignon.asp

Hope this also helps some.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.
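The allowlisted approach described in the reply above, as an added example that is not code from the original thread: the central login page takes a short application identifier from the query string, looks it up in a fixed table of approved landing URLs instead of redirecting to a caller-supplied URL, issues the ticket with SetAuthCookie, and forwards the user with Response.Redirect. The dictionary contents, the control names (UserName, Password, FailureText) and the example.com hosts are assumptions; the cookie is only usable by the second application if both share the same machineKey and the forms cookie name, path and domain settings put it in scope for that site.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;

public partial class Login : System.Web.UI.Page
{
    // Hypothetical allowlist: identifier passed as ?app=... maps to the only
    // landing URLs this login page will ever redirect to. Keeping the table
    // server-side means the request cannot steer the user to a site of its choosing.
    private static readonly Dictionary<string, string> ApprovedApps =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "app2",    "https://app2.example.com/Default.aspx" },
            { "reports", "https://reports.example.com/Default.aspx" },
        };

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserName.Text;
        if (!Membership.ValidateUser(user, Password.Text))
        {
            FailureText.Text = "Invalid credentials.";
            return;
        }

        // Issue the forms ticket. The second application can decrypt it only
        // when both apps share the same <machineKey>, and the browser sends the
        // cookie to it only when the forms name/path/domain settings match.
        FormsAuthentication.SetAuthCookie(user, false);

        // Manual redirect: EnableCrossAppRedirects can stay false because
        // RedirectFromLoginPage / GetRedirectUrl are never called here.
        Response.Redirect(ResolveReturnUrl(Request.QueryString["app"]), true);
    }

    // Resolve the identifier against the allowlist; anything unknown or missing
    // falls back to this site's own DefaultUrl rather than an attacker-chosen URL.
    internal static string ResolveReturnUrl(string appId)
    {
        string target;
        if (!string.IsNullOrEmpty(appId) && ApprovedApps.TryGetValue(appId, out target))
        {
            return target;
        }
        return FormsAuthentication.DefaultUrl;
    }
}
```

The link in the first application then points at the login page as `login.aspx?app=app2`, and any other value for `app` simply lands on the login site's default page.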