asp.net login contol using url redirect

[Rico Wind]

Hello

I have an asp.net website that uses the login control and a custom build
membership provider. The site is running fine, but the problem is that
i cannot use it in a frame from another site. When logging in the login
screen just reapears. It will however give back a message if a wrong
username/password combination is given.
I could of course put the code on the site that uses the frame, but the
component is to be used from several sites and I would really like to
keep the code on one server to easially be able to upgrade the
underlying pages.

/rw

 

[Dominick Baier [DevelopMentor]]

Hello Rico,

so the login control is in a different application on your server??

the resulting authentication cookie is encrypted, with a key that is unique
for each application. So if LoginApp1 creates and encrypts the cookie MainApp
will not be able to decrypt the cookie again.

You can manually set the key used for enc/decyption and it has to be the
same for both apps.

Have a look at the machineKey section in machine/web.config. We have a tool
on our website which can generate you the necessary xml elements - just copy
that to all web.configs or machine.config if you want to have the same key
for all apps on the machine.
http://www.develop.com/technology/resourcedetail.aspx?id=78da5ca5-5079-4f8f-99c5-b080117ceac0

 

[Rico Wind]

Hello Dominick and thank you for you answer but i think you
misunderstood my problem.

Hello Rico,

so the login control is in a different application on your server??

No the login is an integrated part of the application. The problem is
that if i open the site directly from xxx.xxx/application/login.aspx
it is functioning as expected, i.e., the user is logged in.
If however I include the site in a frame on another site, e.g.,
zzz.zzz/myframepage.html the login does not work. I expect that the
problem is that the cookie which is automaticaly created is connected to
the zzz.zzz domain and not the xxx.xxx domain, but I am not sure. And
even if I am right how do I work around this problem?
Note that the zzz.zzz domain does not use any information from the
xxx.xxx/application, the only thing is that it should be able to run
in a frame.

/rw

 

[Dominick Baier [DevelopMentor]]

Hello Rico,

ah ok -

yes - you are right. a cookie for www.domain1.com won't be sent to www.domain2.com

what you can get to work is that a cookie for xxx.domain.com will be sent
to yyy.domain.com e.g.

You have to manually issue the cookie and set the Domain property on the
HttpCookie class accordingly.

but from your requirements i assume that the complete domain name changes
- this is not supported (not ASP.NET's fault - it is a RFC)

 

[Rico Wind]

I finally solved the problem. The solution was very simple as asp.net
2.0 supports cookieless forms authentication by putting the
cookieless="UseUri" attribute in the forms tag in the web.config.

/rw

 

[Dominick Baier [DevelopMentor]]

Hello Rico,

ah - maybe you should mention the framework next time

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

I finally solved the problem. The solution was very simple as asp.net
2.0 supports cookieless forms authentication by putting the
cookieless="UseUri" attribute in the forms tag in the web.config.

/rw

Hello Rico,

ah ok -
yes - you are right. a cookie for www.domain1.com won't be sent to
www.domain2.com
what you can get to work is that a cookie for xxx.domain.com will be
sent to yyy.domain.com e.g.

You have to manually issue the cookie and set the Domain property on
the HttpCookie class accordingly.

but from your requirements i assume that the complete domain name
changes - this is not supported (not ASP.NET's fault - it is a RFC)

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Hello Dominick and thank you for you answer but i think you
misunderstood my problem.

Dominick Baier [DevelopMentor] wrote:

Hello Rico,

so the login control is in a different application on your server??

No the login is an integrated part of the application. The problem
is
that if i open the site directly from xxx.xxx/application/login.aspx
it is functioning as expected, i.e., the user is logged in.
If however I include the site in a frame on another site, e.g.,
zzz.zzz/myframepage.html the login does not work. I expect that the
problem is that the cookie which is automaticaly created is
connected
to
the zzz.zzz domain and not the xxx.xxx domain, but I am not sure.
And
even if I am right how do I work around this problem?
Note that the zzz.zzz domain does not use any information from the
xxx.xxx/application, the only thing is that it should be able to run
in a frame.
/rw
the resulting authentication cookie is encrypted, with a key that
is unique for each application. So if LoginApp1 creates and
encrypts the cookie MainApp will not be able to decrypt the cookie
again.

You can manually set the key used for enc/decyption and it has to
be the same for both apps.

Have a look at the machineKey section in machine/web.config. We
have a tool on our website which can generate you the necessary xml
elements - just copy that to all web.configs or machine.config if
you want to have the same key for all apps on the machine.
http://www.develop.com/technology/resourcedetail.aspx?id=78da5ca5-5
07 9-4f8f-99c5-b080117ceac0

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hello

I have an asp.net website that uses the login control and a custom
build
membership provider. The site is running fine, but the problem is
that
i cannot use it in a frame from another site. When logging in the
login
screen just reapears. It will however give back a message if a
wrong
username/password combination is given.
I could of course put the code on the site that uses the frame,
but
the
component is to be used from several sites and I would really like
to
keep the code on one server to easially be able to upgrade the
underlying pages.
/rw