Re: Forms Authentication Name property

From: Mike Moore [MSFT] (michmo@online.microsoft.com)
Date: 03/20/03


From: michmo@online.microsoft.com ("Mike Moore [MSFT]")
Date: Thu, 20 Mar 2003 00:09:16 GMT


Hi Joe,

No, a given domain (www.mysite.com) does not need to be a single web
application. Various folders within that domain can be their own web
applications.

If www.mysite.com points to your web root directory, then you can have any
number of web applications within it that all use the same authentication
cookie name. Then folks can login once for all the applications.

For example, www.mysite.com/sales and www.mysite.com/purchasing could both
use a forms authentication cookie named "mysite".

What I was describing is if you have two separate domains. For example,
suppose the sales and purchasing web applications mentioned above had their
own domains: www.MySiteSales.com and www.MySitePurchasing.com. Then they
could not share a common login because the cookie would not be shared
across the domains.

Does this help?

Thank you, Mike Moore
Microsoft, ASP.NET

This posting is provided "AS IS", with no warranties, and confers no rights.

--------------------
>From: "Joe Reazor" <joenospam@belgor.com>
>Subject: Re: Forms Authentication Name property
>Date: Wed, 19 Mar 2003 16:35:58 -0500
>
>So based on this fact would you then say that any one given domain (i.e.
>www.mysite.com) should be one single web app regardless of how many
>subfolders there are under this root site? That seems contrary to other
>things I remember reading from Microsoft. Also, what if I want to have
>different authorization schemes for some of the sub folders so that some
>were more secure than others, I wouldn't want my users to have to log in
>again?
>
>The end result is that while having security (authorization and
>authentication) integrated within .Net, I would really like to have a
>product that sat on top of .Net more like Site Server P&M did for ASP.
>There isn't a solution available like that is there?
>
>
>==============
>Joe Reazor
>Gorbel Inc.
>email: joereaATgorbelDOTcom
>
>""Mike Moore [MSFT]"" <michmo@online.microsoft.com> wrote in message
>news:tR3ds7Y7CHA.1456@cpmsftngxa06...
>> Hi Joe,
>>
>> It's tricky to have multiple web applications use the same login page
>> with Forms Authentication.
>>
>> In the web.config, you specify the name to be used for the authentication
>> cookie. If you specify the same name for all your apps that use a central
>> login page, then this can work. Once they login to any of your web apps,
>> they will be logged into all of your web apps. If you want to use the
>> same login page, but you only want them authenticated for some web apps,
>> then this will be a problem.
>>
>> Also, all the web apps must use the same "domain" as the login page.
>> Forms authentication is based on cookies. A cookie is saved by the BROWSER
>> and sent to the server along with the request for a page. The BROWSER
>> chooses when to send cookies. The browser ONLY sends cookies to the
>> "domain" from which the browser received the cookies.
>>
>> Suppose you browse to http://MyLocalMachine/MyPage.aspx and that page
>> sets a cookie. Next, you browse to http://localhost/MyPage.aspx. You might
>> expect for MyPage to receive the cookie that was set when you first
>> browsed the page. However, the domain "MyLocalMachine" is not the same as
>> "localhost". Therefore, your browser will not send the cookie it received
>> from "MyLocalMachine" to "localhost".
>>
>> This means that your web applications and your login page must all be
>> accessed with the same domain section of the URL.
>>
>> Lots of people get confused on this. So, I'm including more on this
>> below. You can skip that part if you don't need it.
>>
>> Does this answer your question?
>>
>> ----
>> Additional explanation of how browsers only send cookies to the domain
>> from which it received the cookie.
>>
>> I can access a local page either by localhost or by machine name. If my
>> machine is named "abc", then I would use these addresses:
>> - http://abc/CookiePage.aspx
>> - http://localhost/CookiePage.aspx
>>
>> If CookiePage writes a cookie when I browse it via my machine name, that
>> cookie is stored by my browser as being a cookie associated with the abc
>> domain.
>>
>> If I then browse CookiePage using "localhost", my browser will NOT send
>> the cookie which it received when it was browsing the page via "abc".
>> Therefore, I don't know how it is that your browser is receiving a cookie
>> from xyz.net and then sending that cookie to abc.net.
>>
>> ---
>> Here is a sample to demonstrate.
>>
>> * Create a page named CookiePage.aspx in your root directory.
>>
>> * Add two hyperlinks to the page
>> - set the first one to http://abc/CookiePage.aspx
>> - set the second to http://localhost/CookiePage.aspx
>>
>> * Add a button to the page
>>
>> * Add this to the code-behind:
>>
>> ' List every cookie the browser sent with this request.
>> Private Sub Page_Load(ByVal sender As System.Object, _
>>         ByVal e As System.EventArgs) Handles MyBase.Load
>>     Dim content As New System.Text.StringBuilder()
>>     Dim loop1 As Integer
>>     Dim arr1() As String
>>     Dim MyCookie As HttpCookie
>>
>>     arr1 = Request.Cookies.AllKeys
>>     content.Append("<table><tr align=left><th>Cookie Name</th>" & _
>>         "<th>Value</th></tr>")
>>     For loop1 = 0 To arr1.GetUpperBound(0)
>>         MyCookie = Request.Cookies(arr1(loop1))
>>         ' Cookie names and values are client-supplied: encode before output.
>>         content.Append("<tr><td>" & Server.HtmlEncode(MyCookie.Name) & _
>>             "</td><td>" & Server.HtmlEncode(MyCookie.Value) & "</td></tr>")
>>     Next loop1
>>     content.Append("</table>")
>>     Response.Write(content.ToString)
>> End Sub
>>
>> ' Set (or refresh) the "Time" cookie for the host being browsed.
>> Private Sub Button1_Click(ByVal sender As System.Object, _
>>         ByVal e As System.EventArgs) Handles Button1.Click
>>     Dim MyCookie1 As New HttpCookie("Time", Now.ToString)
>>     Response.Cookies.Add(MyCookie1)
>> End Sub
>>
>> ---
>> Next, browse the page and use the hyperlinks and the button to switch
>> between local host and machine name and to set cookies. When you click
>> the button, you will not see the new cookie immediately because the loop
>> which displays the cookies only shows cookies that the server just
>> received from the browser. After you click the button to set the cookie,
>> then click the hyperlink to re-browse the page and see the cookie.
>>
>> You will notice that you get a different time stamp for localhost vs abc.
>> However, the time stamp for each one (abc or localhost) remains the same
>> unless you update it by pressing the button. This demonstrates that the
>> browser uses a separate cookie for each domain, in this case abc and
>> localhost.
>>
>> Thank you, Mike Moore
>> Microsoft, ASP.NET
>>
>> This posting is provided "AS IS", with no warranties, and confers no
>> rights.
>>
>
>
>
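
The browser-side rule the thread relies on, as an added example that is not part of the original posts or of ASP.NET: a reduced RFC 6265 cookie matcher run against the host names used above. The function names and the cookie jar are constructed for illustration; Path=/ is assumed (the ASP.NET default), and public-suffix, Secure and expiry handling are left out.

```javascript
// Added example: RFC 6265 cookie matching, reduced to host, domain and path.
// Host names come from the thread; the stored cookies are constructed.

// RFC 6265 section 5.1.3: host equals the domain, or ends with "." + domain.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\./, "");
  return host === domain || host.endsWith("." + domain);
}

// RFC 6265 section 5.1.4: request path equals the cookie path or lies below it.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Store a cookie as the browser would after a response from setUrl.
// Without a Domain attribute the cookie is host-only (exact host match).
// A Domain attribute that does not cover the setting host is rejected (null).
function storeCookie(setUrl, name, attrs = {}) {
  const host = new URL(setUrl).hostname;
  if (attrs.domain && !domainMatch(host, attrs.domain)) return null;
  return {
    name,
    domain: (attrs.domain || host).toLowerCase().replace(/^\./, ""),
    hostOnly: !attrs.domain,
    path: attrs.path || "/", // assumption: Path=/ as ASP.NET emits by default
  };
}

// Would the browser attach this cookie to a request for url?
function isSent(cookie, url) {
  if (cookie === null) return false;
  const u = new URL(url);
  const hostOk = cookie.hostOnly
    ? u.hostname === cookie.domain
    : domainMatch(u.hostname, cookie.domain);
  return hostOk && pathMatch(u.pathname, cookie.path);
}

const ticket = storeCookie("http://www.mysite.com/sales/login.aspx", "mysite");
const demo = storeCookie("http://abc/CookiePage.aspx", "Time");
for (const [c, url] of [
  [ticket, "http://www.mysite.com/purchasing/default.aspx"],
  [ticket, "http://www.MySitePurchasing.com/default.aspx"],
  [demo, "http://localhost/CookiePage.aspx"],
]) console.log(c.name, "->", url, isSent(c, url));
```

Because the ticket carries Path=/, every application under www.mysite.com receives it, which is what makes the single login work and also why applications that must not share a login need distinct cookie names or paths.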