Re: Forms Authentication: login page in a separate web app

From: Brad (nospam_at_co.lane.or.us)
Date: 11/25/03


Date: Mon, 24 Nov 2003 19:55:54 -0800

Jim & Hari,
Here's the section from the book (and it's definitely worth having a hard
copy of this as I do)

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch08.asp
=================================================
Hosting Multiple Applications Using Forms Authentication

If you are hosting multiple Web applications that use Forms authentication
on the same Web server, it is possible for a user who is authenticated in
one application to make a request to another application without being
redirected to that application's logon page. The URL authorization rules
within the second application may deny access to the user, without providing
the opportunity to supply logon credentials using the logon form.
This only happens if the name and path attributes on the <forms> element are
the same across multiple applications and each application uses a common
<machineKey> element in Web.config.
=================================================

In our case we have one web application that is our intranet portal. The
portal app has the login page and handles creating the forms
authentication. All other web apps point to this one login page. When the
login is completed the login page redirects back to the calling page...and now
the user is back in the web app which required the authentication. All
that's left for a web app to do is populate the app-specific roles in the
authentication ticket and retrieve the roles....which we do in a common base
class for the global.asax. The portal app even manages the roles for all
of the other apps and serves them up to the other apps via a web service.

In the end all our web apps can implement the basics of common security with
very few lines of code.

Brad

"Jim Cheshire [MSFT]" <jamesche@online.microsoft.com> wrote in message
news:707$YVtsDHA.3444@cpmsftngxa07.phx.gbl...
> Brad,
>
> I'm not aware of any part of that book that indicates that you can point
> multiple applications to one login page. Maybe I'm not completely aware of
> what Hari is asking about.
>
> Hari, if you want to have one login page for multiple applications, you
> can't do that. However, if you want to allow a user to login using a login
> page and then have that login valid for other applications, that IS
> possible.
>
> The two do not accomplish the same thing. In the latter, it is assumed
> that a user will always log in to your application from one specific
> application. The scenario you originally described did not seem to relate
> to that requirement.
>
> Jim Cheshire, MCSE, MCSD [MSFT]
> Developer Support
> ASP.NET
> jamesche@online.microsoft.com
>
> This post is provided as-is with no warranties and confers no rights.
>
> --------------------
> >From: "Brad" <nospam@co.lane.or.us>
> >References: <042201c3934f$14869690$a401280a@phx.gbl>
> >Subject: Re: Forms Authentication: login page in a separate web app
> >Date: Mon, 24 Nov 2003 11:04:38 -0800
> >Message-ID: <OVwdR3rsDHA.3492@TK2MSFTNGP11.phx.gbl>
> >Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> >
> >Hari - This is quite possible and in fact we're using it; our portal app
> >manages all logins for all apps. You should read up on how to do this in
> >Building Secure Microsoft ASP.NET Applications
> >
> >http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp
> >
> >
> >
> >"Hari Menon" <anonymous@discussions.microsoft.com> wrote in message
> >news:042201c3934f$14869690$a401280a@phx.gbl...
> >> Hi,
> >>
> >> I would like to create a WebApp, say MySecurityProvider,
> >> that just contains a login page that knows how to
> >> authenticate a user. And I want other web apps, e.g.
> >> MyTestWebApp, that require authentication to point their
> >> loginUrl to the login page in my web app.
> >>
> >> Is that possible? I tried setting the loginUrl in
> >> MyTestWebApp to point to /MySecurityProvider/login.aspx.
> >> What happens is that the redirect to the login page
> >> succeeds and the login goes through as well and the
> >> cookie gets issued (I set the path to "/" in both the
> >> RedirectFromLoginPage() as well as in the <forms> tag).
> >> But the protected resource in MyTestWebApp still cannot
> >> be accessed. When I access an unprotected resource in
> >> MyTestWebApp and check the cookies that are set, I do see
> >> that the auth cookie IS there. But somehow I do not seem
> >> to be able to access the protected resource on
> >> MyTestWebApp - it always redirects me to the login page.
> >>
> >> Am I doing something wrong or is this not supposed to
> >> work?
> >
> >
> >
>
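
Added example, not part of the original posts or of the MSDN guide: a small check that compares the Web.config of the login application with that of a calling application on the three things the quoted book section names (the <forms> name, the <forms> path, and <machineKey>). The function names, the placeholder key values and the defaults assumed for absent attributes are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Assumed values when an attribute is absent (assumption: ASP.NET 1.1
# machine-level defaults; check the server's machine.config).
DEFAULTS = {"name": ".ASPXAUTH", "path": "/", "validation": "SHA1",
            "validationKey": "AutoGenerate,IsolateApps",
            "decryptionKey": "AutoGenerate,IsolateApps"}

# Constructed sample configs; key values are placeholders, not real keys.
SHARED_KEY = ('<machineKey validationKey="PLACEHOLDER-VALIDATION-KEY" '
              'decryptionKey="PLACEHOLDER-DECRYPTION-KEY" validation="SHA1"/>')
TEMPLATE = """<configuration><system.web>
  <authentication mode="Forms">
    <forms name=".PORTALAUTH" path="/" loginUrl="/MySecurityProvider/login.aspx"/>
  </authentication>
  %s
</system.web></configuration>"""
LOGIN_APP = TEMPLATE % SHARED_KEY        # MySecurityProvider
CALLING_BROKEN = TEMPLATE % ""           # MyTestWebApp, no <machineKey>
CALLING_FIXED = TEMPLATE % SHARED_KEY    # MyTestWebApp, same explicit keys

def auth_settings(web_config_xml):
    """Return the settings that decide whether a forms ticket is portable."""
    root = ET.fromstring(web_config_xml)
    forms = root.find("system.web/authentication/forms")
    key = root.find("system.web/machineKey")
    settings = dict(DEFAULTS)
    for elem, attrs in ((forms, ("name", "path")),
                        (key, ("validationKey", "decryptionKey", "validation"))):
        if elem is not None:
            settings.update({a: elem.get(a) for a in attrs
                             if elem.get(a) is not None})
    return settings

def sharing_problems(login_app_xml, calling_app_xml):
    """List reasons a ticket issued by the login app fails in the calling app."""
    a, b = auth_settings(login_app_xml), auth_settings(calling_app_xml)
    problems = []
    for attr in ("name", "path", "validation"):
        if a[attr] != b[attr]:
            problems.append(f"{attr} differs: {a[attr]!r} vs {b[attr]!r}")
    for attr in ("validationKey", "decryptionKey"):
        if "autogenerate" in (a[attr] + b[attr]).lower():
            problems.append(f"{attr} is auto-generated, not an explicit shared key")
        elif a[attr] != b[attr]:
            problems.append(f"{attr} differs between the two applications")
    return problems
```

An empty list from sharing_problems() means the cookie name, cookie path and keys line up; the calling application's own URL authorization rules still decide what the authenticated user may reach.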


