Re: Forms Authentication: login page in a separate web app

From: Jim Cheshire [MSFT] (jamesche_at_online.microsoft.com)
Date: 11/25/03


Date: Tue, 25 Nov 2003 15:14:22 GMT

Brad,

This is referring to the same thing that I said in my last post. It is
possible to share a FormsAuthenticationTicket between applications.
However, what Hari asked is how to have all applications point back to a
single login page. That is a different scenario.

Suppose you have three applications: AppA, AppB, and AppC. You use the
method of making sure that <machineKey> settings are identical for each
application and you have removed the isolatedApps attribute in the
machine.config if running 1.1. It is still going to use the loginURL for
the application you are accessing on first browse. It will still not allow
you to have, for example, AppA and AppB redirect to AppC's login page.

As per my post yesterday to Hari, if the goal here is to share
authentication between Forms Authentication applications, that is easy to
implement. If the goal is to share one single login page for all
applications, that is not possible.

Jim Cheshire, MCSE, MCSD [MSFT]
Developer Support
ASP.NET
jamesche@online.microsoft.com

This post is provided as-is with no warranties and confers no rights.
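
A check for the ticket-sharing condition discussed in this thread (matching `<forms>` name and path plus a common `<machineKey>`), as an added example that is not part of the original posts. The Web.config samples, cookie names, key placeholders and AppD are constructed, and it assumes only keys set explicitly in Web.config can be compared, so an inherited or auto-generated `<machineKey>` is reported as unknown.

```python
import xml.etree.ElementTree as ET
from itertools import combinations

# Constructed Web.config samples; the key values are placeholders, not real keys.
_KEYS = ('<machineKey validationKey="VALIDATION-KEY-PLACEHOLDER" '
         'decryptionKey="DECRYPTION-KEY-PLACEHOLDER" validation="SHA1"/>')

def _config(forms_attrs, machine_key=_KEYS):
    return ('<configuration><system.web><authentication mode="Forms">'
            f'<forms {forms_attrs}/></authentication>{machine_key}'
            '</system.web></configuration>')

SAMPLES = {
    "AppA": _config('name=".PORTALAUTH" path="/" loginUrl="login.aspx"'),
    "AppB": _config('name=".APPBAUTH" path="/" loginUrl="login.aspx"'),
    "AppC": _config('name=".PORTALAUTH" loginUrl="login.aspx"'),  # path omitted
    "AppD": _config('name=".PORTALAUTH" path="/" loginUrl="login.aspx"',
                    machine_key=""),  # no explicit keys in this file
}

def ticket_profile(web_config_xml):
    """Return the settings that decide ticket acceptance, or None if unknown."""
    web = ET.fromstring(web_config_xml).find("system.web")
    auth = web.find("authentication") if web is not None else None
    if auth is None or auth.get("mode") != "Forms":
        return None
    key = web.find("machineKey")
    if key is None:
        return None  # inherited from machine.config: cannot judge from this file
    keys = (key.get("validationKey", "AutoGenerate"),
            key.get("decryptionKey", "AutoGenerate"))
    if any("AutoGenerate" in k for k in keys):
        return None  # generated keys are not visible in the config
    forms = auth.find("forms")
    attrs = forms.attrib if forms is not None else {}
    # Defaults when the attributes are omitted: name ".ASPXAUTH", path "/".
    return (attrs.get("name", ".ASPXAUTH"), attrs.get("path", "/"),
            keys, key.get("validation", "SHA1"))

def shared_ticket_pairs(configs):
    """List application pairs that would accept each other's ticket cookie."""
    profiles = {app: ticket_profile(xml) for app, xml in configs.items()}
    return [(a, b) for a, b in combinations(sorted(profiles), 2)
            if profiles[a] is not None and profiles[a] == profiles[b]]

if __name__ == "__main__":
    for pair in shared_ticket_pairs(SAMPLES):
        print("shared ticket:", pair)
```

Every pair it reports is a pair where URL authorization in the second application, not its logon page, decides what an already-authenticated user can reach.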

--------------------
>From: "Brad" <nospam@co.lane.or.us>
>Subject: Re: Forms Authentication: login page in a separate web app
>Date: Mon, 24 Nov 2003 19:55:54 -0800
>Newsgroups: microsoft.public.dotnet.framework.aspnet.security
>
>Jim & Hari,
>Here's the section from the book (and it's definitely worth having a hard
>copy of this as I do)
>
>http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch08.asp
>=================================================
>Hosting Multiple Applications Using Forms Authentication
>
>If you are hosting multiple Web applications that use Forms authentication
>on the same Web server, it is possible for a user who is authenticated in
>one application to make a request to another application without being
>redirected to that application's logon page. The URL authorization rules
>within the second application may deny access to the user, without
>providing the opportunity to supply logon credentials using the logon form.
>This only happens if the name and path attributes on the <forms> element
>are the same across multiple applications and each application uses a
>common <machineKey> element in Web.config.
>=================================================
>
>In our case we have one web application that is our intranet portal. The
>portal app has the login page and handles creating the forms
>authentication. All other web apps point to this one login page. When the
>login is completed the login page redirects back to the calling page...and
>now the user is back in the web app which required the authentication. All
>that's left for a web app to do is populate the app specific roles in the
>authentication ticket and retrieve the roles....which we do in a common
>base class for the global.asax. The portal app even manages the roles for
>all of the other apps and serves them up to the other apps via a web
>service.
>
>In the end all our web apps can implement the basics of common security
>with very few lines of code.
>
>Brad
>
>
>
>"Jim Cheshire [MSFT]" <jamesche@online.microsoft.com> wrote in message
>news:707$YVtsDHA.3444@cpmsftngxa07.phx.gbl...
>> Brad,
>>
>> I'm not aware of any part of that book that indicates that you can point
>> multiple applications to one login page. Maybe I'm not completely aware
>> of what Hari is asking about.
>>
>> Hari, if you want to have one login page for multiple applications, you
>> can't do that. However, if you want to allow a user to login using a
>> login page and then have that login valid for other applications, that IS
>> possible.
>>
>> The two do not accomplish the same thing. In the latter, it is assumed
>> that a user will always log in to your application from one specific
>> application. The scenario you originally described did not seem to
>> relate to that requirement.
>>
>> Jim Cheshire, MCSE, MCSD [MSFT]
>> Developer Support
>> ASP.NET
>> jamesche@online.microsoft.com
>>
>> This post is provided as-is with no warranties and confers no rights.
>>
>> --------------------
>> >From: "Brad" <nospam@co.lane.or.us>
>> >Subject: Re: Forms Authentication: login page in a separate web app
>> >Date: Mon, 24 Nov 2003 11:04:38 -0800