Re: asp.net login control using url redirect

From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 07/20/05


Date: Wed, 20 Jul 2005 05:09:00 -0700

Hello Rico,

So the login control is in a different application on your server?

The resulting authentication cookie is encrypted with a key that is unique
for each application. So if LoginApp1 creates and encrypts the cookie, MainApp
will not be able to decrypt the cookie again.

You can manually set the key used for enc/decryption, and it has to be the
same for both apps.

Have a look at the machineKey section in machine/web.config. We have a tool
on our website which can generate the necessary XML elements for you - just copy
that to all web.configs, or to machine.config if you want to have the same key
for all apps on the machine.
http://www.develop.com/technology/resourcedetail.aspx?id=78da5ca5-5079-4f8f-99c5-b080117ceac0

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hello
>
> I have an asp.net website that uses the login control and a custom
> built membership provider. The site is running fine, but the problem
> is that I cannot use it in a frame from another site. When logging in,
> the login screen just reappears. It will however give back a message
> if a wrong username/password combination is given.
> I could of course put the code on the site that uses the frame, but
> the component is to be used from several sites and I would really like
> to keep the code on one server to easily be able to upgrade the
> underlying pages.
> /rw
>
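
Added example (not part of the original post, and not DevelopMentor's tool): a Python sketch that generates a machineKey element with random keys and checks whether two web.config files pin the same explicit key, which is the condition the reply gives for MainApp to decrypt LoginApp1's cookie. The key sizes, the SHA1/AES attribute values, the helper names and the sample configs are assumptions constructed for illustration.

```python
import secrets
import xml.etree.ElementTree as ET

KEY_ATTRS = ("validationKey", "decryptionKey")

def make_machine_key(validation_bytes=64, decryption_bytes=32):
    """Build a <machineKey> element with fresh random hex keys (assumed sizes)."""
    el = ET.Element("machineKey", {
        "validationKey": secrets.token_hex(validation_bytes).upper(),
        "decryptionKey": secrets.token_hex(decryption_bytes).upper(),
        "validation": "SHA1",   # assumed algorithm choices, not from the post
        "decryption": "AES",
    })
    return ET.tostring(el, encoding="unicode")

def machine_key_of(web_config_xml):
    """Return the machineKey attributes pinned in one config file, or None."""
    # Assumes a config without an XML namespace on <configuration>.
    el = ET.fromstring(web_config_xml).find("./system.web/machineKey")
    return dict(el.attrib) if el is not None else None

def shares_key(config_a, config_b):
    """True only if both files pin the same explicit keys and algorithms."""
    a, b = machine_key_of(config_a), machine_key_of(config_b)
    if a is None or b is None:
        return False  # nothing pinned here, so a shared key cannot be confirmed
    for attr in KEY_ATTRS:
        value = a.get(attr, "AutoGenerate")
        if value.startswith("AutoGenerate") or value != b.get(attr):
            return False  # auto-generated or mismatched key material
    return all(a.get(k) == b.get(k) for k in ("validation", "decryption"))

def web_config(machine_key_xml):
    """Wrap an element in a minimal constructed web.config."""
    return f"<configuration><system.web>{machine_key_xml}</system.web></configuration>"

# Constructed sample configs for the two applications named in the reply.
SHARED = make_machine_key()
LOGIN_APP1 = web_config(SHARED)
MAIN_APP_SHARED = web_config(SHARED)
MAIN_APP_AUTO = web_config(
    '<machineKey validationKey="AutoGenerate,IsolateApps" '
    'decryptionKey="AutoGenerate,IsolateApps" />')

if __name__ == "__main__":
    print(SHARED)
    print("same key pinned:", shares_key(LOGIN_APP1, MAIN_APP_SHARED))
    print("MainApp left on auto-generated key:", shares_key(LOGIN_APP1, MAIN_APP_AUTO))
```

The generated values are secret key material, so treat them like any other credential and restrict read access to the config files that hold them.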


