Re: ASP 2.0 Membership API



Hi,

Yes, that's possible. Besides the usual steps (syncing the machine key and ticket name), you have to put in extra work if the auth app and the real app are on different servers.

A big problem is that the ReturnUrl query string parameter appended to the request to the login page is always relative. This means that if you try to access the application at www1.develop.com/App1, you get redirected to auth.develop.com. After successful authentication you want to redirect back to the original application, but the ReturnUrl parameter contains only /App1 as the URL. This is an approved bug by Microsoft and will be fixed in a later version. To work around that problem you have to add some plumbing to both applications.

The solution to that problem is adding a local login page to the application that does a manual redirect to the central authentication application. Just add an application setting to web.config that points to the URL of the central login page.

<appSettings>
  <!-- URL of the central login page; read by the local login page below -->
  <add key="LoginUrl" value="http://auth.aspnetsec.com/AuthApp/Login.aspx" />
</appSettings>

The local login page reads that configuration value, constructs the return URL manually and does the redirect.


// Local login page of the application (needs System.Configuration and System.Web)
protected void Page_Load(object sender, EventArgs e)
{
    // central login page, taken from <appSettings> in web.config
    string loginUrl = ConfigurationManager.AppSettings["LoginUrl"];

    // FormsAuthentication only hands back a relative path, so build an absolute URL
    // from the host the request arrived on
    string hostname = Request.Url.DnsSafeHost;
    string returnUrl = "http://" + hostname + FormsAuthentication.GetRedirectUrl(string.Empty, false);

    // encode the absolute URL so that its "://" and any query string survive as one parameter value
    loginUrl = String.Format("{0}?ReturnUrl={1}", loginUrl, HttpUtility.UrlEncode(returnUrl));
    Response.Redirect(loginUrl);
}

If all your servers are in a contiguous namespace, you can use cookies:

The central login page in turn does the authentication, sets the cookie and redirects back to the original page.

// Central login page (FormsAuthHelper is the poster's own helper class)
protected void _btnLogin_Click(object sender, EventArgs e)
{
    if (FormsAuthHelper.Authenticate(_txtUsername.Text, _txtPassword.Text))
    {
        // issue the forms auth cookie for the shared domain, then go back to the calling app
        FormsAuthHelper.SetAuthCookie(_txtUsername.Text);
        Response.Redirect(Request.QueryString["ReturnUrl"]);
    }
    else
    {
        _litMessage.Text = "Try again";
    }
}


If not, you have to use cookieless auth.

This is possible by redirecting back using the following URL format: http://Server/App/default.aspx?TicketName=TicketValue.


// Central login page, cookieless variant: the ticket travels in the query string
protected void _btnLogin_Click(object sender, EventArgs e)
{
    if (FormsAuthHelper.Authenticate(_txtUsername.Text, _txtPassword.Text))
    {
        // append the encrypted ticket as <cookie name>=<ticket value> to the return URL
        Response.Redirect(String.Format("{0}?{1}={2}",
            Request.QueryString["ReturnUrl"],
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.GetAuthCookie(_txtUsername.Text, false).Value));
    }
    else
    {
        _litMessage.Text = "Try again";
    }
}


In the local application you have to enable cookieless Forms Authentication and allow authenticated users to come from external applications by setting the enableCrossAppRedirects attribute to 'true'.

<authentication mode="Forms">
  <forms enableCrossAppRedirects="true" cookieless="UseUri"/>
</authentication>


---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
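Both login-page variants above redirect to whatever ReturnUrl arrives in the query string. The following is an added example, not code from the original post, of the check a central login page can run before that redirect: only absolute http/https URLs whose host is on an allow-list of the participating applications are accepted, everything else falls back to a default page. The host names, the fallback path and the helper names IsTrustedReturnUrl and SafeRedirectTarget are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;

static class ReturnUrlCheck
{
    // Hosts of the applications allowed to receive the post-login redirect.
    // Constructed sample values; a real deployment reads them from configuration.
    static readonly HashSet<string> TrustedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "www1.develop.com", "www2.develop.com" };

    // True only for an absolute http/https URL whose host is on the allow-list.
    // Relative paths, other schemes and unknown hosts are all rejected.
    public static bool IsTrustedReturnUrl(string candidate)
    {
        Uri uri;
        if (string.IsNullOrEmpty(candidate) ||
            !Uri.TryCreate(candidate, UriKind.Absolute, out uri))
            return false;

        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps)
            return false;

        return TrustedHosts.Contains(uri.Host);
    }

    // The target the login page should redirect to: the checked ReturnUrl or a safe default.
    public static string SafeRedirectTarget(string candidate, string fallback)
    {
        return IsTrustedReturnUrl(candidate) ? candidate : fallback;
    }

    static void Main()
    {
        string[] samples =
        {
            "http://www1.develop.com/App1/default.aspx",  // accepted
            "https://www2.develop.com/App2/",              // accepted
            "/App1/default.aspx",                          // relative (or implicit file URI on some platforms): rejected
            "http://evil.example/phish",                   // unknown host: rejected
            "javascript:alert(1)",                         // non-http scheme: rejected
            "//evil.example/x"                             // scheme-relative: rejected either way
        };
        foreach (string s in samples)
            Console.WriteLine("{0,-45} -> {1}", s, SafeRedirectTarget(s, "/AuthApp/Default.aspx"));
    }
}
```

In the cookieless variant the same check belongs before the ticket is appended to the URL, so the ticket is only ever sent to a listed host.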

I am wondering how to create a security framework for all our web applications. Is it possible to create a single forms authentication (cookieless) setting for multiple web applications and web config files? For example, I want the security web site on our webserver to serve as a portal for other sites on our server. Example:

www.myFirstWebApp.com
web.config <forms loginUrl="www.myCentralLogin.com/login.aspx ">
www.mySecondWebApp.com
web.config <forms loginUrl="www.myCentralLogin.com/login.aspx ">

Both sites would authenticate using the central login web site. Is this possible if the websites are in different virtual directories or possibly different web servers?

Thanks


