Re: ASP 2.0 Membership API



Hi,

Yes, that's possible - besides the usual steps (syncing machine key and ticket name) - you have to put in extra work if the auth app and the real app are on different servers.

A big problem is that the returnURL query string parameter that is appended to the request to the login page is always relative. This means that if you try to access the application on www1.develop.com/App1, you get redirected to auth.develop.com. After successful authentication, you want to redirect back to the original application, but the returnURL parameter contains only /App1 as the URL. This is an approved bug by Microsoft and will be fixed in a later version. To work around that problem you have to add some plumbing to both applications.

The solution to that problem is adding a local login page to the application that does a manual redirect to the central authentication application. Just add an application setting to web.config to point to the URL of the central login page.

<appSettings>
  <add key="LoginUrl" value="http://auth.aspnetsec.com/AuthApp/Login.aspx" />
</appSettings>
The local login page reads that configuration value, constructs the return URL manually and does the redirect.


protected void Page_Load(object sender, EventArgs e)
{
    // URL of the central login page, from <appSettings> in web.config
    string loginUrl = ConfigurationManager.AppSettings["LoginUrl"];
    string hostname = Request.Url.DnsSafeHost;
    // GetRedirectUrl only returns a relative URL, so prefix scheme and host by hand
    string returnUrl = "http://" + hostname + FormsAuthentication.GetRedirectUrl(string.Empty, false);

    loginUrl = String.Format("{0}?ReturnUrl={1}", loginUrl, returnUrl);
    Response.Redirect(loginUrl);
}

If all your servers are in a contiguous namespace you can use cookies:

The central login page in turn does the authentication, sets the cookie and redirects back to the original page.

protected void _btnLogin_Click(object sender, EventArgs e)
{
    if (authenticate(_txtUsername.Text, _txtPassword.Text))
    {
        FormsAuthHelper.SetAuthCookie(_txtUsername.Text);
        Response.Redirect(Request.QueryString["ReturnUrl"]);
    }
    else
        _litMessage.Text = "Try again";
}


If not, you have to use cookieless auth.

This is possible by redirecting back using the following URL format: http://Server/App/default.aspx?TicketName=TicketValue.


protected void _btnLogin_Click(object sender, EventArgs e)
{
    if (FormsAuthHelper.Authenticate(_txtUsername.Text, _txtPassword.Text))
    {
        // pass the ticket in the query string instead of a cookie
        Response.Redirect(String.Format("{0}?{1}={2}",
            Request.QueryString["ReturnUrl"],
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.GetAuthCookie(_txtUsername.Text, false).Value));
    }
    else
        _litMessage.Text = "Try again";
}


In the local application you have to enable cookieless Forms Authentication and allow authenticated users to come from external applications by setting the enableCrossAppRedirects attribute to 'true'.

<authentication mode="Forms">
  <forms enableCrossAppRedirects="true" cookieless="UseUri"/>
</authentication>


---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
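The plumbing above sends the user to a central login page and then redirects to whatever ReturnUrl that page receives; the check a practitioner would want at that point is that the central page only redirects (and, in cookieless mode, only hands the ticket) to a host it trusts. The following is an added example, not code from the post, that collects the redirect logic into one helper and adds that allow-list check. ReturnUrlHelper, LocalLoginPage, CentralLoginPage and the appSettings key "TrustedReturnHosts" are assumed names; Membership.ValidateUser stands in for the post's FormsAuthHelper.Authenticate.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example (not from the original post). ReturnUrlHelper and the
// "TrustedReturnHosts" appSettings key are assumed names.
public static class ReturnUrlHelper
{
    // Local application: turn the relative URL from FormsAuthentication.GetRedirectUrl
    // into an absolute one. 'scheme' and 'host' come from Request.Url.
    public static string BuildAbsoluteReturnUrl(string scheme, string host, string redirectPath)
    {
        // Reject empty, relative and protocol-relative ("//other-host") paths.
        if (string.IsNullOrEmpty(redirectPath) || !redirectPath.StartsWith("/") || redirectPath.StartsWith("//"))
            throw new ArgumentException("redirect path must be a local absolute path", "redirectPath");
        return scheme + "://" + host + redirectPath;
    }

    // Local application: build the link to the central login page. Escaping keeps a
    // '?' or '&' inside the return URL from being read as part of the login page's own query string.
    public static string BuildCentralLoginUrl(string loginUrl, string absoluteReturnUrl)
    {
        return loginUrl + "?ReturnUrl=" + Uri.EscapeDataString(absoluteReturnUrl);
    }

    // Central login page: accept only absolute http(s) URLs whose host is on the allow-list.
    public static bool IsTrustedReturnUrl(string returnUrl, IEnumerable<string> trustedHosts)
    {
        Uri uri;
        if (!Uri.TryCreate(returnUrl, UriKind.Absolute, out uri))
            return false;
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps)
            return false;
        foreach (string host in trustedHosts)
            if (string.Equals(host.Trim(), uri.Host, StringComparison.OrdinalIgnoreCase))
                return true;
        return false;
    }

    // Cookieless mode: append TicketName=TicketValue as the post describes, using '&'
    // when the return URL already carries a query string.
    public static string AppendTicket(string returnUrl, string cookieName, string ticketValue)
    {
        string separator = returnUrl.Contains("?") ? "&" : "?";
        return returnUrl + separator + Uri.EscapeDataString(cookieName) + "=" + Uri.EscapeDataString(ticketValue);
    }
}

// Local application's Login.aspx code-behind (the Page_Load from the post, using the helper).
public class LocalLoginPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string loginUrl = ConfigurationManager.AppSettings["LoginUrl"];
        string returnUrl = ReturnUrlHelper.BuildAbsoluteReturnUrl(
            Request.Url.Scheme, Request.Url.DnsSafeHost,
            FormsAuthentication.GetRedirectUrl(string.Empty, false));
        Response.Redirect(ReturnUrlHelper.BuildCentralLoginUrl(loginUrl, returnUrl));
    }
}

// Central login page code-behind, cookieless variant. The three controls are
// declared in the .aspx markup with the ids the post uses.
public class CentralLoginPage : Page
{
    protected TextBox _txtUsername;
    protected TextBox _txtPassword;
    protected Literal _litMessage;

    protected void _btnLogin_Click(object sender, EventArgs e)
    {
        // Assumed web.config entry: <add key="TrustedReturnHosts" value="www1.develop.com,www2.develop.com" />
        string[] trustedHosts = (ConfigurationManager.AppSettings["TrustedReturnHosts"] ?? string.Empty)
            .Split(new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        string returnUrl = Request.QueryString["ReturnUrl"];

        // Validate the destination before authenticating, so no ticket is ever
        // issued for a return URL that points at an unknown host.
        if (!ReturnUrlHelper.IsTrustedReturnUrl(returnUrl, trustedHosts))
        {
            _litMessage.Text = "Invalid return URL";
            return;
        }
        if (!Membership.ValidateUser(_txtUsername.Text, _txtPassword.Text))
        {
            _litMessage.Text = "Try again";
            return;
        }
        string ticket = FormsAuthentication.GetAuthCookie(_txtUsername.Text, false).Value;
        Response.Redirect(ReturnUrlHelper.AppendTicket(returnUrl, FormsAuthentication.FormsCookieName, ticket));
    }
}
```

The host allow-list belongs on the central login page, since that is the side that receives an attacker-controllable ReturnUrl; the local page's own check only rejects malformed paths. In cookieless mode the ticket travels in the URL, so it ends up in web server logs and Referer headers of the receiving application; a short ticket timeout limits how long such a logged value stays usable.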

I am wondering how to create a security framework for all our web
applications. Is it possible to create a single forms authentication
(cookieless) setting for multiple web applications and web config
files. For example, I want the security web site on our webserver to
serve as a portal for other sites on our server. Example:

www.myFirstWebApp.com
web.config <forms loginUrl="www.myCentralLogin.com/login.aspx">
www.mySecondWebApp.com
web.config <forms loginUrl="www.myCentralLogin.com/login.aspx">
Both sites would authenticate using the central login web site. Is
this possible if the websites are in different virtual directories or
possibly different web servers?

Thanks
