Use asp.net web apps login for a second asp.net web app

We have an asp.net web application that uses Forms Authentication. We need
to launch a second application from links in this app. We don't want the
user to have to also log in to this second app. Is there a way to let the
second app know that we are authenticated on the first app? I thought about
just using the http_referrer and saying the second app can not launch
anywhere except from the links on the first app, but it's too easily spoofed.
I'd love to be able to somehow see the auth ticket from the first app or
something like that.

Thank you for any ideas!
Feb 8 '07 #1
If you set the EnableCrossAppRedirects property to true in your
web.config(s), and both applications have identical machineKey elements (you
cannot use "autogenerate") then it should work.
Peter
Site: http://www.eggheadcafe.com
UnBlog: http://petesbloggerama.blogspot.com
Short urls & more: http://ittyurl.net
Feb 8 '07 #2
That's great -- thank you!

I noticed an important security note when I looked into this so I'll post
here for any others who see this:
Setting the EnableCrossAppRedirects property to true to allow
cross-application redirects is a potential security threat. When
cross-application redirects are allowed, your site is vulnerable to
malicious Web sites that use your login page to convince your Web site users
that they are using a secure page on your site. To improve security when
using cross-application redirects, you should override the
RedirectFromLoginPage method to allow redirects only to approved Web sites.
(ref.: http://msdn2.microsoft.com/en-us/lib...ty(VS.80).aspx)
Feb 8 '07 #3
Hello dev648237923,

The security warning you saw about the "EnableCrossAppRedirects" setting is
due to the consideration of some potential malicious sites (unexpected
sites) that will send redirection to your page. Actually,
"EnableCrossAppRedirects" will only be checked when you call the
"FormsAuthentication.RedirectFromLoginPage" or "GetRedirectUrl" methods (if
it is not enabled, you cannot use the two methods to redirect to, or get the
redirect path of, other remote applications).

Therefore, you can actually disable this setting if you do not have to call
the above two methods. For example, you can let your cross application
always pass a certain security identifier in the querystring when redirecting
unauthenticated users to the login application's login.aspx. Thus, the
login page can use the querystring value (or from cookie). And after
authenticating the user, you can simply call
"FormsAuthentication.SetAuthCookie" to set the authentication ticket and
manually use Response.Redirect to forward the user to the original
site (suppose there are only limited applications that can share the same
central login application).

Here are some other resources on configuring machine key and cross
application forms authentication:
#How To: Configure MachineKey in ASP.NET 2.0
http://msdn2.microsoft.com/en-us/library/ms998288.aspx

#Single sign-on across multiple applications in ASP.NET
http://www.codeproject.com/aspnet/as...nglesignon.asp

Hope this also helps some.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.
Feb 9 '07 #4
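
The flow described in post #4 (SetAuthCookie followed by a manual Response.Redirect), combined with the advice quoted in post #3 to redirect only to approved Web sites, could look like the following. This is an added example, not code from any poster in the thread; the host names, form field names, the `ReturnUrl` query-string key and the use of `Membership.ValidateUser` are assumptions, as is a forms cookie domain and machineKey shared by the listed applications.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Security;
using System.Web.UI;

// Added example: code-behind for the central login page (login.aspx).
public partial class Login : Page
{
    // Hypothetical allowlist: the only applications served by this login app.
    private static readonly HashSet<string> ApprovedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "app1.example.com",
            "app2.example.com"
        };

    // Hypothetical fallback when the supplied URL is missing or rejected.
    private const string DefaultUrl = "https://app1.example.com/";
    // Accepts only an absolute HTTPS URL whose parsed host is on the allowlist.
    // Comparing Uri.Host (not a string prefix) rejects values such as
    // "https://app1.example.com.attacker.test/" or "https://app1.example.com@attacker.test/".
    internal static string ResolveReturnUrl(string candidate)
    {
        Uri uri;
        if (!string.IsNullOrEmpty(candidate)
            && Uri.TryCreate(candidate, UriKind.Absolute, out uri)
            && uri.Scheme == Uri.UriSchemeHttps
            && ApprovedHosts.Contains(uri.Host))
        {
            return uri.AbsoluteUri;
        }
        return DefaultUrl;
    }

    // Hypothetical button handler; "username"/"password" are assumed field names.
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = Request.Form["username"];
        string pass = Request.Form["password"];
        if (string.IsNullOrEmpty(user) || !Membership.ValidateUser(user, pass))
        {
            return; // stay on the login page; no ticket is issued
        }
        // Issue the forms-authentication ticket, then redirect manually
        // instead of calling FormsAuthentication.RedirectFromLoginPage.
        FormsAuthentication.SetAuthCookie(user, false);
        Response.Redirect(ResolveReturnUrl(Request.QueryString["ReturnUrl"]), true);
    }
}
```

Because the redirect target is rebuilt from the parsed URI and falls back to a fixed default, a link to the login page cannot be used to send a freshly authenticated user to an arbitrary site.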
