For the most part, ASP.NET application security is configured in the
web.config and declared in several locations throughout the file.
The page declaration, for example, is where you would set support for
cookieless authentication, which results in the Session ID being written into
the URL of the page. Showing the Session ID in the URL doesn't sit well with
me and we have to take an extra step to learn to encode or encrypt that
value if we really want to expect a reasonably well defended attack surface.
And yes, it is not only possible to write a single form which may be used to
authenticate multiple web applications, it has become incredibly simple. I
mean simple as in something like six steps. That's -- after -- the
web.config file is written to enable the use of the ASP.NET 2.0 Membership,
Roles and Profiles which function together systematically and which is how
you can use that single form to authenticate across application boundaries.
It's all about your mastery of OO principles which IMO are best applied using
C#.
<%= Clinton Gallagher
NET csgallagher AT metromilwaukee.com
URL http://clintongallagher.metromilwaukee.com/
<ti*********@gmail.com> wrote in message
news:11**********************@e56g2000cwe.googlegroups.com...
I am wondering how to create a security framework for all our web
applications. Is it possible to create a single forms authentication
(cookieless) setting for multiple web applications and web config
files? For example, I want the security web site on our webserver to
serve as a portal for other sites on our server. Example:
www.myFirstWebApp.com
web.config <forms loginUrl="www.myCentralLogin.com/login.aspx">
www.mySecondWebApp.com
web.config <forms loginUrl="www.myCentralLogin.com/login.aspx">
Both sites would authenticate using the central login web site. Is
this possible if the websites are in different virtual directories or
possibly different web servers?
Thanks
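
Added example, not part of either post above: a web.config fragment showing the settings that have to match in every application (and in the central login site) for one forms-authentication ticket to be accepted across them. The cookie name, the key placeholders and the https scheme on loginUrl are assumptions made for illustration.

```xml
<!-- Added example: place the same <machineKey> and <forms> settings in the
     web.config of each participating application and of the login site. -->
<configuration>
  <system.web>
    <!-- Every application must share these keys so that a ticket issued by
         the login site can be validated and decrypted elsewhere.
         Placeholders only: generate your own random keys and keep them out
         of source control. -->
    <machineKey validationKey="REPLACE_WITH_SHARED_VALIDATION_KEY"
                decryptionKey="REPLACE_WITH_SHARED_DECRYPTION_KEY"
                validation="SHA1"
                decryption="AES" />

    <authentication mode="Forms">
      <!-- name, protection and path must be identical in all applications.
           protection="All" keeps the ticket both encrypted and validated.
           cookieless="UseUri" is the cookieless mode asked about; the ticket
           then travels in the URL, where it can end up in logs, referrers
           and browser history. cookieless="UseCookies" keeps it out of the
           URL. enableCrossAppRedirects allows the login page to redirect
           back to a different application. -->
      <forms name=".SHAREDAUTH"
             loginUrl="https://www.myCentralLogin.com/login.aspx"
             protection="All"
             path="/"
             cookieless="UseUri"
             enableCrossAppRedirects="true" />
    </authentication>

    <authorization>
      <!-- Unauthenticated users are sent to loginUrl. -->
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

Applications on different host names cannot read each other's cookies, so across hosts the ticket is handed over on the redirect URL; serve every site involved over HTTPS when it does.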