Hi
We have an eCommerce site that was designed as a BusinessToBusiness system.
When anyone accesses a page, the site checks to see whether they have a
current session (i.e. already authenticated) and if not it redirects them to
the log-on page.
Recently, we added some BusinessToConsumer functionality. The same
authentication process described above applies, but when the unknown user
gets redirected to the logon page they see a button that allows them to log
on as the "anonymous user".
We have a corporate web site with a link on it to the eCommerce site's logon
page. This link contains a parameter which effectively mimics the clicking
of the "log on anonymously" button - the end result is that the user gets
logged on transparently, they never see the actual logon page.
Search engines have obviously followed this link from our corporate web site
and gained access into our eCommerce site. All the products can be found on
the search engines sites - which is good for the business2consumer side of
things. However, when one follows the link to a product from the search
engine site, one gets re-directed to the logon page because the
search-engine's session identifier is no longer valid (the session expired).
Ideally, I want people to find our products on the search engine's site and
go seamlessly to the product's details page, but need suggestions on how best
to achieve this.
I guess that if the user is not recognised, I could look at the forwarding
URL (Request.ServerVariables("HTTP_REFERER")) and if it's a known search
engine's site then try to automatically log them on....
Do you think that this a viable way forward, or is there a better way?
Ideally, I don't want to have to redesign the whole security model....
Thanks in advance
Griff
