
Use asp.net web apps login for a second asp.net web app

We have an asp.net web application that uses Forms Authentication. We need
to launch a second application from links in this app. We don't want the
user to have to also login to this second app. Is there a way to let the
second app know that we are authenticated on the first app. I thought about
just using the http_referrer and saying the second app can not launch
anywhere except from the links on the first app but it's too easily spoofed.
I'd love to be able to somehow see the auth ticket from the first app or
something like that.

Thank you for any ideas!
Feb 8 '07 #1
If you set the EnableCrossAppRedirects property to true in your
web.config(s), and both applications have identical machineKey elements (you
cannot use "autogenerate") then it should work.
Peter
Site: http://www.eggheadcafe.com
UnBlog: http://petesbloggerama.blogspot.com
Short urls & more: http://ittyurl.net


Feb 8 '07 #2
That's great -- thank you!

I noticed an important security note when I looked into this so I'll post
here for any others who see this:
Setting the EnableCrossAppRedirects property to true to allow
cross-application redirects is a potential security threat. When
cross-application redirects are allowed, your site is vulnerable to
malicious Web sites that use your login page to convince your Web site users
that they are using a secure page on your site. To improve security when
using cross-application redirects, you should override the
RedirectFromLoginPage method to allow redirects only to approved Web sites.
(ref.: http://msdn2.microsoft.com/en-us/lib...ty(VS.80).aspx)


Feb 8 '07 #3
Hello dev648237923,

The security warning you saw about the "EnableCrossAppRedirects" setting is
due to the possibility of malicious (unexpected) sites sending redirections
to your page. Actually, "EnableCrossAppRedirects" is only checked when you
call the "FormsAuthentication.RedirectFromLoginPage" or "GetRedirectUrl"
methods (if it is not enabled, you cannot use these two methods to redirect
to, or get the redirect path of, another remote application).

Therefore, you can actually disable this setting if you do not have to call
the above two methods. For example, you can let your cross application
always pass a certain security identifier in the querystring when redirecting
unauthenticated users to the login application's login.aspx. The login page
can then use the querystring value (or one from a cookie). After
authenticating the user, you can simply call
"FormsAuthentication.SetAuthCookie" to set the authentication ticket and
manually use Response.Redirect to forward the user to the original
site (supposing there are only a limited number of applications that share
the same central login application).

Here are some other resources on configuring machine key and cross
application forms authentication:
#How To: Configure MachineKey in ASP.NET 2.0
http://msdn2.microsoft.com/en-us/library/ms998288.aspx

#Single sign-on across multiple applications in ASP.NET
http://www.codeproject.com/aspnet/as...nglesignon.asp

Hope this also helps some.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.
Feb 9 '07 #4
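
Added example, not part of the thread and not code from any of the posters: a login.aspx code-behind that follows the approach in reply #4 (SetAuthCookie plus a manual Response.Redirect) while applying the "approved Web sites only" restriction quoted in reply #3. The host names, the `ResolveRedirect` helper and the `UserName`/`Password` TextBox controls are assumptions; the second application still needs the identical machineKey described in reply #2 to read the ticket.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // Assumption: placeholder hosts of the applications allowed to share this login page.
    private static readonly string[] ApprovedHosts = { "app1.example.com", "app2.example.com" };

    // Hypothetical helper: returns returnUrl only when it is an absolute https URL
    // on an approved host; otherwise falls back to the configured default page.
    public static string ResolveRedirect(string returnUrl)
    {
        Uri target;
        if (!string.IsNullOrEmpty(returnUrl)
            && Uri.TryCreate(returnUrl, UriKind.Absolute, out target)
            && target.Scheme == Uri.UriSchemeHttps)
        {
            foreach (string host in ApprovedHosts)
            {
                // Compare the parsed host exactly. A substring or suffix test on the
                // raw string would also accept app1.example.com.attacker.test.
                if (string.Equals(target.Host, host, StringComparison.OrdinalIgnoreCase))
                    return target.AbsoluteUri;
            }
        }
        // Missing, relative, non-https or unapproved targets never leave this site.
        return FormsAuthentication.DefaultUrl;
    }

    // Click handler for the login button. UserName and Password are assumed to be
    // TextBox controls declared in login.aspx.
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (!Membership.ValidateUser(UserName.Text, Password.Text))
            return; // stay on the login page; no ticket is issued

        // Issue a session-only forms authentication ticket, then redirect manually
        // instead of calling RedirectFromLoginPage.
        FormsAuthentication.SetAuthCookie(UserName.Text, false);
        Response.Redirect(ResolveRedirect(Request.QueryString["ReturnUrl"]));
    }
}
```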
