
.NET Single Sign-On Authentication

19 Mar

Using standard .NET functionality it is easy to share the authentication cookie across several sites that use Forms Based Authentication, even when these applications reside on different servers. It requires only minor changes to web.config and to the authentication code.

Applications must share the same base domain

The first requirement is that all applications need to share the same base domain. This is needed for the cookie to be accessible for each application. Examples of this are:

  • Will work:
    • somesite.com
    • other.somesite.com
    • another.somesite.com
  • Won't work:
    • somesite.com
    • othersite.com

This is not always possible for existing applications, but unfortunately it is required to achieve single sign-on using this functionality.

Update web.config settings

The second step is to ensure that the configuration for the authentication and the machineKey elements in web.config is the same for all applications. E.g.:

<authentication mode="Forms">
 <forms
  name=".LOGINFORM"
  path="/"
  defaultUrl="http://www.somesite.com/Default.aspx"
  loginUrl="http://www.somesite.com/Login.aspx"
  enableCrossAppRedirects="true" />
</authentication>

<machineKey
 validationKey="{replace with your validation key}"
 decryptionKey="{replace with your decryption key}"
 validation="SHA1" />

It is necessary for these values to be the same across all applications. They must share the same machine key, cookie name, login page, etc., or it won't work. Also, don't set validationKey and decryptionKey to AutoGenerate: they must be explicit keys, identical on all sites, because each application has to be able to decrypt and validate a ticket issued by any of the others.

Code changes to ensure cookie domain

Now for the final part, some small code changes. It is important to make sure the proper cookie is created.

For sign in:

// sign in: GetAuthCookie builds the ticket cookie without writing it, so the
// domain can be set before it is appended (calling SetAuthCookie as well would
// emit a second, host-only cookie alongside the domain-wide one)
HttpCookie cookie = FormsAuthentication.GetAuthCookie(username, false);
cookie.Domain = "somesite.com"; // base domain shared by all applications
HttpContext.Current.Response.AppendCookie(cookie);


When signing out you must make sure to expire the cookie, or else the user will stay signed in:

// sign out: expire a cookie with the same name and domain as the sign-in cookie;
// a browser only replaces a cookie whose name, domain and path match, otherwise
// it keeps the original and the user stays signed in. A new cookie is created
// rather than read from Request.Cookies, which is null when no cookie was sent.
FormsAuthentication.SignOut();
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName);
cookie.Domain = "somesite.com"; // must match the domain used at sign in
cookie.Expires = DateTime.Now.AddDays(-1);
HttpContext.Current.Response.AppendCookie(cookie);


I left out try/catch and security checks for brevity.

Conclusion

And that is it! It is easy to set up once you know the restrictions.

You can access the user information in your applications as you normally would, e.g. using User.Identity from a page context or with HttpContext.Current.User.Identity.

Update

There is an alternative option. Instead of updating the cookie programmatically as above, you can also set the domain for the cookie in your web.config.

Using the domain attribute of the forms element you can specify the base domain of your applications, e.g.:

<authentication mode="Forms">
 <forms
  name=".LOGINFORM"
  path="/"
  defaultUrl="http://www.somesite.com/Default.aspx"
  loginUrl="http://www.somesite.com/Login.aspx"
  enableCrossAppRedirects="true"
  domain="somesite.com" />
</authentication>
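The following is an added example, not code from the original post, that combines the two approaches: it reads the cookie name, path and domain from FormsAuthentication (which reflects the forms element above, including the domain attribute) so the sign-in and sign-out cookies always carry the same scope in every application. It assumes .NET Framework 4.0 or later (for FormsAuthentication.Timeout); the HttpOnly and Secure flags are added here and are not part of the post.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example (not the post's own code). Assumes the web.config shown above
// and .NET Framework 4.0+; cookie scope comes from FormsAuthentication so it
// stays identical across all applications that share the configuration.
public static class SharedAuthCookie
{
    // Build the domain-wide sign-in cookie from an explicit ticket.
    public static HttpCookie BuildSignInCookie(string username, bool persistent, DateTime now)
    {
        var ticket = new FormsAuthenticationTicket(
            1, username, now, now.Add(FormsAuthentication.Timeout),
            persistent, string.Empty, FormsAuthentication.FormsCookiePath);
        string encrypted = FormsAuthentication.Encrypt(ticket); // shared machineKey
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            Domain = FormsAuthentication.CookieDomain,  // <forms domain="somesite.com">
            Path = FormsAuthentication.FormsCookiePath,  // <forms path="/">
            HttpOnly = true,                             // not readable from script
            Secure = FormsAuthentication.RequireSSL      // HTTPS-only when requireSSL="true"
        };
        if (persistent) cookie.Expires = ticket.Expiration;
        return cookie;
    }

    // Build the expiring cookie: same name, domain and path as the sign-in
    // cookie, otherwise the browser keeps the original and the user stays in.
    public static HttpCookie BuildSignOutCookie(DateTime now)
    {
        return new HttpCookie(FormsAuthentication.FormsCookieName, string.Empty)
        {
            Domain = FormsAuthentication.CookieDomain,
            Path = FormsAuthentication.FormsCookiePath,
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Expires = now.AddDays(-1)
        };
    }

    public static void SignIn(HttpResponse response, string username, bool persistent)
    {
        response.Cookies.Add(BuildSignInCookie(username, persistent, DateTime.Now));
    }

    public static void SignOut(HttpResponse response)
    {
        FormsAuthentication.SignOut(); // clears the ticket for the current request
        response.Cookies.Add(BuildSignOutCookie(DateTime.Now));
    }
}
```

Because the cookie is scoped to the base domain, every host under it receives it, so any subdomain that can be reached with the shared machineKey must be trusted to handle the ticket.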

Written by Nuno Freitas