I will try to ask this as simply as possible.
I have:
1) A central user database that multiple applications use.
2) A portal web application
3) 3-4 other web applications
When a user logs into the portal using forms authentication, there will be buttons for each application that user has access to. Here is the tricky part: when the user clicks on the button to go to an application, I want the user to automatically be authenticated using the credentials used to log into the portal. I don't want to use a query string for security reasons. Can anyone think of a way to do this? I can't.
Thanks,
Eric
See if you can use the FormsAuthenticationModule.Authenticate Event. This is a Global.asax event that must be named FormsAuthentication_OnAuthenticate. You can use this event to customize cookie authentication (seen in a Global.asax.cs CodeBehind file with the signature 'protected void Application_AuthenticateRequest(object sender, EventArgs e)' when generated by VS.Net). Here is a code example showing how I am adding a 'string[]' containing which roles (fetched from Db) the user belongs to, into the AuthenticationTicket after a User has successfully logged on:

    using System;
    using System.Data;
    using System.Data.SqlClient;
    using System.Security.Principal;
    using System.Web;
    using System.Web.Security;
    using Microsoft.ApplicationBlocks.Data; // SqlHelper from the Data Access Application Block

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        //========================================================
        // If the request is authenticated, get the roles from db
        // and assign roles to the logged in user
        //========================================================
        if (Request.IsAuthenticated)
        {
            // Retrieve user's identity from context user
            FormsIdentity ident = (FormsIdentity)Context.User.Identity;
            // Retrieve roles from the authentication ticket userdata field
            string[] roles = ident.Ticket.UserData.Split('|');
            // If we didn't load the roles before, fetch them from DB
            if (roles[0].Length == 0)
            {
                // Get the Customer/UserID
                int UserID = int.Parse(User.Identity.Name);
                // Now get all the roles that this User belongs to
                SqlParameter parmID = new SqlParameter("@UserID", UserID);
                SqlDataReader rdr = SqlHelper.ExecuteReader(Autocorp.Data.DbAutocorp.Con, CommandType.StoredProcedure, "AC_GetUserRoles", parmID);
                // First result set: the number of roles; second result set: the role names
                rdr.Read();
                int rolesNo = (int)rdr[0];
                roles = new string[rolesNo];
                int i = 0;
                rdr.NextResult();
                while (rdr.Read())
                {
                    roles[i] = rdr.GetString(0); // store each role name in its own slot
                    i++;
                }
                rdr.Close();
                // Store roles inside the Forms ticket.
                FormsAuthenticationTicket newticket = new FormsAuthenticationTicket(ident.Ticket.Version,
                    ident.Ticket.Name,
                    ident.Ticket.IssueDate,
                    ident.Ticket.Expiration,
                    ident.Ticket.IsPersistent,
                    string.Join("|", roles), // Custom info
                    ident.Ticket.CookiePath);
                // Create the cookie.
                HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(newticket));
                authCookie.Path = FormsAuthentication.FormsCookiePath;
                authCookie.HttpOnly = true; // keep the encrypted ticket out of reach of client script
                authCookie.Secure = FormsAuthentication.RequireSSL;
                // Limit the AuthCookie to last only for 30 days
                if (newticket.IsPersistent)
                    authCookie.Expires = DateTime.Now.AddDays(30);
                Context.Response.Cookies.Add(authCookie);
            }
            // Create principal and attach to user
            Context.User = new GenericPrincipal(ident, roles);
        }
    }
I'm not entirely sure you can transfer this info (in your case UID, PWD) to be extracted and used in another application, but it could be a good place to start.
Thanks Adec,
After some more searching I found the term for what I am trying to do is called passthrough authentication. It seems there isn't a standard way of doing it yet, but I did find some examples.
I apologize, I didn't want to use a query string but I am now thinking it is okay because of an example that I believe is pretty bulletproof - and I don't have to worry about browsers not accepting cookies.
Here is the URL:
http://weblogs.asp.net/dr.netjes/archive/2005/04/28/404887.aspx
I think it will work nicely because all my applications are using the same database.
I could still use some help though. In the example on the above link, a token is created with the username and user host address. This token is stored in SQL along with the unencrypted values of username, user host address and a one minute window expiration time.
I am clueless on how to create the token. It is a guid, but I'm not sure how he gets from username and user host address to a guid token.
Btw - adec, I think your thinking is probably the best way to go, but I want to steer away from using cookies.
Any help is appreciated,
Thanks,
Eric
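As an added example (not code from the thread or from the linked post), the token handoff described above in C#: the portal stores a random GUID together with the user name, client address and a one-minute expiry, and the target application redeems it exactly once. The token is random rather than computed from the user name and address, a Dictionary stands in for the SQL table, and the class names and sample values are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// One row of the handoff table from the linked example: token, user name,
// client address and expiry. A Dictionary stands in for SQL so this runs offline.
public class HandoffToken
{
    public string UserName;
    public string UserHostAddress;
    public DateTime Expires;
}

public static class PassthroughAuth
{
    static readonly Dictionary<Guid, HandoffToken> Table = new Dictionary<Guid, HandoffToken>();

    // Portal side. The token is random rather than derived from the user name or
    // address, so knowing both gives no way to forge it; the 16 bytes come from the
    // cryptographic RNG because Guid.NewGuid() makes no unpredictability promise.
    public static Guid Issue(string userName, string userHostAddress, DateTime now)
    {
        byte[] bytes = new byte[16];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        Guid token = new Guid(bytes);
        Table[token] = new HandoffToken { UserName = userName, UserHostAddress = userHostAddress, Expires = now.AddMinutes(1) };
        return token;
    }

    // Target application side. The row is removed before any check so a replayed
    // token fails, and every check must pass before the user name is released.
    public static string Redeem(Guid token, string requestHostAddress, DateTime now)
    {
        HandoffToken row;
        if (!Table.TryGetValue(token, out row)) return null; // unknown or already used
        Table.Remove(token);                                  // single use
        if (now > row.Expires) return null;                   // one-minute window passed
        if (row.UserHostAddress != requestHostAddress) return null; // different client
        return row.UserName; // the app then issues its own ticket with FormsAuthentication.SetAuthCookie
    }

    public static void Main()
    {
        DateTime now = DateTime.UtcNow;
        Guid t = Issue("eric", "10.0.0.5", now);                      // constructed sample values
        Console.WriteLine(Redeem(t, "10.0.0.5", now.AddSeconds(30)));   // valid handoff within the window
        Console.WriteLine(Redeem(t, "10.0.0.5", now.AddSeconds(30)));   // second use: token already consumed
    }
}
```

Only the GUID travels in the redirect URL; the user name never leaves the database, and a token that is late, replayed, or presented from another address is rejected.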
Nevermind, I figured out the follow up question.
Thanks,
Eric