Securely Transfer User from one ASP .NET App to Another

I have an ASP .NET web application which uses Forms Authentication. Let's call this application "Foo." I am creating another ASP .NET application called "Bar."

What I want to have happen is the user logs into Foo, then clicks a link which takes them to a page in the Bar application. The Bar application should not require the Foo user to log in again. The Foo app should pass the security ticket to the Bar app and then the user can go about his/her business inside the Bar app.

I also want to restrict access to the Bar app. So if a user tries to access the Bar app without first logging in, they are redirected to the Foo login page.

Is this possible? If so, how do I implement this?

Brandon Montgomery asked Nov 05 '22 21:11


1 Answer

I did this once and it was between a PHP site and an ASP.NET site (me being the ASP.NET Developer but knowing some bits about PHP too).

If App1 is the entry point for the user(s) then at logon App1 should create a key-value pair for that user that consists of the username and a generated key (a GUID for example). Programmatically it should communicate with App2 and send this key (for example launch a background thread). Let's say user JohnDoe logs in successfully on App1.

App1 generates a key (3l3kjlk3j4lkj34, JohnDoe) and sends it to App2 via some kind of communication (for example calls via HTTP a URL such as www.app2.com/SetTempKey.aspx?userId=JohnDoe&key=3l3kjlk3j4lkj34 - a page that would allow only requests from a certain IP for security reasons).

App2 will receive the temporary access key and store it. Let's say that App2 has the login page at www.app2.com/login.aspx.

In app1 you will generate a link to www.app2.com/login.aspx?tempKey=3l3kjlk3j4lkj34 with a decent label such as "Go to our app2". When the user clicks the link, the login.aspx page on app2 is called. Checking the querystring for the presence of the tempKey querystring parameter and then checking the validity of the key against the temporary keys it stored, app2 finds that this REALLY is JohnDoe.

App2 logs him in simply by calling FormsAuthentication.RedirectFromLoginPage("JohnDoe", true) (first the username and then whether the formsAuth cookie should be persistent/not_session_lived).

... and that's pretty much it.

Andrei Rînea answered Nov 14 '22 23:11

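The temporary-key handoff in the answer above, written out as an added example (not the answerer's code): a hypothetical `TempKeyStore` for App2 that goes a little beyond the answer by generating the key from a CSPRNG instead of a GUID, giving it a short lifetime, and deleting it on first redemption so a replayed or leaked `tempKey` cannot be used to log in a second time. The class name, the 60-second lifetime and the 32-byte key length are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Hypothetical store for App2's temporary access keys (the answer's
// SetTempKey.aspx / login.aspx pair). Keys are unguessable, bound to a
// user, short-lived and single-use.
public static class TempKeyStore
{
    private sealed class Entry
    {
        public string UserId;
        public DateTime ExpiresUtc;
    }

    private static readonly ConcurrentDictionary<string, Entry> Keys =
        new ConcurrentDictionary<string, Entry>(StringComparer.Ordinal);

    // Assumed lifetime: long enough for a click, too short to be useful later.
    private static readonly TimeSpan Lifetime = TimeSpan.FromSeconds(60);

    // App1 side: 256 random bits, URL-safe base64 so it survives the querystring.
    public static string GenerateKey()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // App2 side (SetTempKey.aspx): remember the key for a short window.
    public static void Register(string key, string userId)
    {
        Keys[key] = new Entry { UserId = userId, ExpiresUtc = DateTime.UtcNow.Add(Lifetime) };
    }

    // App2 side (login.aspx): redeem exactly once. Returns the user, or null
    // when the key is unknown, already used, or expired.
    public static string Redeem(string key)
    {
        Entry entry;
        if (key == null || !Keys.TryRemove(key, out entry)) return null;
        return entry.ExpiresUtc > DateTime.UtcNow ? entry.UserId : null;
    }
}

// In login.aspx on App2 the answer's final step then becomes:
//   var user = TempKeyStore.Redeem(Request.QueryString["tempKey"]);
//   if (user != null) FormsAuthentication.RedirectFromLoginPage(user, false);
```

Because `TryRemove` is atomic, two requests racing with the same key cannot both succeed, and the IP restriction on SetTempKey.aspx from the answer still applies on top of this.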