Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP .Net Security > Forms Authentication across applications

Reply
Thread Tools

Forms Authentication across applications

 
 
Janaka
Guest
Posts: n/a
 
      05-10-2004
I've read the material on Forms Authentication and I've set this up for
several websites without any problems. Basically there's 2 applications for
each site.
1. The "www" application for the non-secure pages - http://www.domain.com
2. The "secure" application for sensitive pages like checkout, login,
tc - https://secure.domain.com

All sites follow this format. The application files are on physically
seperate machines.

Now the problem I'm having is that I'd like to use the Forms Authentication
cookie to see whether the user has been authenticated on my "www" pages.
However, it appears as if they haven't logged in. I had a look at the msdn
article to set up authentication across appplications
(
http://msdn.microsoft.com/library/de...redentials.asp )
but found the isolateApplications attribute doesn't exist??
As you can see this isn't stated on the <machineKey> reference either:
http://msdn.microsoft.com/library/de...keysection.asp

Has anyone gotten forms authentication to work between 2 applications? I'd
like to use SSL for my login page but it appears that won't work because the
first part of the domain is different?


 
Reply With Quote
 
 
 
 
Hernan de Lahitte
Guest
Posts: n/a
 
      05-10-2004
You might have a cookie persistence issue with the your cross domain
scenario. You have some good hints about this here:
http://www.codeproject.com/aspnet/as...nglesignon.asp.
About the SSL certificate issue, you should have a cert. for
secure.domain.com that is where your secure pages resides.
The "isolateApplications" is not an attribute, its a modifier to the
decryptionKey or validationKey attributes and the usage is as states on the
machine key help.

<machineKey validationKey="AutoGenerate,IsolateApps"
decryptionKey="AutoGenerate,IsolateApps"
validation="SHA1"/>
The isolateApps option is specified to generate unique keys for each
application on the server.Unfortunately, the sample of your first link is
wrong.-- Hernan de LahitteLagash Systems S.A.http://weblogs.asp.net/hernandl

This posting is provided "AS IS" with no warranties, and confers no rights.

"Janaka" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I've read the material on Forms Authentication and I've set this up for
> several websites without any problems. Basically there's 2 applications

for
> each site.
> 1. The "www" application for the non-secure pages -

http://www.domain.com
> 2. The "secure" application for sensitive pages like checkout, login,
> tc - https://secure.domain.com
>
> All sites follow this format. The application files are on physically
> seperate machines.
>
> Now the problem I'm having is that I'd like to use the Forms

Authentication
> cookie to see whether the user has been authenticated on my "www" pages.
> However, it appears as if they haven't logged in. I had a look at the

msdn
> article to set up authentication across appplications
> (
>

http://msdn.microsoft.com/library/de...redentials.asp )
> but found the isolateApplications attribute doesn't exist??
> As you can see this isn't stated on the <machineKey> reference either:
>

http://msdn.microsoft.com/library/de...keysection.asp
>
> Has anyone gotten forms authentication to work between 2 applications?

I'd
> like to use SSL for my login page but it appears that won't work because

the
> first part of the domain is different?
>
>



 
Reply With Quote
 
 
 
 
Janaka
Guest
Posts: n/a
 
      05-10-2004
Thanks I'll give this a go and see how it turns out.
"Hernan de Lahitte" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> You might have a cookie persistence issue with the your cross domain
> scenario. You have some good hints about this here:
> http://www.codeproject.com/aspnet/as...nglesignon.asp.
> About the SSL certificate issue, you should have a cert. for
> secure.domain.com that is where your secure pages resides.
> The "isolateApplications" is not an attribute, its a modifier to the
> decryptionKey or validationKey attributes and the usage is as states on

the
> machine key help.
>
> <machineKey validationKey="AutoGenerate,IsolateApps"
> decryptionKey="AutoGenerate,IsolateApps"
> validation="SHA1"/>
> The isolateApps option is specified to generate unique keys for each
> application on the server.Unfortunately, the sample of your first link is
> wrong.-- Hernan de LahitteLagash Systems

S.A.http://weblogs.asp.net/hernandl
>
> This posting is provided "AS IS" with no warranties, and confers no

rights.
>
> "Janaka" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > I've read the material on Forms Authentication and I've set this up for
> > several websites without any problems. Basically there's 2 applications

> for
> > each site.
> > 1. The "www" application for the non-secure pages -

> http://www.domain.com
> > 2. The "secure" application for sensitive pages like checkout, login,
> > tc - https://secure.domain.com
> >
> > All sites follow this format. The application files are on physically
> > seperate machines.
> >
> > Now the problem I'm having is that I'd like to use the Forms

> Authentication
> > cookie to see whether the user has been authenticated on my "www" pages.
> > However, it appears as if they haven't logged in. I had a look at the

> msdn
> > article to set up authentication across appplications
> > (
> >

>

http://msdn.microsoft.com/library/de...redentials.asp )
> > but found the isolateApplications attribute doesn't exist??
> > As you can see this isn't stated on the <machineKey> reference either:
> >

>

http://msdn.microsoft.com/library/de...keysection.asp
> >
> > Has anyone gotten forms authentication to work between 2 applications?

> I'd
> > like to use SSL for my login page but it appears that won't work because

> the
> > first part of the domain is different?
> >
> >

>
>



 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Best practices for using forms authentication and security in a hosted env (was: Re: Using a Forms authentication in a shared hosting environment) JEFF ASP .Net 1 11-12-2007 07:00 PM
Forms Authentication Across Applications =?Utf-8?B?RmFyaWJh?= ASP .Net 4 05-16-2007 10:34 PM
forms authentication -- expired forms cookie vs. not provided forms cookie Eric ASP .Net Security 2 01-27-2006 10:09 PM
Forms Authentication question: How to have some pages open and some requiring forms authentication Eric ASP .Net 2 02-13-2004 02:14 PM
Forms authentication across multiple applications and framework versions JC ASP .Net 1 11-05-2003 11:59 PM



Advertisments