Thursday, March 29, 2012

Single Sign on for web apps on same box

Quite a few months back, I was able to create a single sign on app for all
apps on a single box (perhaps a domain, but never tested) by setting the
auth cookie name to an identical value:

<authentication mode="Forms">
    <forms name="SingleSignOn" loginUrl="login.aspx" />
</authentication>

I could then surf from app to app on the same box and the cookie, named the
same, would allow me to bypass the logon form. I currently have an app in
Framework 1.1, and I get the following:

Default cookie - log into each app, each time, when I bounce from app to app
Cookies with same name - same behavior
Cookies with diff name - log in once to each app, can then surf back and
forth

The actual test code is as follows:

web.config
----
<authentication mode="Forms">
    <forms name="test1" loginUrl="login.aspx" timeout="30"
           slidingExpiration="true" path="/">
        <credentials passwordFormat="Clear">
            <user name="Joe" password="password" />
        </credentials>
    </forms>
</authentication>
<authorization>
    <allow users="Joe" /> <!-- Allow all users -->
    <deny users="?"></deny>
</authorization>

Login.aspx
----
private void LoginButton_Click(object sender, System.EventArgs e)
{
    if (FormsAuthentication.Authenticate(NameText.Text, PasswordText.Text))
    {
        Session["ID"] = Session.SessionID;
        FormsAuthentication.RedirectFromLoginPage("Joe", false);
    }
    else
    {
        BadPasswordLabel.Text = "This is not a valid login.";
    }
}

My thought is either

a) The methodology changed in Framework 1.1
b) I am missing something I had working before

At present, this is not a major issue, but it is something that is bugging
me.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

**********************************************************************
Think Outside the Box!
**********************************************************************

If you ever have a problem, post here and your brain will figure it out.

Here is the single sign on using Forms Authentication:

1. Set up the authentication section:

<authentication mode="Forms">
    <forms name="test1" loginUrl="login.aspx" timeout="30"
           slidingExpiration="true" path="/">
        <credentials passwordFormat="Clear">
            <user name="Joe" password="password" />
        </credentials>
    </forms>
</authentication>

In this case, the password is embedded, but it will actually pull from a
database outside of test.

2. Set up a machine key (this is the missing link in my app):

<machineKey
    validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE"
    decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F"
    validation="3DES"
/>

I nabbed this from a site on the web, but it could just as easily have
been created. The problem is each application creates its own key, if one is
not specified. In my case, as I bounced from app to app, each app rewrote
the cookie, using its own key. Thus, each new hit on the app, after a hit on
another app, caused re-authentication, as it was reading garbage (wrong
key).

3. Set up app authorization to force logon:

<authorization>
    <allow users="Joe" />
    <deny users="?" />
</authorization>

4. Repeat for additional applications.

Now, I can bounce back and forth without problem.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

**********************************************************************
Think Outside the Box!
**********************************************************************
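
An added example, not part of the original posts: a Python check that compares the forms cookie name, path and machineKey across several web.config files, flags keys that are auto-generated or appear on a list of published values, and generates a fresh key element with the same key lengths as the one shown above. The function names, the sample configs and the `published_keys` list are assumptions for illustration.

```python
import secrets
import xml.etree.ElementTree as ET

SHARED = ("forms.name", "forms.path", "validationKey", "decryptionKey", "validation")

def sso_settings(web_config_xml):
    """Extract the values every app must agree on to accept the same auth cookie."""
    root = ET.fromstring(web_config_xml)
    forms, key = root.find(".//authentication/forms"), root.find(".//machineKey")
    def attr(el, name, missing):
        return missing if el is None else el.get(name, missing)
    return {
        "forms.name": attr(forms, "name", ".ASPXAUTH"),  # ASP.NET default cookie name
        "forms.path": attr(forms, "path", "/"),
        # No explicit key means the app generates its own, as the post found.
        "validationKey": attr(key, "validationKey", "AutoGenerate"),
        "decryptionKey": attr(key, "decryptionKey", "AutoGenerate"),
        "validation": attr(key, "validation", "(default)"),
    }

def audit(configs, published_keys=frozenset()):
    """configs: {app name: web.config text}. Returns a sorted list of findings."""
    parsed = {app: sso_settings(xml) for app, xml in configs.items()}
    findings = [f"mismatch across apps: {k}" for k in SHARED
                if len({s[k] for s in parsed.values()}) > 1]
    for app, s in parsed.items():
        for k in ("validationKey", "decryptionKey"):
            if s[k].startswith("AutoGenerate"):
                findings.append(f"{app}: {k} is auto-generated per app")
            elif s[k].upper() in published_keys:
                findings.append(f"{app}: {k} is a published value, replace it")
    return sorted(findings)

def new_machine_key():
    """Fresh random keys with the same lengths as the post's (64 and 24 bytes)."""
    return ('<machineKey validationKey="%s" decryptionKey="%s" validation="3DES" />'
            % (secrets.token_hex(64).upper(), secrets.token_hex(24).upper()))

# Constructed sample configs (not from the post): app2 lacks a machineKey.
KEY = '<machineKey validationKey="AA11" decryptionKey="BB22" validation="3DES" />'
FORMS = ('<authentication mode="Forms">'
         '<forms name="test1" loginUrl="login.aspx" path="/" /></authentication>')
APPS = {
    "app1": f"<configuration><system.web>{FORMS}{KEY}</system.web></configuration>",
    "app2": f"<configuration><system.web>{FORMS}</system.web></configuration>",
}

if __name__ == "__main__":
    print("\n".join(audit(APPS, {"AA11"}) + [new_machine_key()]))
```
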
