Solved

Using FormsAuthentication between two ASP.NET web applications

Posted on 2004-08-26
282 Views
Last Modified: 2012-06-27
I am adding functionality to an existing web application based on DotNetNuke, which uses FormsAuthentication for user authentication. One page I am working on allows the user to edit their personal settings such as name, address, e-mail details etc. They will also be able to edit their credit card details which are used for the recurring monthly payment for our website.

I want to put the "Edit Credit Card Details" page behind a secure connection. We have our main website (www.tacf.org) which hosts the main application. We also have another domain: secure.tacf.org which has a valid certificate for SSL. I have tried creating a second Web Application to run on the secure server, allowing the credit card related communication to be secure.

When I use Response.Redirect() from the first project to send the user to the second one, any checking of Request.IsAuthenticated returns false, even when the requests in the other application were authenticated. I realise this must be due to the fact that I am running two separate applications. The problem is that I don't want to force the user to log in a second time. The transition from open server to secure server should be fairly smooth and swift for the user.

How can I best allow the user to edit their credit card details behind ssl while keeping the rest of the website outside of the secure server?
Question by:tacf
9 Comments
 
LVL 2

Expert Comment

by:eepdawg
ID: 11907572
The best way would be to put the entire site on the secure server.

If not, then you need to create a cookie file for the secure domain from the non-secure domain. Then, when the user gets to the secure page, check for cookies and authenticate automatically if it exists.

if this does not make sense let me know and I will search for an example.
 
LVL 1

Author Comment

by:tacf
ID: 11907667
I don't want to put the whole thing on the secure server because it would really hit performance, as far as I can tell, and it'd be a pretty major operation. (My deadline is REALLY close, so I'm in a bit of a panic here!)

I believe that the first application creates a cookie when the user is authenticated, so I can check for the existence of that cookie on the secure server. However, I don't really know how to extract the userid from that cookie so I can subsequently retrieve the username/password from the server to do the all-important AuthenticateAndRedirectUser(username, password) command.
 
LVL 2

Expert Comment

by:eepdawg
ID: 11907870
This is super simple.  

Find where the cookie is created on the non-secure server.

Then copy that code and paste it again in the same spot, except this time set the domain property to be secure.tacf.org.

See here: http://www.thescripts.com/serversidescripting/asp/articles/asptips/page1.html

Now when a script on secure.tacf.org looks for the info it will find it in its own cookie.
 
LVL 1

Author Comment

by:tacf
ID: 11907936
I'll try this. There's one slight complication. The cookie that stores the user's data is specified in the web.config file:

    <authentication mode="Forms">
      <forms name=".DOTNETNUKE" protection="All" timeout="60" />
    </authentication>

I have confirmed this by changing the name in the quotes and noting that the name of the cookie changes. The cookie contains a single value which is a big long messy string like JKBWEBWEITBEIOWRBEOWIROIETN, probably encrypted or something like that. Is there a way of extracting the data from such a cookie?
 
LVL 1

Author Comment

by:tacf
ID: 11908159
I've found out some more info but I fear I'm heading towards a dead end.

1) The cookie that's created by the FormsAuthentication is called ".DOTNETNUKE" (as specified in the web.config file) and its value is a big nasty string.

2) I can extract the FormsAuthenticationTicket from this cookie:

Dim ticket As FormsAuthenticationTicket = FormsAuthentication.Decrypt(Request.Cookies(".DOTNETNUKE").Value)

3) I can then use ticket.Name to find the userID that matches the identity column of the [Users] table in my SQL Database.

There's only one problem with this: the FormsAuthentication.Decrypt() method fails when I run it in the other application. I get an exception:

System.Security.Cryptography.CryptographicException: Bad Data

Even though both of my web.config files have the same structure for authentication, the data contained in the cookie must specify the application it belongs to as a security measure. Maybe this technique is not the right way to do it.

At the very least, I have learned that the existence of a .DotNetNuke cookie means someone is logged in. That's at least a start. I just need to find a way of getting the userid.
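Editor's note on the "Bad Data" exception above, with an added example that is not code from the thread or from DotNetNuke. The ticket does not carry an application identifier; FormsAuthentication.Decrypt fails in the second application because ASP.NET 1.1 defaults machineKey to validationKey="AutoGenerate,IsolateApps" and decryptionKey="AutoGenerate,IsolateApps", which derives a different key for every application, so a ticket encrypted and MAC'd under www.tacf.org's keys is undecryptable under secure.tacf.org's keys even with identical <forms> settings. The fragment below, with placeholder key values to be replaced by your own random hex, goes into both web.config files so that both applications encrypt and validate the ticket with the same keys:

```xml
<!-- Put an identical copy in BOTH web.config files (www and secure).
     The key values are placeholders: generate your own random hex
     (validationKey 40 to 128 hex chars; decryptionKey 48 hex chars,
     the 3DES key length ASP.NET 1.1 uses). -->
<system.web>
  <machineKey
    validationKey="REPLACE_WITH_YOUR_OWN_RANDOM_HEX_VALIDATION_KEY"
    decryptionKey="REPLACE_WITH_YOUR_OWN_RANDOM_HEX_DECRYPTION_KEY"
    validation="SHA1" />
  <authentication mode="Forms">
    <!-- Same name, protection and timeout as the DotNetNuke site. -->
    <forms name=".DOTNETNUKE" protection="All" timeout="60" />
  </authentication>
</system.web>
```

Shared keys alone are not enough: a cookie set by www.tacf.org without a Domain attribute is host-only and the browser never presents it to secure.tacf.org, so the issuing side also has to set Domain to ".tacf.org". Keep the keys out of source control and treat them like a password: anyone holding validationKey and decryptionKey can mint a ticket for any user name.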
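The two sides in code, as an added VB.NET example (not DotNetNuke's own code, and not from the thread). It assumes the shared <machineKey> and identical <forms> settings are already in both web.config files, that the parent domain is .tacf.org, and that the calling page passes in its Response/Request objects. On the www side the call belongs right where the site already authenticates the user and issues its cookie; ASP.NET 1.1 has no domain attribute on <forms>, so the Domain is set on the response cookie after SetAuthCookie. On the secure side the class decrypts the ticket by hand, mainly so that a key mismatch shows up as a clear failure:

```vb
' Added example, not DotNetNuke or Experts Exchange code.
' Assumes: identical <machineKey> and <forms name=".DOTNETNUKE" ...> in both
' web.config files, parent domain .tacf.org.
Imports System
Imports System.Web
Imports System.Web.Security

Public Class SharedTicket

    ' www side: call immediately after the user's password has been
    ' verified, where the application would otherwise issue its cookie.
    Public Shared Sub IssueSharedCookie(ByVal response As HttpResponse, ByVal userName As String)
        FormsAuthentication.SetAuthCookie(userName, False)
        Dim cookie As HttpCookie = response.Cookies(FormsAuthentication.FormsCookieName)
        ' Leading dot: the browser sends it to www.tacf.org and
        ' secure.tacf.org alike.
        cookie.Domain = ".tacf.org"
        ' Deliberately NOT cookie.Secure = True: the browser would then stop
        ' sending it over http:// and the main site would appear logged out.
        ' Consequence: this ticket is exposed on the clear-text host.
    End Sub

    ' secure side: returns ticket.Name (the value the issuing side stored,
    ' for DotNetNuke the key into [Users]) or Nothing when there is no
    ' valid shared ticket.
    Public Shared Function ReadSharedTicketName(ByVal request As HttpRequest) As String
        Dim cookie As HttpCookie = request.Cookies(FormsAuthentication.FormsCookieName)
        If cookie Is Nothing OrElse cookie.Value Is Nothing OrElse cookie.Value.Length = 0 Then
            Return Nothing
        End If

        Dim ticket As FormsAuthenticationTicket
        Try
            ' Throws CryptographicException ("Bad Data") when the two
            ' applications do not share validationKey/decryptionKey.
            ticket = FormsAuthentication.Decrypt(cookie.Value)
        Catch ex As Exception
            Return Nothing
        End Try

        ' protection="All" already checked the MAC; still refuse stale tickets.
        If ticket Is Nothing OrElse ticket.Expired Then
            Return Nothing
        End If
        Return ticket.Name
    End Function

End Class
```

Once both web.config files match, FormsAuthenticationModule on secure.tacf.org will read the same cookie itself, so Request.IsAuthenticated becomes True and User.Identity.Name equals ticket.Name without any of this code; ReadSharedTicketName is useful for diagnosing a key mismatch and for checks before the card page renders. The caveat is the one in the comment: the same cookie that unlocks the credit card page is sent in the clear on every request to www.tacf.org, and anyone who captures it can present it to secure.tacf.org until the 60 minute timeout expires.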
 
LVL 4

Expert Comment

by:sgalzin
ID: 11911024
Hi all,

I do not know ASP, so maybe this won't help much, but just in case here it is:
- once the user is authenticated, you could store that information on the server by saving (to a database, for example) its session ID (there must be a way of getting the browser session ID in ASP).
- when the user is on the non-secure server, have the server-side scripts check the database to see if a matching browser session ID is declared as authenticated.

From what I know, session IDs are attributed to the browser by the server in some unique way (another one of those big long gibberish strings), so if on one end a session ID is declared as authentic, the same session ID on the other end should be the same exact authenticated browser !

Hope that helps !

Stephane.
 
LVL 1

Expert Comment

by:Cart_man
ID: 11920170
Just try using a state server for your applications.

That way the cookies will still be valid between requests.

First thing you want to do is set the Mode attribute of the sessionState element to "StateServer":

<sessionState
            mode="InProc"

changes to

<sessionState
            mode="StateServer"

Set up a state server on the web server by starting the "ASP.NET Session Server" service.
Configure the StateConnectionString attribute so that it points to your state server.


To find out more:
http://www.eggheadcafe.com/articles/20021016.asp
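A server-side hand-off, as an added VB.NET example in the spirit of the two comments above (a record keyed by a random ID that the other application looks up). It is not code from the thread or from DotNetNuke; it assumes a hypothetical HandoffTokens table in the SQL database both applications already share (the [Users] table lives there), an assumed connection string, and that the caller passes in the page's Request/Response. The ASP.NET session cookie is host-only by default just like the forms cookie, so neither application sees the other's session without something shared on the server; here that shared thing is a single-use token rather than the authentication ticket itself, which keeps the cookie that unlocks the card page off the clear-text host: www writes a random token with a 60 second lifetime and redirects, secure redeems it exactly once over https and issues its own forms cookie with the Secure flag set.

```vb
' Added example, not DotNetNuke or Experts Exchange code.
' Assumed table in the database both applications share:
'   CREATE TABLE HandoffTokens (Token char(44) PRIMARY KEY,
'                               UserId int NOT NULL, Expires datetime NOT NULL)
Imports System
Imports System.Data
Imports System.Data.SqlClient
Imports System.Security.Cryptography
Imports System.Web
Imports System.Web.Security

Public Class SecureHandoff
    ' Assumed connection string; read it from web.config in practice.
    Private Const ConnStr As String = "server=(local);database=tacf;integrated security=SSPI"
    Private Const TokenLifetimeSeconds As Integer = 60

    ' www side (plain http): record a random single-use token for the
    ' logged-in user and send the browser to the https host with it.
    Public Shared Sub RedirectToSecure(ByVal response As HttpResponse, ByVal userId As Integer, ByVal securePage As String)
        Dim raw(31) As Byte                        ' 32 bytes from the OS CSPRNG
        Dim rng As New RNGCryptoServiceProvider
        rng.GetBytes(raw)
        Dim token As String = Convert.ToBase64String(raw)   ' always 44 chars

        Dim conn As New SqlConnection(ConnStr)
        Dim ins As New SqlCommand("INSERT INTO HandoffTokens (Token, UserId, Expires) VALUES (@t, @u, @e)", conn)
        ins.Parameters.Add("@t", SqlDbType.Char, 44).Value = token
        ins.Parameters.Add("@u", SqlDbType.Int).Value = userId
        ins.Parameters.Add("@e", SqlDbType.DateTime).Value = DateTime.UtcNow.AddSeconds(TokenLifetimeSeconds)
        conn.Open()
        Try
            ins.ExecuteNonQuery()
        Finally
            conn.Close()
        End Try

        ' The token only ever travels over https, is worthless after one
        ' use or 60 seconds, and grants nothing by itself on www.
        response.Redirect("https://secure.tacf.org/" & securePage & "?t=" & HttpUtility.UrlEncode(token))
    End Sub

    ' secure side (https): redeem the token once, then issue THIS
    ' application's own forms cookie, scoped to secure.tacf.org and
    ' marked Secure so the browser never sends it over http.
    Public Shared Function RedeemToken(ByVal request As HttpRequest, ByVal response As HttpResponse) As Boolean
        If Not request.IsSecureConnection Then Return False
        Dim token As String = request.QueryString("t")
        If token Is Nothing OrElse token.Length <> 44 Then Return False

        Dim userId As Integer
        Dim conn As New SqlConnection(ConnStr)
        Dim sel As New SqlCommand("SELECT UserId FROM HandoffTokens WHERE Token = @t AND Expires > @now", conn)
        sel.Parameters.Add("@t", SqlDbType.Char, 44).Value = token
        sel.Parameters.Add("@now", SqlDbType.DateTime).Value = DateTime.UtcNow
        Dim del As New SqlCommand("DELETE FROM HandoffTokens WHERE Token = @t", conn)
        del.Parameters.Add("@t", SqlDbType.Char, 44).Value = token
        conn.Open()
        Try
            Dim found As Object = sel.ExecuteScalar()
            ' The DELETE must remove exactly one row: a second request
            ' racing with this one sees 0 rows and is refused.
            If found Is Nothing OrElse del.ExecuteNonQuery() <> 1 Then Return False
            userId = CInt(found)
        Finally
            conn.Close()
        End Try

        FormsAuthentication.SetAuthCookie(userId.ToString(), False)
        response.Cookies(FormsAuthentication.FormsCookieName).Secure = True
        Return True
    End Function

End Class
```

The secure application needs no shared <machineKey> for this, because it only ever reads tickets it issued itself. The token passes in the query string and therefore lands in the https server's access log, which is why it is single-use and short-lived; expired rows can be purged by a scheduled DELETE. What the hand-off does not do is stop someone holding a captured www cookie from starting one, so the card page should ask for the password again over https before showing or changing card details.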
 

Accepted Solution

by:
RomMod earned 0 total points
ID: 12411447
The question has been PAQ'd and the 500 points have been refunded.
RomMod
Community Support Moderator
