Solved

Secure Sessions across multiple domains

Posted on 2005-04-26
Last Modified: 2012-06-21
Hello,

I have a problem with a single user logon option.  Currently we have two domains, www.ourdomain.com and www.theirdomain.com.  Users need to provide a username and password for both.  We are looking into setting up a single point of entry.  Once the users log into www.theirdomain.com a certificate of some sort should be passed if they go to access www.ourdomain.com.  Currently it's a real pain having our customers and vendors login twice if they want to access two different pieces of information.  www.theirdomain.com is an application that was developed by an outside company and they host it; we have access to some of the code.  The www.ourdomain.com is developed and hosted by us.  We can do whatever we want with the code.  Both of the sites are written in ASP, hosted on IIS.  Any help would be much appreciated.

Thanks,
Tomasz
Question by:tomasz_k
25 Comments
 
LVL 14

Expert Comment

by:alimu
ID: 13873297
Hi tomasz_k,
Could you please clarify what it is you want to know?
thanks,
alimu.
0
 

Author Comment

by:tomasz_k
ID: 13875240
Clarification --- Imagine you login to www.dell.com in order to purchase a machine.  Then you want to track your order on www.fedex.com site and in order to do that, let's say, you need to log in again to www.fedex.com.  This would require you to login twice.  Well, Dell doesn't do that, you just login once and your authentication info gets "passed" somehow to the www.fedex.com site so no login is required.  I'm in the same situation. I have two separate websites and I need user authentication, ie, Session variables and such, to be passed from one to the other. How can I do that?

0
 
LVL 14

Expert Comment

by:alimu
ID: 13875279
are both of your websites in the same Active Directory domain?
how secure do you need it to be (is a username enough or do you need a password)?
0
 

Author Comment

by:tomasz_k
ID: 13875312
They are not in the same active directory, one of the websites is being hosted by my company, the other is being hosted by an outside company.  I need people to login with a user name and password.
0
 
LVL 14

Expert Comment

by:alimu
ID: 13882927
ok - just to explain the delay, I tried to get one of the other experts in here to take a look and maybe give some tips but I'm not sure my message got to them.  I've only got one system setup this way and it's not secure on the remote end (i.e. technically anyone could send the same query out and get a result).
unless you have some sort of domain trust setup you're not going to be able to use domain authentication across 2 domains.
It sounds like you need to develop a web service.
As an example what we've done is run up a schedule checking application using soap toolkit that posts xml to define what data to collect, this goes from the internal site, to the external site, the SOAP listener on that end processes the request and feeds back the schedule via an xml return to the browser.  To secure it you could use certificates, IP restrictions between web servers and/or an encryption algorithm.

I'm not sure I'll be able to answer many questions on this because I'm not a developer.  
You can get the SOAP toolkit here: http://www.microsoft.com/downloads/details.aspx?FamilyId=C943C0DD-CEEC-4088-9753-86F052EC8450&displaylang=en
MS's resource for web services is here: http://msdn.microsoft.com/webservices/ , specifically look at the articles on the right hand side of screen under "essential information".
AJ.
0
 
LVL 37

Expert Comment

by:meverest
ID: 13884088
Hello,

is the logon IIS authentication or application based (ie login form etc)?  If the former, then you can achieve the consistent authentication by setting the 'realm' for each web site to the same value.

(this article describes how to set the realm value http://www.windowsitpro.com/Web/Articles/ArticleID/26923/pg/3/3.html)

If it's application based, then you will need to have the application pass some token to the other site that identifies the logged in user.

Cheers.
0
 

Author Comment

by:tomasz_k
ID: 13888326
Meverest,

The authentication is form based, it gets checked against an SQL database.  I'm not sure what you mean by passing tokens.  I could send the username and password values over from one server to the next and get authenticated again, but I was wondering if there is a simpler way, for example to copy the session variable values somehow from one server to the next?

Thanks.
0
 
LVL 37

Expert Comment

by:meverest
ID: 13899076
Hi,

yes, you can copy the session, but the mechanism varies between application languages.  this has become not an IIS issue any more, but a question for the relevant application language.  if it's ASP code, ask in the ASP topic area, etc.

cheers.
0
 
LVL 37

Expert Comment

by:meverest
ID: 13899641
Hi Alimu,

the only problem with doing that is that 500 points in a different topic area may not be attractive to experts of the other area.  Since it is against policy to offer 500 points for the 'pointer' question, then the expert cannot get any points in their 'home' topic area.

maybe there needs to be some reconsideration on that policy point?

Cheers.
0
 
LVL 14

Expert Comment

by:alimu
ID: 13917060
Hi tomasz_k,
is this resolved or do you still need assistance (see my earlier comment about a pointer question).
A.
0
 

Author Comment

by:tomasz_k
ID: 13917181
Hi alimu and Netminder

The issue is not resolved, and as for moving the question to a different topic area, I will rely on your suggestions.  I haven't posted enough questions to know what the best course of action is.  All I know is that I would like to get this resolved in the best possible manner, so anything you can recommend I will accept.  

Thank you.
0
 
LVL 15

Expert Comment

by:Eric AKA Netminder
ID: 13918442
tomasz_k,

Your problem starts with the inherently insecure nature of the Internet. You can't send a variable (such as login information or even the state of being logged in or not) from one domain to another securely; it will be exposed somewhere.

One way to do what you want is to create a login page that logs you into both at the same time; you should be able to do this in ASP (don't ask me to write the code, but here's what needs to happen).

Create a login page. When the user clicks on the submit button, it sends the login information to BOTH domains at the same time, which creates the sessions. You'll essentially wind up opening two browser windows, because if you didn't, then the session wouldn't exist. It would be polite to offer your users a choice of sites to go to -- yours or the other one -- when they log in, but it isn't necessary. It's also a bit of a security risk, because someone might close the other window, thinking it's a popup ad. Log out of EE, and then close your browser and reopen it and come to EE; you'll see that there's usually a second window behind the EE one.

Here's how I would do it: When you want someone to be able to log into your site, and log into theirs at the same time, I would create a table that contains the logins and passwords for both. Then when someone logs into your site, the ASP page checks the table and sends the login/pw info for the other site to the other site. It would necessarily have to open the second browser window to do that -- but it should work.

From a security standpoint, I don't like it, but without knowing the nature of either site in terms of the sensitivity of information, it might not be a huge issue.

The other way would be to use a cookie, but I'm not certain that would work -- you'd probably have to get an ASP/javascript person in here to tell you -- because I don't know if there's a way to share a cookie between two domains securely. But even if you can, you face the same issues that you face above.

ep
0
 
LVL 37

Assisted Solution

by:meverest
meverest earned 750 total points
ID: 13924225
Hello,

just wanted to add that a cookie is no use in this situation because to set the cookie requires the browser to hit the web site to start with.

secondly, i am fairly certain that it is not possible to create a session on the second web site by logging on from the first - once again, most session state is managed by setting a cookie in the browser containing the session identifier.  Once again, that cookie cannot be returned to a web site that it did not come from.

the only way to achieve a 'cross web site session' outcome is to pass the session identifier through other means, such as a url variable (www.site2.com/index.asp?sessionID=xxxxxx) or through form post of some hidden input field. (eg <input type=hidden name="sessionID" value="xxxxx">)

then what is required of the site2 application is to take that session id and turn it into a session key.  As i mentioned previously, that is an application specific mechanism and not an IIS configuration problem.  That is why I suggested to ask in the ASP topic area for code advice.

Cheers.


0
 
LVL 15

Expert Comment

by:Eric AKA Netminder
ID: 13927442
Mike,

Good points. My suggestion made the assumption that the visitors had been to the site before -- meaning that the cookie would already be in place. But I definitely agree that this isn't an IIS issue -- maybe alimu or Netminder could send out a call for the ASP folks.

Best regards,

ep
0
 
LVL 19

Expert Comment

by:peh803
ID: 13927578
ASP expert checking in...

This looks a bit messy thus far :)

Can someone give a quick update as to what has been tried (if anything) thus far?

Does your form-based authentication use SSL?

Thanks,
Phil / peh803
0
 
LVL 2

Expert Comment

by:Odyssey122
ID: 13927666
why don't you just figure out how you can pass variables via querystring?  isn't that how affiliate sites and **** work....the company passes my info through the query string and the opposing page reads it and registers me or whatever...

Ody
0
 
LVL 19

Expert Comment

by:peh803
ID: 13927717
>>the company passes my info through the query string and the opposing page reads it and registers me or whatever...

I think we need to better understand what level of security is desired here .. is sensitive data (cc#'s, SSN's, etc.) available to authenticated users?  If so, you won't want to send authentication information around using a querystring, as was emphatically recommended by the previous poster.  

The title of this question is "Secure Sessions across multiple domains".  So my question is ... How secure does it need to be?

Thanks,
Phil / peh803
0
 
LVL 13

Accepted Solution

by:
davidlars99 earned 750 total points
ID: 13927933
you can try the following, which sends requests to the server and I think (I'm not sure though) that after this, as soon as you navigate to the second domain it should identify you. remember that you also have to authenticate the user either by values sent thru "url" variable's query strings or just "Request.Form("txtUsername")" and Request.Form("txtPassword") sent by http://www.ourdomain.com/login.asp and POST method in WinHttp.WinHttpRequest.5.1

authentication must be done at same time, i.e. when you authenticate user in ourdomain.com it also has to be authenticated in theirdomain.com, and it will be good if you keep Session.TimeOut property same for both domain so that when sessions time out in one domain they don't stay in second


Dim url, postData, myReq

' login page on the second domain; the credentials go in the POST body
' (Request.Form on theirdomain), not in the query string
url = "http://www.theirdomain.com/login.asp"
postData = "txtUsername=" & Server.URLEncode(Request.Form("txtUsername")) & _
           "&txtPassword=" & Server.URLEncode(Request.Form("txtPassword"))

Set myReq = Server.CreateObject("WinHttp.WinHttpRequest.5.1")
' VBScript: no parentheses around the arguments of a method called as a statement
myReq.Open "POST", url, False
myReq.SetRequestHeader "Accept-Language", "en-us"   ' --> or Request.ServerVariables("HTTP_ACCEPT_LANGUAGE")
myReq.SetRequestHeader "Connection", "Keep-Alive"
myReq.SetRequestHeader "Referer", "http://www.ourdomain.com/login.asp"
myReq.SetRequestHeader "User-Agent", Request.ServerVariables("HTTP_USER_AGENT")
myReq.SetRequestHeader "Cache-Control", "no-cache"
myReq.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
' a request Cookie header only carries name=value pairs (domain/path/HttpOnly
' belong to Set-Cookie), so the credentials are sent once, in the form body
myReq.Send postData

If myReq.Status <> 200 Then
    Response.Write "remote login failed: " & myReq.Status & " " & myReq.StatusText
End If



if this solves your problem you should remember that authentication without SSL is a security risk and you must take it very seriously, if you do then consider doing it like this

url = "https://www.theirdomain.com/login.asp"   ' --> note that it's HTTPS, not HTTP
Set myReq = Server.CreateObject("WinHttp.WinHttpRequest.5.1")
myReq.Open "POST", url, False
' client certificate must be selected after Open and before Send
myReq.SetClientCertificate "LOCAL_MACHINE\Personal\My Middle-Tier Certificate"

and everything else will be the same, for more info about this read msdn documentation at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winhttp/http/iwinhttprequest_setclientcertificate.asp

there's also a slightly different way of doing this and that is, instead of "WinHttp.WinHttpRequest.5.1" you would use "MSXML2.ServerXMLHTTP.4.0" and instead of "SetClientCertificate" you would use "setOption" method like so and everything else would stay the same

Const SXH_OPTION_SELECT_CLIENT_SSL_CERT = 3

url = "https://www.theirdomain.com/login.asp"   ' --> note that it's HTTPS, not HTTP
Set myReq = Server.CreateObject("MSXML2.ServerXMLHTTP.4.0")
myReq.Open "POST", url, False
' select the client certificate before calling Send
myReq.setOption SXH_OPTION_SELECT_CLIENT_SSL_CERT, "certificateName"

[from msdn website]
SXH_OPTION_SELECT_CLIENT_SSL_CERT
By default, the value of this option is an empty string (""), which means pick the first certificate in the local store to send if the server requests a client certificate.

The SXH_OPTION_SELECT_CLIENT_SSL_CERT option is a string that lets you select which client certificate from the local store should be sent. You must set this option before calling the send method. The following example sets the client certificate option to request the client certificate named "MSXML":

shx.setOption(3, "MSXML")
[end]


however there was a bug in "MSXML2.ServerXMLHTTP" and I don't know if that bug was fixed in "MSXML2.ServerXMLHTTP.4.0", also remember that 4.0 version is not installed in any win 2000  so you need to install it from microsoft website! I heard that lots of bugs were fixed in the new version so I would strongly recommend to download and install it

[MSXML2.ServerXMLHTTP bug info]
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q290899
0
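A worked example of the handoff meverest describes (a session identifier passed by URL variable or hidden field, which site2 then turns into a session of its own), and of the "authenticate in both domains at the same time" step in the accepted answer, done without replaying the user's password to the second server. This is an added example, written in Python so both halves can be exercised together; it is not code from the question, from any of the posters or from MSDN. The shared secret, the `sso.asp` endpoint, the `handoff` field name and all function names are assumptions. Instead of passing the raw session id or the credentials, site 1 signs a short-lived, single-use token over the username with an HMAC keyed by a secret both sites hold; site 2 checks signature, audience, expiry and nonce before creating its own session.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode

# Hypothetical shared secret agreed out of band between the two sites
# (constructed placeholder; in practice a long random value kept server-side).
SHARED_SECRET = b"placeholder-shared-secret-exchanged-out-of-band"
TOKEN_TTL = 60        # seconds a handoff stays redeemable
CLOCK_SKEW = 5        # tolerated clock difference between the two servers
SSO_ENDPOINT = "https://www.theirdomain.com/sso.asp"   # assumed receiving page


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_handoff(username: str, now: Optional[int] = None) -> str:
    """Site 1 (ourdomain): mint a signed, short-lived, single-use handoff for a
    user it has already authenticated. Only the username travels, never the
    password or site 1's own session id."""
    now = int(time.time()) if now is None else now
    payload = {
        "sub": username,
        "aud": "www.theirdomain.com",     # which site may redeem it
        "iat": now,
        "exp": now + TOKEN_TTL,
        "nonce": secrets.token_hex(16),   # makes every handoff unique (replay check)
    }
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def handoff_url(token: str) -> str:
    """Redirect target carrying the token as a URL variable, like the
    'www.site2.com/index.asp?sessionID=xxxxxx' idea above; a hidden form
    field posted to the same page works identically."""
    return SSO_ENDPOINT + "?" + urlencode({"handoff": token})


def extract_handoff(query_string: str) -> Optional[str]:
    values = parse_qs(query_string).get("handoff")
    return values[0] if values else None


class HandoffConsumer:
    """Site 2 (theirdomain): verify the handoff and turn it into a session of
    its own, the application-level step meverest says site2 has to do."""

    def __init__(self, secret: bytes, audience: str) -> None:
        self.secret = secret
        self.audience = audience
        self.seen_nonces: Dict[str, int] = {}   # nonce -> exp, replay cache
        self.sessions: Dict[str, str] = {}      # session id -> username

    def redeem(self, token: str, now: Optional[int] = None) -> Optional[str]:
        now = int(time.time()) if now is None else now
        try:
            body, sig = token.split(".")
            expected = _b64(hmac.new(self.secret, body.encode(), hashlib.sha256).digest())
            # constant-time compare before trusting anything inside the body
            if not hmac.compare_digest(sig, expected):
                return None
            payload = json.loads(_unb64(body))
            if payload["aud"] != self.audience:
                return None
            if not (payload["iat"] - CLOCK_SKEW <= now < payload["exp"]):
                return None
            nonce = payload["nonce"]
        except (ValueError, KeyError, TypeError):
            return None
        # forget nonces that can no longer be replayed, then reject a reuse
        self.seen_nonces = {n: e for n, e in self.seen_nonces.items() if e > now}
        if nonce in self.seen_nonces:
            return None
        self.seen_nonces[nonce] = payload["exp"]
        # fresh session id for site 2, unrelated to anything site 1 used
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = payload["sub"]
        return session_id


if __name__ == "__main__":
    consumer = HandoffConsumer(SHARED_SECRET, "www.theirdomain.com")
    token = issue_handoff("tomasz")
    print(handoff_url(token))
    print("first redeem :", consumer.redeem(token))
    print("second redeem:", consumer.redeem(token))   # None, single use
```

Because the token travels in the URL just as the session id in meverest's example would, the link must only be emitted over HTTPS, and `sso.asp` should set its own session cookie and redirect immediately so the token does not linger in browser history or Referer headers; the short TTL and nonce cache limit the damage if it is captured anyway. The secret lets theirdomain trust ourdomain's authentication decision without ever seeing the user's password.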
 
LVL 13

Expert Comment

by:davidlars99
ID: 13927979
I can't test it so don't blame me  :)
0
 
LVL 13

Expert Comment

by:davidlars99
ID: 13928003
one more thing when you authenticate remember that this

myReq.setRequestHeader("Referer", "http://www.ourdomain.com/login.asp")

is a part of security and should be checked in theirdomain/login.asp during the authentication

0
 

Author Comment

by:tomasz_k
ID: 13928599
Thanks for all the suggestions so far.  

A couple of you asked to clarify the level of security I'm looking for.  This information is not extra sensitive, no credit card numbers or SSN.  But I also won't want the average joe blow to get in and see the information.  This site will hold all of our supplier releases, what they need to ship, to which location and such.  The market is very competitive so we don't want the supplier to know what gets ordered from whom.

I like the idea of sending the username and password info between sides using form field, post the data back to a site in hidden forms.  And then recreate the session on the different site.  Seems easy to do, but how secure is this?  

Thanks once again for all the help so far.

Tomasz
0
 
LVL 19

Expert Comment

by:peh803
ID: 13928716
>>Seems easy to do, but how secure is this?  

Hence my question about security.  If you don't use SSL to secure your form posts, anyone can sniff the contents of the packets as they fly from client to server, which means they can get anything they want that you're passing.  However, since you're not using SSL, I'd say that this is currently *just as* secure as your current mode of forms authentication.  In fact, it's the same except for the fact that you're posting to a different server.

Does that answer your question?

Thanks,
Phil
0
 
LVL 13

Expert Comment

by:davidlars99
ID: 13929136
--> *just as* secure as your current mode of forms authentication...

peh803, how can you pass form values to the second domain without submitting the form..?

0
 
LVL 13

Expert Comment

by:davidlars99
ID: 13929191
overall I think that *.*HttpRequest.x.x seems to be the way to go...
0
 

Author Comment

by:tomasz_k
ID: 14077337
Hi All,

The moderator is asking me to decide what to do with this question, well, I can't.  I have been taken off the project for a month or so and made to focus on a different one.  The question is still current, but I won't get to test any of the suggestions posted for a while.  I know it doesn't seem fair for the people that provided the input, but I don't want to delete the question or close it by just picking a random answer as well.  The best I can offer is, that I'll need to get this solved sooner or later, but currently it's not a priority.  If this is good enough for the Moderator then the question should stay, if not, I'll let him figure out what is the best course of action to take.

Tomasz
0
