Allow cross authentication between web applications

Posted on 2006-04-13
Last Modified: 2012-06-27
I have a web application with its own user table. I want to integrate a bulletin board with the web site.

The problem is my web application is written in vb.net and the bulletin board is written in csharp. Since this is the case they will have to run as two separate web applications and cannot share session data.

My question is how can I share or pass session data so that if the user is logged into my web application they are automatically logged into the bulletin board when the bulletin board is accessed.

I have viewed the following article from MSDN  http://support.microsoft.com/default.aspx?scid=kb;en-us;307467

However, I don't think the MSDN option is viable in my case since I can't use a single consolidated web config file as the code languages are different and each separate project has certain things happening in its respective global.asax file.

Will the MSDN solution still work for me if modified correctly? If not what is the best way to perform this cross-authentication by passing session data?

Please do not say pass through a query string as this is just not secure enough for my purposes.
0
Question by:throttlenet
10 Comments
 
LVL 33

Expert Comment

by:raterus
ID: 16447051
Is the bulletin board software of your own design, or a canned product for which you have access to the source code?

Hopefully (This is a big IF), the bulletin board software was done in ASP.net 2.0, and uses the MembershipProvider, that way you could modify the web.config to use your own provider, but if I had to guess it's not like that.

Your other options aren't as easy; somehow you have to pass authentication information to the entry page of the bulletin board application.  Assuming you can modify the code that authenticates in the bulletin board software, you might want to look at setting an encrypted cookie (or querystring) in your main app, that the bulletin board software can interpret as "ok to authenticate" based on perhaps a shared key in both applications.  For example, in your main app, you have their username.  You can then hash their username + shared key to create a mess of a string.  Pass that to the bulletin board, along with their username in plain text.  Your bulletin board software then hashes the username/shared key and the two had better match or they are not authenticated.
0
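
The shared-key check described in the post above, as an added example that is not part of the original thread. It uses HMAC-SHA256 in place of a plain hash of username + key and adds an expiry time so a captured value stops working; the token layout, class name and demo key are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Added example. Token layout (an assumption): username|expiryUnixSeconds|hmac
public static class HandoffToken
{
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    // Main app: call after a successful login and put the result in the cookie.
    public static string Issue(string username, byte[] key, DateTime expiresUtc)
    {
        if (username.IndexOf('|') >= 0) throw new ArgumentException("username contains '|'");
        string payload = username + "|" + (long)(expiresUtc - Epoch).TotalSeconds;
        return payload + "|" + Mac(payload, key);
    }

    // Bulletin board: returns the username, or null when the token is rejected.
    public static string Validate(string token, byte[] key, DateTime nowUtc)
    {
        string[] p = (token ?? "").Split('|');
        long expiry;
        if (p.Length != 3 || !long.TryParse(p[1], out expiry)) return null;
        if (!FixedTimeEquals(Mac(p[0] + "|" + p[1], key), p[2])) return null; // altered or forged
        if ((nowUtc - Epoch).TotalSeconds > expiry) return null;               // too old
        return p[0];
    }

    static string Mac(string payload, byte[] key)
    {
        using (HMACSHA256 h = new HMACSHA256(key))
            return BitConverter.ToString(h.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // Comparison that does not stop at the first differing character.
    static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        byte[] key = Encoding.ASCII.GetBytes("constructed-demo-key-do-not-reuse"); // constructed
        DateTime now = new DateTime(2006, 4, 13, 12, 0, 0, DateTimeKind.Utc);
        string t = Issue("alice", key, now.AddMinutes(5));
        Console.WriteLine(Validate(t, key, now) ?? "rejected");                            // untouched
        Console.WriteLine(Validate(t.Replace("alice", "admin"), key, now) ?? "rejected");  // name swapped
        Console.WriteLine(Validate(t, key, now.AddMinutes(6)) ?? "rejected");              // past expiry
    }
}
```

In a deployment the key would be random bytes held in each application's protected configuration, and the cookie would be sent only over HTTPS.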
 
LVL 4

Accepted Solution

by:
dtryon earned 2000 total points
ID: 16447224
The way we solved a similar issue was to attach an HttpModule that simply checks authentication information to the 'child' app.  Then we added a database table that received entries for logged in users to manage the state.  However, since you are both in .NET, managing state may be easier.

The HttpModule will run for each web request.
0
 
LVL 1

Author Comment

by:throttlenet
ID: 16447465
Raterus,

The bulletin board is a canned product which is not in .Net 2.0 - We have considered and mapped out a potential solution utilizing passing an encrypted variable and some database work.


dtryon, can you elaborate a little further on your solution and provide some detail on how to implement this?
0
 
LVL 1

Author Comment

by:throttlenet
ID: 16448585
What about using SQL Server Out of Proc to store my session values? Does this give me access to another way to accomplish this task?
0
 
LVL 4

Assisted Solution

by:dtryon
dtryon earned 2000 total points
ID: 16452095
Hi,
Yes, let me elaborate a little further.  Not sure if this is a good fit for your situation, but hopefully this post will help you consider it.  Since an HttpModule runs at every web request, it is easy to insert some code into one of its hook methods in order to check for security conditions.  HttpModules are pretty easy to get up and running as well.  The scenario that we had was one where we essentially wanted a single sign on through one 'gateway' site, which had a form.  For us, there was a forums web app that was third party.  We had our forums app placed in the same application, but in a sub-folder.  This set up the correct circumstances to use an HttpModule because everything was under one application domain and therefore we could add the HttpModule to the web.config.

Since an HttpModule runs at every web request, it helps eliminate a security module where you must add functionality to make a security check to every page of your application.  The code runs, but doesn't clutter the rest of your code.

HttpModules have many events that you can override and use to hook into.
For a quick refresher about HttpModules check out:
http://www.devx.com/dotnet/Article/6962/0/page/4

I also found this post which might be useful:
http://cephas.net/blog/2003/09/25/aspnet_httpmodule_security_example.html
0
 
LVL 4

Assisted Solution

by:dtryon
dtryon earned 2000 total points
ID: 16452109
Oh, I forgot to add that we used SQL server as a repository for security session variables.  We did this by generating a guid for each new user, and saving that information down to SQL server.  There may be a better way to do this, but it worked for us.  We used SQL server because one of our apps was a classic asp app and the other was a .NET app.

The main problem with this was cleaning the session information out of SQL server.  I tried to use the End_Session event, but that event acted a bit mysteriously since people usually just close their browser when done with a web app.

This was the MSDN article I read before using SQL Server:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspp/html/converttoaspnet.asp
0
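
The HttpModule plus server-side session table described in the two posts above, as an added example that is not code from the thread. The in-memory dictionary stands in for the SQL Server table, the token comes from the system CSPRNG rather than a GUID, and the class names, cookie name and login path are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
// Added example. In-memory stand-in for the SQL Server table: token -> user, expiry.
public static class SharedSessionStore
{
    class Row { public string User; public DateTime ExpiresUtc; }
    static readonly Dictionary<string, Row> rows = new Dictionary<string, Row>();

    // Gateway site: call at login and send the returned token as a cookie.
    public static string Create(string user, TimeSpan lifetime)
    {
        byte[] raw = new byte[16];
        RandomNumberGenerator.Create().GetBytes(raw);   // CSPRNG instead of a GUID
        string token = BitConverter.ToString(raw).Replace("-", "");
        lock (rows) rows[token] = new Row { User = user, ExpiresUtc = DateTime.UtcNow + lifetime };
        return token;
    }

    // Returns the user for a live token. Expired rows are deleted when seen,
    // so cleanup does not depend on a session-end event firing.
    public static string Lookup(string token)
    {
        lock (rows)
        {
            Row r;
            if (token == null || !rows.TryGetValue(token, out r)) return null;
            if (r.ExpiresUtc > DateTime.UtcNow) return r.User;
            rows.Remove(token);
            return null;
        }
    }
}

public class SharedLoginModule : IHttpModule
{
    public void Init(HttpApplication app) { app.AuthenticateRequest += OnAuthenticate; }
    public void Dispose() { }

    // Runs on every request to the application the module is registered in.
    void OnAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpCookie c = ctx.Request.Cookies["sso_token"];          // hypothetical cookie name
        string user = SharedSessionStore.Lookup(c == null ? null : c.Value);
        if (user != null)
            ctx.User = new GenericPrincipal(new GenericIdentity(user), new string[0]);
        else if (!ctx.Request.Path.EndsWith("/login.aspx", StringComparison.OrdinalIgnoreCase))
            ctx.Response.Redirect("~/login.aspx");                // hypothetical gateway form
    }
}
```

The module is registered under `<httpModules>` in the web.config of the application it protects. With a real table, the same expiry column lets a scheduled DELETE clear rows for tokens that are never presented again.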
 
LVL 1

Author Comment

by:throttlenet
ID: 16453502
dtryon,

Thanks for all the information, I will review the articles and give this a whirl. I'll let you know what we come up with and will award some points no matter which direction we go.
0
 
LVL 4

Expert Comment

by:dtryon
ID: 16454888
Best of luck,
I remember a good article that came through www.asp.net last month about HttpModules as Html filters.  If you could find that it may be of use as well.  It had more source code and went into the event cycle more in depth.  I looked quickly but couldn't find it.

Oh wait, just found it:

http://devel.oping.net/content/modifying-page-output-using-response-filters.aspx
0
 
LVL 1

Author Comment

by:throttlenet
ID: 16454945
Sweet, thanks, I will take a look at that also.
0
 
LVL 1

Author Comment

by:throttlenet
ID: 16580056
Thanks for all the help, I ended up not actually using the above solution but it is still an excellent solution and I will keep this in my bag of tricks for further use.

I actually solved the problem by using a cookie that contained encrypted values. Probably not the most elegant or 100% secure solution, but in my case this was an acceptable solution. The bulletin board was already using a cookie to store information so I went ahead and created the cookie on the main app's login. This allows the bulletin board to just load up with the user already authenticated.
0
