ASP.net Single Sign On

Posted on 2010-09-20
Last Modified: 2012-06-21
I have set up 2 websites on the same domain at the moment (for example, test.mainsite.com/site1 and test.mainsite.com/site2).

I have been trying to achieve an SSO between them and think that I have it working, but I want to make sure that I am not creating any security holes.  I will highlight the changes I made to each application and ask for advice/comments:

Both web.configs have a machine key defined with the same validationKey, decryptionKey, and validation.

Both web.configs have the same forms authentication definition:
 <authentication mode="Forms">
   <forms timeout="1440" loginUrl="~/Login.aspx" name="formscookiename1" path="/"/>
 </authentication>

On the login page of my site 1, I create the Formauth and cookie as such:

// Create a persistent ticket for the logged-in user (720-minute timeout) and
// encrypt it with the shared machineKey so the other site can decrypt it.
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket( loginname, true, 720 );
string strEncrypted = FormsAuthentication.Encrypt( ticket );
// Same cookie name as in both web.configs, so site 2 picks the cookie up too.
HttpCookie hc = new HttpCookie( FormsAuthentication.FormsCookieName, strEncrypted );
hc.Expires = DateTime.Now.AddHours( 8 );
Response.Cookies.Add( hc );


What I found is that as long as the machinekey info is the same, and the formscookie name is the same, I was able to login to site 1 and automatically be logged into site 2 when I hit that site.

Also, the logout page with this code in it:
FormsAuthentication.SignOut();

successfully signed out of both sites.


My question really is then, have I done this right?  Are there any mistakes made here that would open up a security hole in the 2 sites (i.e. can cookies be copied, etc.)?

Thanks.
Question by:MikeCausi
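An added example, not the poster's code and not part of the accepted answer, showing the same cookie creation with the two cookie flags a reviewer would check for on a shared forms-authentication cookie (HttpOnly and Secure) and with the cookie expiry tied to the ticket's expiry instead of a second hard-coded value (the question's code uses a 720-minute ticket but an 8-hour cookie). It assumes ASP.NET Web Forms (System.Web) and the shared <machineKey> and <forms name="..."> from the question; the class and method names (SharedLogin, CreateAuthCookie, SignIn) are made up for the illustration.

```csharp
// Added example (not the poster's code). Assumes ASP.NET Web Forms with both
// applications sharing the same <machineKey> and <forms name="..." path="/">.
using System;
using System.Web;
using System.Web.Security;

public static class SharedLogin   // hypothetical class name
{
    // Builds the encrypted forms-auth cookie for loginName. The ticket
    // expiry and the cookie expiry come from the same value, so the browser
    // never keeps a cookie longer than the server still considers it valid.
    public static HttpCookie CreateAuthCookie(string loginName, int timeoutMinutes, bool isSecureConnection)
    {
        DateTime issued = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1,                                   // ticket version
            loginName,                           // user name
            issued,                              // issue date
            issued.AddMinutes(timeoutMinutes),   // expiration
            true,                                // persistent, as in the question
            string.Empty,                        // no user data
            FormsAuthentication.FormsCookiePath); // "/" in the question's config

        // Encrypted (and MAC'd) with the shared validationKey/decryptionKey,
        // which is what lets the second site read the same ticket.
        string encrypted = FormsAuthentication.Encrypt(ticket);

        return new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            Path = FormsAuthentication.FormsCookiePath, // shared by every app under the host
            HttpOnly = true,                            // script on either site cannot read the ticket
            Secure = isSecureConnection,                // only sent over HTTPS when issued over HTTPS
            Expires = ticket.Expiration                 // matches the ticket, not a separate value
        };
    }

    // Call from the login page once the credentials have been verified.
    // timeoutMinutes should match the <forms timeout="..."> value (1440 in the question).
    public static void SignIn(HttpRequest request, HttpResponse response, string loginName, int timeoutMinutes)
    {
        response.Cookies.Add(CreateAuthCookie(loginName, timeoutMinutes, request.IsSecureConnection));
    }
}
```

Setting requireSSL="true" on the <forms> element makes ASP.NET refuse to issue or honour the cookie over plain HTTP, which addresses the copy-the-cookie concern for anyone watching the network; it does nothing for a cookie copied from a browser that already holds it, and that exposure is bounded only by the server-side ticket expiry. Because the cookie is scoped to path="/", it is presented to every application under that host, not only site1 and site2, so any third application sharing the host and the machineKey is part of the same login domain.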
2 Comments
LVL 41

Accepted Solution

by:
guru_sami earned 500 total points
ID: 33717379
What you have done is fine and that's how it is done.

Author Closing Comment

by:MikeCausi
ID: 33717422
Thanks for the confirmation.  
