Solved

ASP.net Single Sign On

Posted on 2010-09-20
2
363 Views
Last Modified: 2012-06-21
I have set up 2 websites on the same domain at the moment (for example, test.mainsite.com/site1 and test.mainsite.com/site2).

I have been trying to achieve an SSO between them and think that I have it working, but I want to make sure that I am not creating any security holes. I will highlight the changes I made to each application and ask for advice/comments:

Both web.configs have a machine key defined with the same validationKey, decryptionKey, and validation.

Both web.configs have the same forms authentication definition:
 <authentication mode="Forms">
   <forms timeout="1440" loginUrl="~/Login.aspx" name="formscookiename1" path="/"/>
 </authentication>

On the login page of my site 1, I create the FormsAuth ticket and cookie as such:

 // Ticket for loginname, marked persistent, valid for 720 minutes
 FormsAuthenticationTicket ticket = new FormsAuthenticationTicket( loginname, true, 720 );
 // Encrypt/sign with the machineKey shared by both web.configs
 string strEncrypted = FormsAuthentication.Encrypt( ticket );
 HttpCookie hc = new HttpCookie( FormsAuthentication.FormsCookieName, strEncrypted );
 hc.Expires = DateTime.Now.AddHours( 8 );
 Response.Cookies.Add( hc );


What I found is that as long as the machineKey info is the same and the forms cookie name is the same, I was able to log in to site 1 and automatically be logged in to site 2 when I hit that site.

Also, the logout page with this code in it:

 FormsAuthentication.SignOut();

successfully signed out of both sites.


My question really is then, have I done this right? Are there any mistakes made here that would open up a security hole in the 2 sites (i.e. can cookies be copied, etc.)?

Thanks.
Question by:MikeCausi
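The setup described in the question (shared machineKey, same forms cookie name and path, a hand-built ticket dropped into a cookie) works because the forms cookie is a bearer token: any application that holds the same key and sees the same cookie name will decrypt it and trust the name inside. That also answers the "can cookies be copied" worry: yes, a copied cookie logs the holder in to both sites until the ticket inside it expires, so the practical defences are to keep the cookie out of script (HttpOnly), off the wire in clear text (Secure/requireSSL), and short-lived, with the expiry inside the encrypted ticket matching the expiry on the cookie. The following is an added example written for this page, not code from MikeCausi or from the accepted answer; the namespace SharedSso, the class SsoCookie and the Login.aspx.cs usage are assumed names, and the machineKey values in the comment are placeholders you must replace with your own generated keys.

```csharp
// Added example (not from the original post). Both web.config files are assumed
// to carry identical values for everything the ticket depends on, e.g.:
//
//   <machineKey validationKey="...hex..." decryptionKey="...hex..."
//               validation="SHA1" decryption="AES" />
//   <forms name="formscookiename1" path="/" loginUrl="~/Login.aspx"
//          timeout="480" requireSSL="true" slidingExpiration="false" />
//
// Note that the decryption attribute (not only validationKey, decryptionKey and
// validation) must also match, or the second site will fail to decrypt tickets
// minted by the first. On .NET 4.0+ validation="HMACSHA256" is preferable.
using System;
using System.Web;
using System.Web.Security;

namespace SharedSso            // assumed namespace
{
    public static class SsoCookie  // assumed class name
    {
        // Build the forms cookie so that the expiry enforced by the server (inside
        // the encrypted ticket) and the lifetime seen by the browser agree. The
        // original post used 720 minutes for the ticket and 8 hours for the cookie.
        public static HttpCookie Issue(string loginName, TimeSpan lifetime)
        {
            DateTime issued = DateTime.Now;
            var ticket = new FormsAuthenticationTicket(
                2,                                  // ticket version
                loginName,
                issued,
                issued.Add(lifetime),               // server-side expiry, inside the ciphertext
                false,                              // not persistent: dies with the browser session
                string.Empty,                       // no extra user data
                FormsAuthentication.FormsCookiePath);

            var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                        FormsAuthentication.Encrypt(ticket))
            {
                HttpOnly = true,                             // invisible to document.cookie
                Secure   = FormsAuthentication.RequireSSL,   // HTTPS only when requireSSL="true"
                Path     = FormsAuthentication.FormsCookiePath  // "/" so /site1 and /site2 both get it
            };
            if (!string.IsNullOrEmpty(FormsAuthentication.CookieDomain))
                cookie.Domain = FormsAuthentication.CookieDomain;
            // No Expires: a session cookie. The ticket's own expiration still bounds
            // how long any copy of it is accepted, which is what limits cookie theft.
            return cookie;
        }

        // What the second site effectively does on every request: decrypt with the
        // shared key and honour the ticket's own expiry. Returns the login name, or
        // null when the cookie is absent, was minted under a different machineKey,
        // was tampered with, or has expired.
        public static string Validate(HttpCookie cookie)
        {
            if (cookie == null || string.IsNullOrEmpty(cookie.Value))
                return null;

            FormsAuthenticationTicket ticket;
            try
            {
                ticket = FormsAuthentication.Decrypt(cookie.Value);
            }
            catch (Exception)   // wrong key or corrupted payload
            {
                return null;
            }
            if (ticket == null || ticket.Expired)
                return null;
            return ticket.Name;
        }

        // FormsAuthentication.SignOut() only tells this browser to drop the cookie.
        // A copy of the ticket taken earlier stays valid until its expiry, which is
        // why Issue() keeps the lifetime short instead of relying on sign-out.
        public static void SignOut()
        {
            FormsAuthentication.SignOut();
        }
    }
}

// Usage in Login.aspx.cs (assumed), after the credentials have been checked:
//
//   Response.Cookies.Add(SsoCookie.Issue(loginName, TimeSpan.FromHours(8)));
//   Response.Redirect(FormsAuthentication.GetRedirectUrl(loginName, false));
//
// and in a page on site 2, to see what the framework will accept:
//
//   string who = SsoCookie.Validate(Request.Cookies[FormsAuthentication.FormsCookieName]);
```

With requireSSL="true" the cookie is only ever sent over HTTPS, so a site served over plain HTTP will appear to lose its login; enable TLS on both applications before turning it on. Setting Path and Domain from the forms configuration rather than hard-coding them keeps the two web.config files as the single place where the sites must agree.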
2 Comments
 
LVL 41

Accepted Solution

by:
guru_sami earned 500 total points
ID: 33717379
What you have done is fine and that's how it is done.

Author Closing Comment

by:MikeCausi
ID: 33717422
Thanks for the confirmation.  
