Solved

ASP.net Single Sign On

Posted on 2010-09-20
2
339 Views
Last Modified: 2012-06-21
I have set up 2 websites on the same domain at the moment (for example,   test.mainsite.com/site1 and test.mainsite.com/site2).

I have been trying to achieve an SSO between them and think that I have it working, but I want to make sure that I am not creating any security holes.  I will highlight the changes I made to each application and ask for advice/comments:

Both web.configs have a machine key defined with the same validationKey, decryptionKey, and validation.

Both web.confgs have the same forms authentication definition.
 <authentication mode="Forms">
 <forms timeout="1440" loginUrl="~/Login.aspx" name="formscookiename1" path="/"/>
 </authentication>

On the login page of my site 1, I create the Formauth and cookie as such:

FormsAuthenticationTicket ticket = new  FormsAuthenticationTicket( loginname, true, 720 );
string strEncrypted = FormsAuthentication.Encrypt( ticket );
            HttpCookie hc = new HttpCookie( FormsAuthentication.FormsCookieName, strEncrypted );
hc.Expires = DateTime.Now.AddHours( 8);
Response.Cookies.Add( hc );


What I found is that as long as the machinekey info is the same, and the formscookie name is the same, I was able to login to site 1 and automatically be logged into site 2 when I hit that site.

Also, the logout page with this code in it;
FormsAuthentication.SignOut();                   

successfully signed out of both sites.


My question really is then, have I done this right?  Are there any mistakes made here that would open up a security hole in the 2 sites (i.e can cookies be copied etc..).

Thanks.
0
Comment
Question by:MikeCausi
2 Comments
 
LVL 41

Accepted Solution

by:
guru_sami earned 500 total points
ID: 33717379
What you have done is fine and that's how it is done.
0
 

Author Closing Comment

by:MikeCausi
ID: 33717422
Thanks for the confirmation.  
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Calculating holidays and working days is a function that is often needed yet it is not one found within the Framework. This article presents one approach to building a working-day calculator for use in .NET.
International Data Corporation (IDC) prognosticates that before the current the year gets over disbursing on IT framework products to be sent in cloud environs will be $37.1B.
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…
I designed this idea while studying technology in the classroom.  This is a semester long project.  Students are asked to take photographs on a specific topic which they find meaningful, it can be a place or situation such as travel or homelessness.…

919 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now