Solved

Cross Site Login

Posted on 2014-12-03
8
52 Views
Last Modified: 2016-07-17
This is what I am trying to pull off.  Before I keep wracking my brain on how to do it, I thought I'd ask the experts to see if it was even possible.

I have an application with a login page to authenticate users to use the application.  Authentication is determined by session.  If you have a valid username and password, a session is created and subsequent pages look for a valid session.

I want to have third parties be able to post a username and password over SSL connection to that login page and have them get validated (create a session).  Right now I have it posting the data to the login page using the WebClient class and UploadString method.  It posts fine.  It creates the session but when the post is complete, the session is removed.

What am I missing here?

I've looked into a "CookieAwareWebClient" but wanted out third parties to have to have as little code as possible on their end and only have to post the username and password to the login page.  

Maybe this isn't the best way?
0
Comment
Question by:reindeerauto
  • 4
8 Comments
 
LVL 83

Accepted Solution

by:
Dave Baldwin earned 500 total points
ID: 40480144
ASP and PHP sessions are normally identified by a cookie placed in the client browser.  If that cookie is not returned with each request, the server can not know what session data belongs to the client.
0
 
LVL 63

Expert Comment

by:btan
ID: 40480396
the same cookie session from client has to be returned so that the login persist. ASP.NET will issue a cookie called ASP.NET_SessionId. This cookie contains the user's session ID and the cookie will expire at the end of the session (when you close your browser). If the user logs in, a second cookie will be issued. This cookie is usually called .ASPXAUTH, and states that the user is logged in. This cookie sets ASP.NET apart from other web applications, because login-information is usually affiliated with the session ID. And clearing out that cookie, a new session with a new session ID will be created

http://erlend.oftedal.no/blog/?blogid=41

also the cookie maybe tagged as http only (no JS can read this cookie) and secure (cookie allow only via https) which the client is to adhere  (at least the browser will comply to that hdr option set). May want to check the trait of the cookie in browser using browser plugin to troubleshoot further. Hopefully it is not a expired cookie or server clear that session cookie unintentionally...
0
 

Author Comment

by:reindeerauto
ID: 40481024
I went ahead with the webclient that retains cookies and it's working well.  I'm still running into one issue.

So let's say the third party client is www.fake.com and I am www.iamme.com.  

The username and password are posted from fake.com to iamme.com/Login.aspx with webclient that retains cookies.  It works.  The session cookies are retained in the webclient object.  I need to then redirect them to www.iamme.com/Page.aspx (which checks for the authenitcation before allowing access).   I have Login.aspx Redirecting after the post but that's not working.   I tried Response.Write with the returned string from the webclient.UploadString method.  That is half working.  It's not really redirecting.  I need it to go to the www.iamme.com server with the webclient still maintaining the cookie.  Or have the webclient write the cookie to the browser then redirect.

using (var client = new CookieAwareWebClient())
            {
                client.Headers[HttpRequestHeader.ContentType] = "application/x-www-form-urlencoded";
                string HtmlResult = client.UploadString(URI, myParameters);

                Response.Clear();
                Response.Write(HtmlResult);
            }
0
Salesforce Made Easy to Use

On-screen guidance at the moment of need enables you & your employees to focus on the core, you can now boost your adoption rates swiftly and simply with one easy tool.

 
LVL 63

Expert Comment

by:btan
ID: 41714936
The author posted a new question and should be another new question. Original query is suggested to maintain secure cookie for session otherwise it is consider another new session and not necessarily secure like the redirect case..it is not about how to do redirect per se in thia Qns context.

The below is example code
http://www.c-sharpcorner.com/UploadFile/ca9151/securing-login-page-and-maintaining-single-session-per-user/
0
 
LVL 63

Expert Comment

by:btan
ID: 41714938
Consider
ID: 40480144
ID: 40480396
ID: 41714936
0
 
LVL 63

Expert Comment

by:btan
ID: 41716169
Thanks I noticed only ID: 40480144 is accepted. Just like to check if the below are applicable as well.
ID: 40480396
ID: 41714936
0

Featured Post

Active Directory Webinar

We all know we need to protect and secure our privileges, but where to start? Join Experts Exchange and ManageEngine on Tuesday, April 11, 2017 10:00 AM PDT to learn how to track and secure privileged users in Active Directory.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
International Data Corporation (IDC) prognosticates that before the current the year gets over disbursing on IT framework products to be sent in cloud environs will be $37.1B.
This video teaches users how to migrate an existing Wordpress website to a new domain.
Learn how to set-up custom confirmation messages to users who complete your Wufoo form. Include inputs from fields in your form, webpage redirects, and more with Wufoo’s confirmation options.

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question