Solved

Cross Site Login

Posted on 2014-12-03
Last Modified: 2016-07-17
This is what I am trying to pull off.  Before I keep wracking my brain on how to do it, I thought I'd ask the experts to see if it was even possible.

I have an application with a login page to authenticate users to use the application.  Authentication is determined by session.  If you have a valid username and password, a session is created and subsequent pages look for a valid session.

I want to have third parties be able to post a username and password over SSL connection to that login page and have them get validated (create a session).  Right now I have it posting the data to the login page using the WebClient class and UploadString method.  It posts fine.  It creates the session but when the post is complete, the session is removed.

What am I missing here?

I've looked into a "CookieAwareWebClient" but wanted our third parties to have to have as little code as possible on their end and only have to post the username and password to the login page.

Maybe this isn't the best way?
Question by:reindeerauto
 
LVL 82

Accepted Solution

by:
Dave Baldwin earned 500 total points
ID: 40480144
ASP and PHP sessions are normally identified by a cookie placed in the client browser.  If that cookie is not returned with each request, the server can not know what session data belongs to the client.
0
 
LVL 61

Expert Comment

by:btan
ID: 40480396
The same session cookie from the client has to be returned so that the login persists. ASP.NET will issue a cookie called ASP.NET_SessionId. This cookie contains the user's session ID and the cookie will expire at the end of the session (when you close your browser). If the user logs in, a second cookie will be issued. This cookie is usually called .ASPXAUTH, and states that the user is logged in. This cookie sets ASP.NET apart from other web applications, because login information is usually affiliated with the session ID. And by clearing out that cookie, a new session with a new session ID will be created.

http://erlend.oftedal.no/blog/?blogid=41

Also, the cookie may be tagged as HttpOnly (no JS can read this cookie) and Secure (cookie allowed only via HTTPS), which the client is to adhere to (at least the browser will comply with that header option set). You may want to check the traits of the cookie in the browser using a browser plugin to troubleshoot further. Hopefully it is not an expired cookie or the server clearing that session cookie unintentionally...
0
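The cookie behaviour described in the answers above, as an added example that is not part of the original thread: a minimal CookieAwareWebClient compared with a plain WebClient against a local stand-in for Login.aspx and Page.aspx, followed by a dump of the stored cookie's HttpOnly and Secure flags. The stand-in server, port 8089, the credentials and the cookie value are constructed for the illustration, and the program is written as a C# console application using top-level statements.

```csharp
using System;
using System.Net;
using System.Threading.Tasks;

const string Site = "http://localhost:8089/"; // constructed stand-in for the login site

using var listener = new HttpListener();
listener.Prefixes.Add(Site);
listener.Start();
Task server = Serve(listener, 4);             // two requests per client below
var aware = new CookieAwareWebClient();
Console.WriteLine("WebClient:            " + LoginThenFetch(new WebClient()));
Console.WriteLine("CookieAwareWebClient: " + LoginThenFetch(aware));
// Inspect what the login response stored, including the cookie flags.
foreach (Cookie c in aware.Cookies.GetCookies(new Uri(Site)))
    Console.WriteLine($"{c.Name} HttpOnly={c.HttpOnly} Secure={c.Secure}");
await server;

// Stand-in server: Login.aspx issues a session cookie, other pages require it.
async Task Serve(HttpListener http, int requests)
{
    for (int i = 0; i < requests; i++)
    {
        var ctx = await http.GetContextAsync();
        if (ctx.Request.Url.AbsolutePath == "/Login.aspx")
            ctx.Response.AppendHeader("Set-Cookie", "ASP.NET_SessionId=constructed123; path=/; HttpOnly");
        else if (ctx.Request.Cookies["ASP.NET_SessionId"] == null)
            ctx.Response.StatusCode = 401;    // cookie not returned, so no session
        ctx.Response.Close();
    }
}

// Post the credentials, then request a page that needs the session.
string LoginThenFetch(WebClient client)
{
    client.Headers[HttpRequestHeader.ContentType] = "application/x-www-form-urlencoded";
    client.UploadString(Site + "Login.aspx", "username=demo&password=demo");
    try { client.DownloadString(Site + "Page.aspx"); return "session kept"; }
    catch (WebException) { return "session lost (401)"; }
}

// WebClient subclass that stores cookies and sends them back on later requests.
class CookieAwareWebClient : WebClient
{
    public readonly CookieContainer Cookies = new CookieContainer();
    protected override WebRequest GetWebRequest(Uri address)
    {
        var request = base.GetWebRequest(address);
        if (request is HttpWebRequest http) http.CookieContainer = Cookies;
        return request;
    }
}
```

The cookies are held by the CookieContainer in the process that owns the client object, so they accompany only requests made through that object.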
 

Author Comment

by:reindeerauto
ID: 40481024
I went ahead with the webclient that retains cookies and it's working well.  I'm still running into one issue.

So let's say the third party client is www.fake.com and I am www.iamme.com.  

The username and password are posted from fake.com to iamme.com/Login.aspx with webclient that retains cookies.  It works.  The session cookies are retained in the webclient object.  I need to then redirect them to www.iamme.com/Page.aspx (which checks for the authentication before allowing access).   I have Login.aspx Redirecting after the post but that's not working.   I tried Response.Write with the returned string from the webclient.UploadString method.  That is half working.  It's not really redirecting.  I need it to go to the www.iamme.com server with the webclient still maintaining the cookie.  Or have the webclient write the cookie to the browser then redirect.

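// CookieAwareWebClient: a WebClient subclass that retains cookies (its definition is not shown in the post)
using (var client = new CookieAwareWebClient())
{
    client.Headers[HttpRequestHeader.ContentType] = "application/x-www-form-urlencoded";
    // POST the parameters to URI; the response body comes back as a string
    string HtmlResult = client.UploadString(URI, myParameters);

    // Write the returned HTML into this page's own response
    Response.Clear();
    Response.Write(HtmlResult);
}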
0
 
LVL 61

Expert Comment

by:btan
ID: 41714936
The author posted a new question, and it should be asked as another new question. For the original query, the suggestion is to maintain a secure cookie for the session; otherwise it is considered another new session and not necessarily secure, like the redirect case. It is not about how to do a redirect per se in this question's context.

The below is example code
http://www.c-sharpcorner.com/UploadFile/ca9151/securing-login-page-and-maintaining-single-session-per-user/
0
 
LVL 61

Expert Comment

by:btan
ID: 41714938
Consider
ID: 40480144
ID: 40480396
ID: 41714936
0
 
LVL 61

Expert Comment

by:btan
ID: 41716169
Thanks I noticed only ID: 40480144 is accepted. Just like to check if the below are applicable as well.
ID: 40480396
ID: 41714936
0
