Solved

Cross Site Login

Posted on 2014-12-03
8
56 Views
Last Modified: 2016-07-17
This is what I am trying to pull off.  Before I keep wracking my brain on how to do it, I thought I'd ask the experts to see if it was even possible.

I have an application with a login page to authenticate users to use the application.  Authentication is determined by session.  If you have a valid username and password, a session is created and subsequent pages look for a valid session.

I want to have third parties be able to post a username and password over SSL connection to that login page and have them get validated (create a session).  Right now I have it posting the data to the login page using the WebClient class and UploadString method.  It posts fine.  It creates the session but when the post is complete, the session is removed.

What am I missing here?

I've looked into a "CookieAwareWebClient" but wanted out third parties to have to have as little code as possible on their end and only have to post the username and password to the login page.  

Maybe this isn't the best way?
0
Comment
Question by:reindeerauto
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
8 Comments
 
LVL 83

Accepted Solution

by:
Dave Baldwin earned 500 total points
ID: 40480144
ASP and PHP sessions are normally identified by a cookie placed in the client browser.  If that cookie is not returned with each request, the server can not know what session data belongs to the client.
0
 
LVL 63

Expert Comment

by:btan
ID: 40480396
the same cookie session from client has to be returned so that the login persist. ASP.NET will issue a cookie called ASP.NET_SessionId. This cookie contains the user's session ID and the cookie will expire at the end of the session (when you close your browser). If the user logs in, a second cookie will be issued. This cookie is usually called .ASPXAUTH, and states that the user is logged in. This cookie sets ASP.NET apart from other web applications, because login-information is usually affiliated with the session ID. And clearing out that cookie, a new session with a new session ID will be created

http://erlend.oftedal.no/blog/?blogid=41

also the cookie maybe tagged as http only (no JS can read this cookie) and secure (cookie allow only via https) which the client is to adhere  (at least the browser will comply to that hdr option set). May want to check the trait of the cookie in browser using browser plugin to troubleshoot further. Hopefully it is not a expired cookie or server clear that session cookie unintentionally...
0
 

Author Comment

by:reindeerauto
ID: 40481024
I went ahead with the webclient that retains cookies and it's working well.  I'm still running into one issue.

So let's say the third party client is www.fake.com and I am www.iamme.com.  

The username and password are posted from fake.com to iamme.com/Login.aspx with webclient that retains cookies.  It works.  The session cookies are retained in the webclient object.  I need to then redirect them to www.iamme.com/Page.aspx (which checks for the authenitcation before allowing access).   I have Login.aspx Redirecting after the post but that's not working.   I tried Response.Write with the returned string from the webclient.UploadString method.  That is half working.  It's not really redirecting.  I need it to go to the www.iamme.com server with the webclient still maintaining the cookie.  Or have the webclient write the cookie to the browser then redirect.

using (var client = new CookieAwareWebClient())
            {
                client.Headers[HttpRequestHeader.ContentType] = "application/x-www-form-urlencoded";
                string HtmlResult = client.UploadString(URI, myParameters);

                Response.Clear();
                Response.Write(HtmlResult);
            }
0
How Do You Stack Up Against Your Peers?

With today’s modern enterprise so dependent on digital infrastructures, the impact of major incidents has increased dramatically. Grab the report now to gain insight into how your organization ranks against your peers and learn best-in-class strategies to resolve incidents.

 
LVL 63

Expert Comment

by:btan
ID: 41714936
The author posted a new question and should be another new question. Original query is suggested to maintain secure cookie for session otherwise it is consider another new session and not necessarily secure like the redirect case..it is not about how to do redirect per se in thia Qns context.

The below is example code
http://www.c-sharpcorner.com/UploadFile/ca9151/securing-login-page-and-maintaining-single-session-per-user/
0
 
LVL 63

Expert Comment

by:btan
ID: 41714938
Consider
ID: 40480144
ID: 40480396
ID: 41714936
0
 
LVL 63

Expert Comment

by:btan
ID: 41716169
Thanks I noticed only ID: 40480144 is accepted. Just like to check if the below are applicable as well.
ID: 40480396
ID: 41714936
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When the confidentiality and security of your data is a must, trust the highly encrypted cloud fax portfolio used by 12 million businesses worldwide, including nearly half of the Fortune 500.
Worried about if Apple can protect your documents, photos, and everything else that gets stored in iCloud? Read on to find out what Apple really uses to make things secure.
This video teaches users how to migrate an existing Wordpress website to a new domain.
This is Part 3 in a 3-part series on Experts Exchange to discuss error handling in VBA code written for Excel. Part 1 of this series discussed basic error handling code using VBA. http://www.experts-exchange.com/videos/1478/Excel-Error-Handlin…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question