Solved

Cross Site Login

Posted on 2014-12-03
8
46 Views
Last Modified: 2016-07-17
This is what I am trying to pull off.  Before I keep wracking my brain on how to do it, I thought I'd ask the experts to see if it was even possible.

I have an application with a login page to authenticate users to use the application.  Authentication is determined by session.  If you have a valid username and password, a session is created and subsequent pages look for a valid session.

I want to have third parties be able to post a username and password over SSL connection to that login page and have them get validated (create a session).  Right now I have it posting the data to the login page using the WebClient class and UploadString method.  It posts fine.  It creates the session but when the post is complete, the session is removed.

What am I missing here?

I've looked into a "CookieAwareWebClient" but wanted out third parties to have to have as little code as possible on their end and only have to post the username and password to the login page.  

Maybe this isn't the best way?
0
Comment
Question by:reindeerauto
  • 4
8 Comments
 
LVL 83

Accepted Solution

by:
Dave Baldwin earned 500 total points
ID: 40480144
ASP and PHP sessions are normally identified by a cookie placed in the client browser.  If that cookie is not returned with each request, the server can not know what session data belongs to the client.
0
 
LVL 62

Expert Comment

by:btan
ID: 40480396
the same cookie session from client has to be returned so that the login persist. ASP.NET will issue a cookie called ASP.NET_SessionId. This cookie contains the user's session ID and the cookie will expire at the end of the session (when you close your browser). If the user logs in, a second cookie will be issued. This cookie is usually called .ASPXAUTH, and states that the user is logged in. This cookie sets ASP.NET apart from other web applications, because login-information is usually affiliated with the session ID. And clearing out that cookie, a new session with a new session ID will be created

http://erlend.oftedal.no/blog/?blogid=41

also the cookie maybe tagged as http only (no JS can read this cookie) and secure (cookie allow only via https) which the client is to adhere  (at least the browser will comply to that hdr option set). May want to check the trait of the cookie in browser using browser plugin to troubleshoot further. Hopefully it is not a expired cookie or server clear that session cookie unintentionally...
0
 

Author Comment

by:reindeerauto
ID: 40481024
I went ahead with the webclient that retains cookies and it's working well.  I'm still running into one issue.

So let's say the third party client is www.fake.com and I am www.iamme.com.  

The username and password are posted from fake.com to iamme.com/Login.aspx with webclient that retains cookies.  It works.  The session cookies are retained in the webclient object.  I need to then redirect them to www.iamme.com/Page.aspx (which checks for the authenitcation before allowing access).   I have Login.aspx Redirecting after the post but that's not working.   I tried Response.Write with the returned string from the webclient.UploadString method.  That is half working.  It's not really redirecting.  I need it to go to the www.iamme.com server with the webclient still maintaining the cookie.  Or have the webclient write the cookie to the browser then redirect.

using (var client = new CookieAwareWebClient())
            {
                client.Headers[HttpRequestHeader.ContentType] = "application/x-www-form-urlencoded";
                string HtmlResult = client.UploadString(URI, myParameters);

                Response.Clear();
                Response.Write(HtmlResult);
            }
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 62

Expert Comment

by:btan
ID: 41714936
The author posted a new question and should be another new question. Original query is suggested to maintain secure cookie for session otherwise it is consider another new session and not necessarily secure like the redirect case..it is not about how to do redirect per se in thia Qns context.

The below is example code
http://www.c-sharpcorner.com/UploadFile/ca9151/securing-login-page-and-maintaining-single-session-per-user/
0
 
LVL 62

Expert Comment

by:btan
ID: 41714938
Consider
ID: 40480144
ID: 40480396
ID: 41714936
0
 
LVL 62

Expert Comment

by:btan
ID: 41716169
Thanks I noticed only ID: 40480144 is accepted. Just like to check if the below are applicable as well.
ID: 40480396
ID: 41714936
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Healthcare providers, insurance companies and other covered entities trust eFax Corporate to transmit their most sensitive documents. eFax Corporate can help your organization implement a HIPAA compliant cloud faxing solution.
Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now