Solved

Cross Site Login

Posted on 2014-12-03
8
62 Views
Last Modified: 2016-07-17
This is what I am trying to pull off.  Before I keep wracking my brain on how to do it, I thought I'd ask the experts to see if it was even possible.

I have an application with a login page to authenticate users to use the application.  Authentication is determined by session.  If you have a valid username and password, a session is created and subsequent pages look for a valid session.

I want to have third parties be able to post a username and password over SSL connection to that login page and have them get validated (create a session).  Right now I have it posting the data to the login page using the WebClient class and UploadString method.  It posts fine.  It creates the session but when the post is complete, the session is removed.

What am I missing here?

I've looked into a "CookieAwareWebClient" but wanted out third parties to have to have as little code as possible on their end and only have to post the username and password to the login page.  

Maybe this isn't the best way?
0
Comment
Question by:reindeerauto
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
8 Comments
 
LVL 83

Accepted Solution

by:
Dave Baldwin earned 500 total points
ID: 40480144
ASP and PHP sessions are normally identified by a cookie placed in the client browser.  If that cookie is not returned with each request, the server can not know what session data belongs to the client.
0
 
LVL 64

Expert Comment

by:btan
ID: 40480396
the same cookie session from client has to be returned so that the login persist. ASP.NET will issue a cookie called ASP.NET_SessionId. This cookie contains the user's session ID and the cookie will expire at the end of the session (when you close your browser). If the user logs in, a second cookie will be issued. This cookie is usually called .ASPXAUTH, and states that the user is logged in. This cookie sets ASP.NET apart from other web applications, because login-information is usually affiliated with the session ID. And clearing out that cookie, a new session with a new session ID will be created

http://erlend.oftedal.no/blog/?blogid=41

also the cookie maybe tagged as http only (no JS can read this cookie) and secure (cookie allow only via https) which the client is to adhere  (at least the browser will comply to that hdr option set). May want to check the trait of the cookie in browser using browser plugin to troubleshoot further. Hopefully it is not a expired cookie or server clear that session cookie unintentionally...
0
 

Author Comment

by:reindeerauto
ID: 40481024
I went ahead with the webclient that retains cookies and it's working well.  I'm still running into one issue.

So let's say the third party client is www.fake.com and I am www.iamme.com.  

The username and password are posted from fake.com to iamme.com/Login.aspx with webclient that retains cookies.  It works.  The session cookies are retained in the webclient object.  I need to then redirect them to www.iamme.com/Page.aspx (which checks for the authenitcation before allowing access).   I have Login.aspx Redirecting after the post but that's not working.   I tried Response.Write with the returned string from the webclient.UploadString method.  That is half working.  It's not really redirecting.  I need it to go to the www.iamme.com server with the webclient still maintaining the cookie.  Or have the webclient write the cookie to the browser then redirect.

using (var client = new CookieAwareWebClient())
            {
                client.Headers[HttpRequestHeader.ContentType] = "application/x-www-form-urlencoded";
                string HtmlResult = client.UploadString(URI, myParameters);

                Response.Clear();
                Response.Write(HtmlResult);
            }
0
Revamp Your Training Process

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action.

 
LVL 64

Expert Comment

by:btan
ID: 41714936
The author posted a new question and should be another new question. Original query is suggested to maintain secure cookie for session otherwise it is consider another new session and not necessarily secure like the redirect case..it is not about how to do redirect per se in thia Qns context.

The below is example code
http://www.c-sharpcorner.com/UploadFile/ca9151/securing-login-page-and-maintaining-single-session-per-user/
0
 
LVL 64

Expert Comment

by:btan
ID: 41714938
Consider
ID: 40480144
ID: 40480396
ID: 41714936
0
 
LVL 64

Expert Comment

by:btan
ID: 41716169
Thanks I noticed only ID: 40480144 is accepted. Just like to check if the below are applicable as well.
ID: 40480396
ID: 41714936
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
There are many Password Managers (PM) out there to choose from. PM's can help with your password habits and routines, but they should not be a crutch you rely on too heavily. I also have an article for company/enterprise PM's.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question