forms authentication with loginurl on a remote machine


Hermit Dave

Hi,

I am making a web application (rather, two applications), one which is hosted
and used by customers when they are just browsing through products.
The second application resides on a secure server. This is going to hold all
account-related information for the customers and will also be used for
admin.

The login is implemented using forms authentication and I was just reading
up about that... but as everyone already knows... it's all scattered
everywhere...
Now,
<forms name="CUSTOM.ASPXAUTH"
loginUrl="http://mysecuresever/myapplication/login.aspx" />
It is mentioned in a couple of places that if it is a remote machine, and not
a local machine, they should have the same decryption key.

I did a search on decryptionKey and found:
This article describes how to create keys to use for encryption, decryption,
and validation of Forms authentication cookie data. You can use the keys
that you create in this article for the validationKey and the decryptionKey
attributes of the <machineKey> section in the <system.web> element in the
Machine.config and the Web.config files.

Now my question is: if I did create the machine key under <system.web>
and specified the keys... would I then be able to use the cookie set on
both the machines?

i.e. can I use it in my app1 to check whether the client is logged in, and can
I in app2 (on the secure server) use the same cookie for showing
customer-related information?

All this is so messed up... it would be great if someone could help me get a
half-decent step in the right direction.
 

Steven Cheng[MSFT]

Hi Hermit,


Thank you for using Microsoft Newsgroup Service. Based on your description,
you've built two ASP.NET web applications (they are part of one web
application logically). Since you use forms authentication and the
login page is on one server, you want the other web app (on another server)
to share the authentication cookie and common cookie info set by the login
web app. Is my understanding of your problem correct?

This problem belongs to the multi-hosting web application scenario, such as
a web farm. Generally, in an ASP.NET web application all the data set
and retrieved via Response.Cookies or Request.Cookies is encrypted using a
certain key; the key can be set in the "machineKey" element in the
web.config or machine.config file. In addition, the authentication cookie
for forms authentication is automatically checked and generated; if you want to
make it identical and shared between different ASP.NET web applications, it's
necessary to set the following features:

1. The cookie name: the ASP.NET runtime will retrieve the authentication
cookie via this name; it is set in the "forms" element in web.config as
below:
<forms loginUrl="login.aspx" name="formsauth1" timeout="60" path="/" >
<credentials passwordFormat="Clear">
<user name="username" password="password"/>
</credentials>
</forms>
2. Also, the "path" attribute is important, but you can keep the
default value "/" so that the authentication cookie
will be sent to each web app.

3. The machine key. We can also override this in web.config:
<machineKey validationKey="Your custom key" decryptionKey="Your custom key"
validation="SHA1" />
If multiple applications use identical, explicit values for the
<machineKey> element, an authentication cookie that is sent from one
application is decrypted by another application successfully.

For more information on the above features, you can refer to the tech articles
on MSDN:

Forms Authentication Requests Are Not Directed to loginUrl Page
http://support.microsoft.com/?id=313116

Create Keys by Using Visual C# .NET for Use in Forms Authentication
http://support.microsoft.com/?id=312906

Hosting Multiple Web Applications
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/thcmch20.asp

If you have any questions on it, please feel free to let me know.



Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
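As an added example (not part of the original thread and not Microsoft's sample), here is what the two web.config files look like once the three settings above are lined up. Hostnames, key values and the admin directory are placeholders taken from the thread, and ASP.NET 1.1 or later is assumed for requireSSL. One caveat the thread does not spell out: an identical machineKey only lets the second application decrypt and validate the ticket; it does not make the browser send the cookie to a different host. A cookie is only returned to the host (and path) that set it, so this layout works when both applications answer under one host name (two virtual directories, as in the local test described later in the thread) or share a parent domain and set the cookie's Domain accordingly. A cookie issued by secureserver.com will never reach www.myclientsdomain.com.

```xml
<!-- Shared section of web.config for both applications.
     Everything here is identical on every server that must read the ticket;
     only loginUrl differs (relative in the login app, absolute in the other). -->
<configuration>
  <system.web>

    <!-- Explicit keys: AutoGenerate (the default) gives each machine its own
         key, so the second server could never validate the ticket.
         Placeholders only: generate two independent random values
         (validationKey 40..128 hex chars, decryptionKey 48 hex chars for 3DES
         on ASP.NET 1.1; on .NET 4.x prefer decryption="AES" and
         validation="HMACSHA256"). Treat them like any other secret. -->
    <machineKey validationKey="REPLACE_WITH_128_HEX_CHARS"
                decryptionKey="REPLACE_WITH_48_HEX_CHARS"
                validation="SHA1" />

    <authentication mode="Forms">
      <!-- name and path must match in both apps, otherwise the runtime looks
           for a cookie the other app never sent. protection="All" (the
           default) both encrypts and MACs the ticket; never lower it to "None".
           requireSSL stops the browser sending the ticket over plain HTTP, so
           the protected area of the first app must be served over HTTPS too. -->
      <forms name="CUSTOM.ASPXAUTH"
             loginUrl="https://secureserver.com/myclientsdomain/Login.aspx"
             protection="All"
             timeout="60"
             path="/"
             requireSSL="true" />
    </authentication>

    <!-- No <credentials> block: the thread keeps accounts and hashed
         passwords in a database, so nothing sensitive lives in the config. -->
  </system.web>

  <!-- First application only: deny everyone who is not in the Administrators
       role. Roles are attached from the ticket's userData in Global.asax. -->
  <location path="admindir">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The two attributes worth checking on a deployed pair of servers are that both machineKey values are really identical (a trailing space or a re-generated key on one box silently logs everyone out of that box) and that requireSSL is set on both, since a ticket that is ever sent over plain HTTP is as good as the password it replaced.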
 

Hermit Dave

Steven,

Thanks for writing in. Gotta read up a bit because I have a 70-315 tomorrow,
but I will give it a try some time in the coming days.

One thing though: is it necessary for the config file to have user info, and
does the passwordFormat have to be cleartext?
I will look up the articles, and thanks a lot,

HD
 

Steven Cheng[MSFT]

Hi Hermit,

Thanks for your response. As for forms authentication, it provides some
built-in authorization such as
allow="*"
deny="?" or explicitly specifying some user names. However, I always think you
can create a custom database for storing user
account info and do the user checking and authorization manually.
And as for the format in which the password is sent: normally authentication modes
such as "Basic authentication" and "forms authentication", which need the client to
provide user credentials (passwords), all send the credentials in clear
text (encoded by base64). So if you use such an authentication mode, it is
recommended that you use some security protection on the data transferred
between the client and server, for example "SSL".

In addition, I've reviewed the MSDN on forms authentication and found some
articles mainly aimed at "FormsAuthentication"; here is one which confirms
the problem we discussed in the former messages:

#Forms Authentication Across Applications
http://msdn.microsoft.com/library/en-us/cpguide/html/cpconformsauthenticationacrossapplications.asp?frame=true

#the main topic on FormsAuthentication
http://msdn.microsoft.com/library/en-us/cpguide/html/cpconthecookieauthenticationprovider.asp?frame=true

Please check out the above suggestions to see whether they are helpful. If
you have any questions, feel free to let me know.


Steven Cheng
Microsoft Online Support

 

Steven Cheng[MSFT]

Hi Hermit,


Have you had a chance to try my suggestion, or have you resolved the
problem? If you need any help, please feel free to let me know.


Steven Cheng
Microsoft Online Support

 

Hermit Dave

Steven,

I had already set the machine key value for one of the apps... all I had to
do was use the same machine key and authentication across.
All I did was just copy the web.config file over to the other place...

Yes, I am already using authentication and role info stored in the DB, and am
hashing the password before storage during registration.

And it did work just fine on my local dev machine with two different apps.

The only difference in the web.config files is that the loginUrl for one of the
apps specifies the absolute URL of the second app's authentication module.
And the authentication ticket is being shared across the apps...


I still haven't uploaded them to the web servers... am making some changes in
registration and would like to test it out before I put it up...

Thanks a lot... I haven't had a chance to read those articles just yet but
will do...
Till next time...
 

Hermit Dave

Steven,

Just a quick query... in the two apps I have... it works fine on my local
machine... but I was talking to someone who was implementing a very similar
method... and it was then that I noticed... that the returnURL value...
when it was forwarded to the secure application, contained
"/virtualdir/virtualdir2/index.aspx".
This would mean that in a scenario like mine, where the second app is on a
different server, I would have to set a manual redirection to the first
application... (because returnURL is not a fully qualified URL...)

However, I did notice... that with passport authentication (I know it's a totally
different mechanism) the returnURL is indeed fully qualified...

I was also reading some posts earlier where someone mentioned that the behavior
was indeed very similar till beta 1 but was later on changed to not have the full
URL.
I would appreciate your comments on this...

--
Regards,

HD

PS: still haven't tried it on my live servers (messed up the permissions on the
DB and am waiting for it to be restored...)
 

Steven Cheng[MSFT]

Hi Hermit,


Thanks for your response. As for the problem you described in the reply:
the "ReturnUrl" will be cut to a relative path to the "localhost". I've
reviewed some materials on the ASP.NET FormsAuthentication and haven't found
any docs that explicitly mention this. However, I think that since in the
"web farm" (multi-server) situation for FormsAuthentication we've specified
the identical machineKey in the config files, we can manually create the
auth ticket/cookie and redirect to whatever page (URL) we want (that is,
basically, replacing the RedirectFromLoginPage call). Here is a sample that
shows generating a custom authentication ticket/cookie and redirecting to a
path.

http://msdn.microsoft.com/library/en-us/cpref/html/frlrfsystemwebsecurityformsauthenticationclassgetredirecturltopic.asp?frame=true

Hope it helps.


Regards,

Steven Cheng
Microsoft Online Support

 

Hermit Dave

Steven,

I am already creating the authentication ticket...

Look, everything works fine... the only thing is that the returnURL param
passed to the second app's login contains a relative URL, not a full URL.

My app looks like this:

http://www.myclientsdomain.com
This has a directory which I have set to allow only the Administrators role...
http://www.myclientsdomain.com/admindir

The authentication and role information is set on another domain,
https://secureserver.com/myclientsdomain
on a page called Login.aspx.

Now when someone tries to access http://www.myclientsdomain.com/admindir
they are redirected to
http://secureserver.com/myclientsdomain/login.aspx?returnURL=/admindir/index.aspx

This page authenticates the user, and since the returnURL is not valid I
would have to manually redirect to
http://www.myclientsdomain.com/admindir/index.aspx

When using Passport I have seen returnURL having the full URL, not a relative
URL; i.e. with Passport authentication it would be
https://passport.com/whateverpage?returnURL=http://www.myclientsdomain.com/admindir/index.asp

Though all of the return params would be URL encoded... but you see what I
mean, right?

Thanks,
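Steven's previous reply proposes building the ticket and the redirect by hand, and the post above shows why: the ReturnUrl the first application sends is a bare path ("/admindir/index.aspx"), so the login page on the other host has to decide where to send the user. The code below is an added example, written for this page and not taken from either poster or from Microsoft's sample, of that login page plus the Global.asax hook that turns the ticket's roles into a principal. Hostnames and the role name are placeholders from the thread; SharedLogin, SafeReturnUrl, IssueTicketAndRedirect and AttachRoles are hypothetical names. The part a practitioner should not skip: once the login page accepts a full URL in ReturnUrl, as Passport does, that parameter is attacker-controlled and the login page becomes an open redirector unless the target host is checked against the short list of applications that share the machineKey.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example: login-page helpers on the authentication server plus the
// Global.asax hook used by both applications. All names are hypothetical.
public class SharedLogin
{
    // Origin of the first application, used when ReturnUrl is a bare path.
    // Placeholder host from the thread.
    const string FirstAppOrigin = "http://www.myclientsdomain.com";

    // Only applications that share this machineKey may receive the
    // post-login redirect; any other host would be an open redirect.
    static readonly string[] AllowedHosts =
        { "www.myclientsdomain.com", "secureserver.com" };

    // Turn the ReturnUrl query parameter into a URL it is safe to redirect to.
    public static string SafeReturnUrl(string returnUrl)
    {
        string fallback = FirstAppOrigin + "/";
        if (returnUrl == null || returnUrl.Length == 0)
            return fallback;

        Uri target;
        try
        {
            // A path starting with exactly one "/" is what the first app sends
            // ("/admindir/index.aspx"). "//host" and "/\host" are protocol-relative
            // URLs that a browser resolves to another site, so refuse them.
            if (returnUrl.StartsWith("/") && !returnUrl.StartsWith("//") && !returnUrl.StartsWith("/\\"))
                target = new Uri(FirstAppOrigin + returnUrl);
            else
                target = new Uri(returnUrl);   // absolute URL, Passport style
        }
        catch (UriFormatException)
        {
            return fallback;
        }

        // Scheme check rejects javascript:, data:, file: and friends.
        if (target.Scheme != Uri.UriSchemeHttp && target.Scheme != Uri.UriSchemeHttps)
            return fallback;

        // Compare the parsed host, so "http://www.myclientsdomain.com@evil.example/"
        // is rejected: its host is evil.example, the prefix is only user-info.
        foreach (string host in AllowedHosts)
            if (String.Compare(target.Host, host, true) == 0)
                return target.AbsoluteUri;

        return fallback;
    }

    // Called by Login.aspx after the password hash in the database matched.
    // Replaces RedirectFromLoginPage so the redirect target stays under our control.
    public static void IssueTicketAndRedirect(HttpContext ctx, string userName, string[] roles)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                          // ticket version
            userName,
            DateTime.Now,
            DateTime.Now.AddMinutes(60),
            false,                      // not persistent: a session cookie
            String.Join(",", roles),    // userData travels inside the encrypted ticket
            "/");                       // must match <forms path="/">

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.Path = "/";
        cookie.Secure = ctx.Request.IsSecureConnection; // never let the ticket travel over plain HTTP
        ctx.Response.Cookies.Add(cookie);

        ctx.Response.Redirect(SafeReturnUrl(ctx.Request.QueryString["ReturnUrl"]), true);
    }

    // Global.asax, Application_AuthenticateRequest, in both applications:
    //     SharedLogin.AttachRoles(HttpContext.Current);
    // The runtime has already validated and decrypted the ticket with the shared
    // machineKey; this only turns userData back into roles for <allow roles="...">.
    public static void AttachRoles(HttpContext ctx)
    {
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return;
        FormsIdentity id = ctx.User.Identity as FormsIdentity;
        if (id == null)
            return;
        string[] roles = id.Ticket.UserData.Split(',');
        ctx.User = new GenericPrincipal(id, roles);
    }
}
```

Login.aspx calls IssueTicketAndRedirect after its own database check, and both applications call AttachRoles from Application_AuthenticateRequest. The host allow-list and the Secure flag are the two checks that keep a login page from being used as a redirector and a shared ticket from being replayed from a sniffed HTTP request. Note that the redirect goes to the first application, but the cookie is still set on the login host only; with the two different domains in this thread the browser will not present it to www.myclientsdomain.com, which is why the two-virtual-directory layout worked on one machine and the two-server layout needs a shared host or parent domain.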
 

Hermit Dave

Steven,

Just to let you know... I think I am going to drop the idea of a second server...
having some issues with the host... so will try it some other day now...

Thanks for all the help...
 