Single Sign on for web apps on same box

[Cowboy \(Gregory A. Beamer\)]

Quite a few months back, I was able to create a single sign on app for all
apps on a single box (perhaps a domain, but never tested) by setting the
auth cookie name to an identical value:

<authentication mode="Forms">
<forms name="SingleSignOn" loginUrl="login.aspx">
</authentication>

I could then surf from app to app on the same box and the cookie, named the
same, would allow me to bypass the logon form. I currently have an app in
Framework 1.1, and I get the following:

Default cookie - log into each app, each time, when I bounce from app to app
Cookies with same name - same behavior
Cookies with diff name - log in once to each app, can then surf back and
forth

The actual test code is as follows:

web.config
-----------
<authentication mode="Forms">
<forms name="test1" loginUrl="login.aspx" timeout="30"
slidingExpiration="true" path="/">
<credentials passwordFormat="Clear">
<user name="Joe" password="password" />
</credentials>
</forms>
</authentication>

<authorization>
<allow users="Joe" /> <!-- Allow all users -->
<deny users="?"></deny>
</authorization>

Login.aspx
-----------
private void LoginButton_Click(object sender, System.EventArgs e)
{
if(FormsAuthentication.Authenticate(NameText.Text,PasswordText.Text))
{
Session["ID"] = Session.SessionID;
FormsAuthentication.RedirectFromLoginPage("Joe", false);
}
else
{
BadPasswordLabel.Text = "This is not a valid login.";
}
}

My thought is either

a) The methodology changed in Framework 1.1
b) I am missing something I had working before

At present, this is not a major issue, but it is something that is bugging
me.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

**********************************************************************
Think Outside the Box!
**********************************************************************

 

[Cowboy \(Gregory A. Beamer\)]

If you ever have a problem, post here and your brain will figure it out.

Here is the single sign on using Forms Authentication:

1. Set up the authentication section:

<authentication mode="Forms">
<forms name="test1" loginUrl="login.aspx" timeout="30"
slidingExpiration="true" path="/">
<credentials passwordFormat="Clear">
<user name="Joe" password="password" />
</credentials>
</forms>
</authentication>

In this case, the password is embedded, but it will actually pull from a
database outside of test.

2. Set up a machine key (this is the missing link in my app):

<machineKey
validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E34
00267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE"
decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F"
validation="3DES"
/>

I nabbed this from a site on the web, but it could have just as easily have
been created. The problem is each application creates its own key, if one is
not specified. In my case, as I bounced from app to app, each app rewrote
the cookie, using its own key. Thus, each new hit on the app, after a hit on
another app, caused re-authentication, as it was reading garbage (wrong
key).

3. Set up app authorization to force logon:

<authorization>
<allow users="Joe" />
<deny users="?">
</authorization>

4. Repeat for additional applications.

Now, I can bounce back and forth without problem.


--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

**********************************************************************
Think Outside the Box!
**********************************************************************

Quite a few months back, I was able to create a single sign on app for all
apps on a single box (perhaps a domain, but never tested) by setting the
auth cookie name to an identical value:

<authentication mode="Forms">
<forms name="SingleSignOn" loginUrl="login.aspx">
</authentication>

I could then surf from app to app on the same box and the cookie, named the
same, would allow me to bypass the logon form. I currently have an app in
Framework 1.1, and I get the following:

Default cookie - log into each app, each time, when I bounce from app to app
Cookies with same name - same behavior
Cookies with diff name - log in once to each app, can then surf back and
forth

The actual test code is as follows:

web.config
-----------
<authentication mode="Forms">
<forms name="test1" loginUrl="login.aspx" timeout="30"
slidingExpiration="true" path="/">
<credentials passwordFormat="Clear">
<user name="Joe" password="password" />
</credentials>
</forms>
</authentication>

<authorization>
<allow users="Joe" /> <!-- Allow all users -->
<deny users="?"></deny>
</authorization>

Login.aspx
-----------
private void LoginButton_Click(object sender, System.EventArgs e)
{
if(FormsAuthentication.Authenticate(NameText.Text,PasswordText.Text))
{
Session["ID"] = Session.SessionID;
FormsAuthentication.RedirectFromLoginPage("Joe", false);
}
else
{
BadPasswordLabel.Text = "This is not a valid login.";
}
}

My thought is either

a) The methodology changed in Framework 1.1
b) I am missing something I had working before

At present, this is not a major issue, but it is something that is bugging
me.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

**********************************************************************
Think Outside the Box!
**********************************************************************