Asp.net forms authentication and multiple domains

#1
I have two domains, domain1.com and domain2.com, pointing at the same ASP.NET website, which uses ASP.NET's built-in forms authentication. The problem is that even if the domains point to the same website, the user only gets authenticated for one domain at a time. So if he uses

[To see links please register here]

first and then visits

[To see links please register here]

it's the same website in the back but he only is authenticated for

[To see links please register here]

. The same thing happens if he uses www and not www when visiting the sites.

This is what I use to login:

    FormsAuthentication.RedirectFromLoginPage(username, cookie.Checked);

To check login:

    User.Identity.IsAuthenticated

How can I make the user get authenticated for all domains that point to the same website?

#2
You should read [Explained: Forms Authentication][1] on MSDN. They cover Cross-Domain Authentication.


[1]:

[To see links please register here]


#3
You could try setting [`cookieless="true"`][1].


[1]:

[To see links please register here]


#4
What you're after is a Single Sign-on solution.

As ASP.NET authentication is at its heart generally cookie based, there are two things to look at:

1. Set your cookies correctly.
2. Bounce your users to the alternative domain during signup.

Looking at both of these in more depth:

**1. Setting cookies correctly**

You need to ensure that ASP.NET is writing the authentication ticket cookies to the root domain, rather than the explicit domain. This is done using the `domain` attribute of the forms element:

    <forms
        name="name"
        loginUrl="URL"
        defaultUrl="URL"
        domain=".example.com">
    </forms>

You should set your domain to ".example.com" - note the leading period - this is the key. This way requests to example.com and

[To see links please register here]

will both read the cookie correctly, and authenticate the user.

**2. Bounce users to the alternative domain**

What we have implemented on a few sites that use a single sign on is a round trip login process. The user authenticates on the first domain, we encrypt the login details, and redirect them to a known page on the second domain, log them in there, and then redirect back to the original server.

This client side redirection is important - cookies are only written when there is a response back to the client, and the browser has to visit the second domain to actually see the cookies.

Other details to consider in this sort of set-up:

1. You probably want to have a timeout on the encrypted sign-in details - so that recalling that URL from the browser history doesn't automatically log the user in.
2. If the domains are on different servers, you will need to ensure that either the machine keys are configured the same, so that you can encrypt and decrypt the details correctly, or use some other shared key.
3. You will probably want to have a mechanism in place to recall the user's ReturnUrl from the original server so that you can send them back to the correct place.

You could also take a look at ["Forms Authentication Across Applications"][1]


[1]:

[To see links please register here]
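
The round-trip sign-in from point 2 of post #4, together with its three listed details (timeout, shared key, ReturnUrl), as an added C# example that is not code from this thread or its posters. It signs the hand-off with HMAC-SHA256 instead of encrypting it and carries only the user name; `SsoHandoff`, `Issue`, `TryRedeem` and the 60-second lifetime are assumptions, and `key` stands for a secret both sites load from protected configuration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;
// Added example; SsoHandoff, Issue and TryRedeem are hypothetical names.
public static class SsoHandoff
{
    static readonly TimeSpan Lifetime = TimeSpan.FromSeconds(60); // assumed timeout
    // Redeemed nonces. Assumption: one process; a web farm needs a shared, pruned store.
    static readonly ConcurrentDictionary<string, long> Used = new ConcurrentDictionary<string, long>();
    static string B64(byte[] b) => Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    static string Text(string s) => Encoding.UTF8.GetString(Convert.FromBase64String(
        s.Replace('-', '+').Replace('_', '/').PadRight((s.Length + 3) / 4 * 4, '=')));
    static bool IsLocal(string u) => u.Length > 0 && u[0] == '/' && (u.Length == 1 || (u[1] != '/' && u[1] != '\\'));
    static string Sign(byte[] key, string payload)
    {
        using (var h = new HMACSHA256(key)) return B64(h.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }
    static bool SameText(string a, string b) // compares every character, no early exit
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    // First domain, after a successful login: the value to put in the redirect URL.
    public static string Issue(byte[] key, string user, string returnUrl, DateTimeOffset now)
    {
        var nonce = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(nonce);
        string payload = string.Join("|", B64(Encoding.UTF8.GetBytes(user)),
            B64(Encoding.UTF8.GetBytes(returnUrl)), now.Add(Lifetime).ToUnixTimeSeconds(), B64(nonce));
        return payload + "." + Sign(key, payload);
    }

    // Second domain's landing page: on true, call FormsAuthentication.SetAuthCookie(user, false).
    public static bool TryRedeem(byte[] key, string token, DateTimeOffset now, out string user, out string returnUrl)
    {
        user = returnUrl = null;
        int dot = (token ?? "").LastIndexOf('.');
        if (dot < 0 || !SameText(Sign(key, token.Substring(0, dot)), token.Substring(dot + 1))) return false;
        string[] p = token.Substring(0, dot).Split('|');  // signature verified, so safe to parse
        long exp = long.Parse(p[2]);
        if (now.ToUnixTimeSeconds() > exp || !Used.TryAdd(p[3], exp)) return false; // expired or replayed
        string url = Text(p[1]);
        returnUrl = IsLocal(url) ? url : "/";  // local paths only, so the token cannot redirect off-site
        user = Text(p[0]);
        return true;
    }
}
```

Pass `DateTimeOffset.UtcNow` as `now` on both sides; the single-use nonce is what stops a URL recalled from browser history from signing the user in again inside the lifetime window.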
