Security across several apps

[jib]

Hi,

For some of you this must be elementary, sorry for being boring. I have
several ASP.NET apps that I want to secure. The way I am going about it, is
by having all apps set for Forms authentication. The login.aspx I have new
users redirect to is part of a Admin module (yet another ASP.NET app) that
handles all the trickery of verifying user names etc.

Seems so simple but it doesn't work. When users attempt to view any of the
applications' pages without being logged in (say app.aspx), they are indeed
redirected from app.aspx to the login.aspx page. However, after the
RedirectFromLogin() call in login.aspx, app.aspx does not see that the user
is authenticated and simply redirects to login.aspx again. Somehow I need to
feed the authorization through to app.aspx but have no idea how to do this.

Ideas anyone?

Jib

[Chris Jackson]

ASP.NET handles forms authentication through session variables. Each
application has its own session store, so your users are logged in to the
other application, but then are returned to the original application where
they do not have an entry in that application's session store. You need to
get the session state set within that specific application.

--
Chris Jackson
Software Engineer
Microsoft MVP - Windows Client
Windows XP Associate Expert
--
More people read the newsgroups than read my email.
Reply to the newsgroup for a faster response.
(Control-G using Outlook Express)
--

"jib" <jib_0@hotmail.com> wrote in message
news:%23tojYWQ%23DHA.452@TK2MSFTNGP11.phx.gbl...

> Hi,
>
> For some of you this must be elementary, sorry for being boring. I have
> several ASP.NET apps that I want to secure. The way I am going about it,
> is
> by having all apps set for Forms authentication. The login.aspx I have new
> users redirect to is part of a Admin module (yet another ASP.NET app) that
> handles all the trickery of verifying user names etc.
>
> Seems so simple but it doesn't work. When users attempt to view any of the
> applications' pages without being logged in (say app.aspx), they are
> indeed
> redirected from app.aspx to the login.aspx page. However, after the
> RedirectFromLogin() call in login.aspx, app.aspx does not see that the
> user
> is authenticated and simply redirects to login.aspx again. Somehow I need
> to
> feed the authorization through to app.aspx but have no idea how to do
> this.
>
> Ideas anyone?
>
> Jib
>
>

[jib]

"Chris Jackson" <chrisjATmvpsDOTorgNOSPAM> wrote in message

> ASP.NET handles forms authentication through session variables. Each
> application has its own session store, so your users are logged in to the
> other application, but then are returned to the original application where
> they do not have an entry in that application's session store. You need to
> get the session state set within that specific application.
>

Thanks Chris, any code examples how I would obtain that session state?

Jib

[Chris Jackson]

The problem is that you have a separate AppDomain for each web application
that you create, and an assembly in one AppDomain can't gain access to
memory in another AppDomain without doing some tricks with remoting. Your
options are:

1. Create a single root application, with all other applications as child
applications
2. You persist your session information to a database, and then read it in
during authentication, redirecting to the login page if you don't find it
and logging in if you do
3. Repeating your authentication page in each of your applications
4. Use Windows Authentication, so a user will authenticate to all of your
sites using the credentials they signed in with
5. Use remoting to get access to the session information and get a local
instance during authentication

I am sure there are other options out there as well.

--
Chris Jackson
Software Engineer
Microsoft MVP - Windows Client
Windows XP Associate Expert
--
More people read the newsgroups than read my email.
Reply to the newsgroup for a faster response.
(Control-G using Outlook Express)
--

"jib" <jib_0@hotmail.com> wrote in message
news:eefzSvi%23DHA.2748@TK2MSFTNGP12.phx.gbl...

>
> "Chris Jackson" <chrisjATmvpsDOTorgNOSPAM> wrote in message

>> ASP.NET handles forms authentication through session variables. Each
>> application has its own session store, so your users are logged in to the
>> other application, but then are returned to the original application
>> where
>> they do not have an entry in that application's session store. You need
>> to
>> get the session state set within that specific application.
>>

>
> Thanks Chris, any code examples how I would obtain that session state?
>
> Jib
>
>

[OTS]

Check this out
[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconformsauthenticationacrossapplications.asp[/url]

"jib" <jib_0@hotmail.com> wrote in message
news:%23tojYWQ%23DHA.452@TK2MSFTNGP11.phx.gbl...

> Hi,
>
> For some of you this must be elementary, sorry for being boring. I have
> several ASP.NET apps that I want to secure. The way I am going about it,

is

> by having all apps set for Forms authentication. The login.aspx I have new
> users redirect to is part of a Admin module (yet another ASP.NET app) that
> handles all the trickery of verifying user names etc.
>
> Seems so simple but it doesn't work. When users attempt to view any of the
> applications' pages without being logged in (say app.aspx), they are

indeed

> redirected from app.aspx to the login.aspx page. However, after the
> RedirectFromLogin() call in login.aspx, app.aspx does not see that the

user

> is authenticated and simply redirects to login.aspx again. Somehow I need

to

> feed the authorization through to app.aspx but have no idea how to do

this.

>
> Ideas anyone?
>
> Jib
>
>