您如何在应用程序域之间传递经过身份验证的会话 [英] How do you pass an authenticated session between app domains
问题描述
假设您有网站 www.xyz.com 和 www.abc.com.
假设用户访问 www.abc.com 并通过普通的 ASP .NET 成员资格提供程序进行身份验证.
然后,从该站点,他们被发送到(重定向、链接、任何有效的)站点 www.xyz.com,站点 www.abc.com 的意图是将该用户作为状态传递到另一个站点isAuthenticated,这样网站 www.xyz.com 就不会再次询问该用户的凭据.
这需要什么才能起作用?不过,我对此有一些限制,用户数据库是完全独立的,它不是组织内部的,在所有方面,它就像从 stackoverflow.com 传递到 google 进行身份验证一样,本质上是分开的.指向相关文章的链接就足够了.
通过像这样设置 web.config authentication 部分来尝试使用 FormAuthentication:
<表单名称=".ASPXAUTH" requireSSL="true"保护=全部"enableCrossAppRedirects="true"/></认证> 生成机器密钥.示例:生成 MachineKey 的最简单方法– 提示和技巧:ASP.NET、IIS ...
当发布到其他应用程序时,身份验证票作为隐藏字段传递.在从第一个应用程序读取帖子时,第二个应用程序将读取加密的票证并对用户进行身份验证.以下是传递该字段的页面示例:
.aspx:
</表单>
代码隐藏:
protected void Page_Load(object sender, EventArgs e){FormsIdentity cIdentity = Page.User.Identity as FormsIdentity;如果(cIdentity != null){this.hdnStreetCred.ID = FormsAuthentication.FormsCookieName;this.hdnStreetCred.Value = FormsAuthentication.Encrypt(((FormsIdentity)User.Identity).Ticket);}}另请参阅本 书籍 来自 Wrox.除了提供自制的 SSO 解决方案外,它还推荐上述答案.
Lets say that you have websites www.xyz.com and www.abc.com.
Lets say that a user goes to www.abc.com and they get authenticated through the normal ASP .NET membership provider.
Then, from that site, they get sent to (redirection, linked, whatever works) site www.xyz.com, and the intent of site www.abc.com was to pass that user to the other site as the status of isAuthenticated, so that the site www.xyz.com does not ask for the credentials of said user again.
What would be needed for this to work? I have some constraints on this though, the user databases are completely separate, it is not internal to an organization, in all regards, it is like passing from stackoverflow.com to google as authenticated, it is that separate in nature. A link to a relevant article will suffice.
Try using FormAuthentication by setting the web.config authentication section like so:
<authentication mode="Forms">
<forms name=".ASPXAUTH" requireSSL="true"
protection="All"
enableCrossAppRedirects="true" />
</authentication>
Generate a machine key. Example: Easiest way to generate MachineKey – Tips and tricks: ASP.NET, IIS ...
When posting to the other application the authentication ticket is passed as a hidden field. While reading the post from the first app, the second app will read the encrypted ticket and authenticate the user. Here's an example of the page that passes that posts the field:
.aspx:
<form id="form1" runat="server">
<div>
<p><asp:Button ID="btnTransfer" runat="server" Text="Go" PostBackUrl="http://otherapp/" /></p>
<input id="hdnStreetCred" runat="server" type="hidden" />
</div>
</form>
code-behind:
protected void Page_Load(object sender, EventArgs e)
{
FormsIdentity cIdentity = Page.User.Identity as FormsIdentity;
if (cIdentity != null)
{
this.hdnStreetCred.ID = FormsAuthentication.FormsCookieName;
this.hdnStreetCred.Value = FormsAuthentication.Encrypt(((FormsIdentity)User.Identity).Ticket);
}
}
Also see the cross app form authentication section in Chapter 5 of this book from Wrox. It recommends answers like the ones above in addition to providing a homebrew SSO solution.
这篇关于您如何在应用程序域之间传递经过身份验证的会话的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
