Secure MediaWiki from Public Access Authenticate Windows ASP server on Linux PHP


Problem description

We have a web application that runs on an IIS6 ASP.Net server. You must be logged in to use the software. Basically, when you log in a cookie is generated, then when you visit subsequent pages they check for that cookie; if it is not there then you are redirected to login.

We want to implement a MediaWiki server using Linux/PHP (LAMP) to provide a "wiki" formatted help section for our users. However, we want to only allow access from people that are logged in to the software.

So we have software.company.com (Windows/IIS6/ASP.NET server) that you login and navigate to our help which redirects you to kb.company.com (Linux/Apache/PHP server).

My thoughts are to use the same sort of "cookie" checking on the Linux server, but I'm not sure how to get the Windows IIS box to pass a token or something to the Linux server saying "hey this user is logged in so generate a cookie for them".

Anyone do anything like this? I may be completely missing the boat in my thinking...

Recommended answer

The problem here is about how to tell the kb.company.com site that the inbound user is genuinely authenticated and logged into support.company.com.

We have a very similar setup. We have a reseller portal and we have a private knowledgebase wiki site.

To transfer users over to the wiki site we have a special link that requests a page on support.company.com which generates a blob of data and a session key (for example a guid or two) that is persisted to a "session transfer" database table that's accessible to both sites.

We then Response.Redirect() the user to the wiki site with this key, for example:

http://kb.company.com/DoLogin.aspx?session=E97DDE8D-1C57-4450-ABE4-72E2054A1C82

In the wiki (we modified ScrewTurn wiki slightly) we have Forms Authentication turned on and deny access to anonymous users. The DoLogin.aspx grabs the session value from the query string and then looks for the record stored in the "session transfer" table. If there's a match then we authenticate the user and delete the session transfer record.

The session transfer record is also date and time stamped and is allowed a lifetime of 90 seconds after which a cleanup task will delete the record.

Rather than pass the session key value via the querystring you could pass this via a cookie where the cookie domain is set to company.com:

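// "<guid>" stands for the session-transfer key generated for this user
HttpCookie cookie = new HttpCookie("session", "<guid>");
cookie.Domain = "company.com"; // parent domain, so kb.company.com receives it too
Response.Cookies.Add(cookie);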

Further embellishments would be to encrypt the cookie value, do some hashing, and check for tampering on the other side of the transfer. However, the content in our wiki isn't terribly valuable (none of it is editable by the end user); we just wanted to keep out casual passers-by, and this works just fine for us.
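
The receiving side of the session-transfer handoff described in the answer, written for the asker's PHP server as an added example (not code from the original post or from ScrewTurn/MediaWiki). The table and column names, the function names and the in-memory SQLite database standing in for the shared "session transfer" table are assumptions; the key is drawn from PHP's CSPRNG rather than being a GUID.

```php
<?php
const TRANSFER_LIFETIME = 90; // seconds, the lifetime given in the answer

// Portal side (hypothetical helper): store a random key next to the user and a timestamp.
function issueTransferKey(PDO $db, string $user, int $now): string
{
    $key = bin2hex(random_bytes(16)); // 128 bits, unguessable
    $db->prepare('INSERT INTO session_transfer (skey, username, created_at) VALUES (?, ?, ?)')
       ->execute([$key, $user, $now]);
    return $key;
}

// Wiki side (hypothetical helper): returns the username once, or null for any bad key.
function consumeTransferKey(PDO $db, string $key, int $now): ?string
{
    // Reject anything that is not the expected shape before touching the database.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $key)) {
        return null;
    }
    $db->beginTransaction();
    $sel = $db->prepare('SELECT username FROM session_transfer WHERE skey = ? AND created_at >= ?');
    $sel->execute([$key, $now - TRANSFER_LIFETIME]);
    $user = $sel->fetchColumn(); // false when missing or expired
    // Delete on every attempt so a key is single-use; only the request
    // whose DELETE removed the row is allowed to log in.
    $del = $db->prepare('DELETE FROM session_transfer WHERE skey = ?');
    $del->execute([$key]);
    $won = $del->rowCount() === 1;
    $db->commit();
    return ($user !== false && $won) ? $user : null;
}

// Constructed demo data: in-memory table and a fixed clock value.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE session_transfer (skey TEXT PRIMARY KEY, username TEXT NOT NULL, created_at INTEGER NOT NULL)');

$t0  = 1700000000;
$key = issueTransferKey($db, 'alice', $t0);
var_dump(consumeTransferKey($db, $key, $t0 + 5));    // fresh key inside the window
var_dump(consumeTransferKey($db, $key, $t0 + 6));    // same key presented again
$late = issueTransferKey($db, 'bob', $t0);
var_dump(consumeTransferKey($db, $late, $t0 + 91));  // key older than 90 seconds
var_dump(consumeTransferKey($db, 'not-a-key', $t0)); // malformed value
```

Checking the age inside the lookup means an expired key is refused even if the cleanup task has not yet run, and sending the redirect over HTTPS keeps the key out of plaintext traffic during its 90-second lifetime.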
