Forms Authentication ReturnUrl and subdomain for single sign-on


Problem description


I have a domain http://abc.com and a subdomain http://sub.abc.com. I'm implementing single sign-on between the two sites by sharing the forms authentication cookie. This is implemented by having both sites share the validationKey and decryptionKey in the machineKey.

When the user hits a page in the subdomain I want the user authenticated in the root domain and redirected back to the subdomain. The user is redirected to the login page currently but the ReturnUrl wants to redirect to the root site.

E.g. Currently: http://abc.com/login.aspx?ReturnUrl=%2fsecure%2fdefault.aspx

but I want: http://abc.com/login.aspx?ReturnUrl=http:%2f%2fsub.abc.com%2fsecure%2fdefault.aspx

How can this be achieved?

In my subdomain's web.config I have the auth configured like this currently:

<authentication mode="Forms">
  <forms name=".ASPNET" loginUrl="http://abc.com/login.aspx" protection="All" timeout="1440" path="/" domain="abc.com" enableCrossAppRedirects="true" />
</authentication>

Solution

I solved this by setting a querystring in my forms element from my subdomain:

<authentication mode="Forms">
    <forms name=".ASPNET" loginUrl="http://abc.com/login.aspx?returnsite=sub" protection="All" timeout="1440" path="/" domain="abc.com" enableCrossAppRedirects="true" />
</authentication>

Then in my auth code in my main website, I check for that querystring. If it exists I build the redirect url by appending my subdomain to the returnurl.

That returnsite querystring is really only acting as a flag that I need to redirect to a known subdomain else it will work with just the redirecturl to the current domain. This should (in theory) prevent cross site scripting.
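The login-page logic the answer describes, as an added example rather than the answerer's own code: the returnsite value is only a flag looked up in a constructed allow-list of known subdomains, and ReturnUrl is only ever used as a rooted path on the chosen host, so the page never redirects to a host taken from the query string. The control names (UserNameTextBox, PasswordTextBox, FailureText) and the use of Membership.ValidateUser are assumptions.

```csharp
// Added example for the root-site login page (abc.com); not the original poster's code.
using System;
using System.Collections.Generic;
using System.Web.Security;

public partial class Login : System.Web.UI.Page
{
    // Constructed allow-list: only these "returnsite" flag values map to a subdomain.
    private static readonly Dictionary<string, string> KnownSites =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "sub", "sub.abc.com" },
        };

    // Builds the post-login redirect. The host always comes from the allow-list or the
    // current request, never from ReturnUrl, which is reduced to a local rooted path.
    internal static string BuildRedirectUrl(string returnSite, string returnUrl, string currentHost)
    {
        string path = string.IsNullOrEmpty(returnUrl) ? "/" : returnUrl;
        // Reject absolute and protocol-relative forms ("http://evil", "//evil", "/\evil").
        if (!path.StartsWith("/") || path.StartsWith("//") || path.StartsWith("/\\"))
        {
            path = "/";
        }

        string host;
        if (string.IsNullOrEmpty(returnSite) || !KnownSites.TryGetValue(returnSite, out host))
        {
            // No flag, or an unknown flag value: stay on the current domain.
            host = currentHost;
        }
        return "http://" + host + path;
    }

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // Assumed: a membership provider validates the credentials.
        if (!Membership.ValidateUser(UserNameTextBox.Text, PasswordTextBox.Text))
        {
            FailureText.Text = "Invalid login.";
            return;
        }
        // Cookie domain and name come from the <forms> element, so the subdomain can read it.
        FormsAuthentication.SetAuthCookie(UserNameTextBox.Text, false);
        string target = BuildRedirectUrl(Request.QueryString["returnsite"],
                                         Request.QueryString["ReturnUrl"], Request.Url.Host);
        Response.Redirect(target, false);
        Context.ApplicationInstance.CompleteRequest();
    }
}
```

With the subdomain's config above, a login arriving as login.aspx?returnsite=sub&ReturnUrl=%2fsecure%2fdefault.aspx lands on http://sub.abc.com/secure/default.aspx, while any unlisted returnsite value or a non-local ReturnUrl falls back to the root site.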
