SiteB中可以限制访问只有经过身份验证的网站A的用户？怎么样？ [英] Can SiteB Restrict Access Only to Users Authenticated on Site A? How?

问题描述

我最近一直在要求估计一个作品，这将提供功能用于身份验证的用户访问我们的网站。问题是，用户在不同的网站和放大器验证;域我们是东道主之一。

I have recently been asked to estimate a piece of work which will provide functionality for authenticated users to access our site. The thing is, the user has to authenticate on a different site & domain to the one we are hosting.

用户的身份验证和SiteA.com他们提供了一个链接到我们的网站，网站B。只有谁对站点A认证的用户被允许访问SiteB.com。

The user authenticates on SiteA.com and they are provided with a link to our site, SiteB. Only users who have authenticated on SiteA are allowed to access SiteB.com.

我还不知道什么是认证系统站点A正在使用，但我想我会问社会为一些初步想法。这甚至可能？我需要什么考虑？

I don't yet know what authentication system SiteA is using, but I thought I'd ask the community for some initial thoughts. Is this even possible? What do I need to consider?

感谢

推荐答案

单点登录是可以使用的表单验证。具体操作步骤如下：

Single Sign On is possible using Forms Authentication. Here are the steps:

1. 配置两个站点窗体身份验证和设置的相同 机键（这是第4步很重要）。


2. 用户的身份验证和SiteA.com一个cookie发出他在这个网站。


3. 伪造的站点A的链接，会后载SiteB.com在一个隐藏字段添加到页面中的身份验证Cookie值，不需要身份验证（请确保您只张贴了HTTPS）的形式。


4. 在SiteB.com页面读取贴标记的值，使用的 FormsAuthentication.GetAuthCookie


5. 重定向到SiteB.com的认证部分

1. Configure both sites for forms authentication and setup same machine keys (this is important for step 4).
2. User authenticates on SiteA.com and a cookie is issued for him on this site.
3. Forge a link on SiteA that would POST a form containing the authentication cookie value in a hidden field to a page on SiteB.com that doesn't require authentication (make sure you post only over HTTPS).
4. The page on SiteB.com reads the value of the posted token, decrypts it and issues an authentication cookie for SiteB.com using FormsAuthentication.GetAuthCookie
5. Redirect to the authenticated part of SiteB.com

这篇关于SiteB中可以限制访问只有经过身份验证的网站A的用户？怎么样？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！