开发者

One application, different domains: how to preserve sessions on ASP.NET?

开发者 https://www.devze.com 2022-12-24 11:33 出处:网络
I have an application with different sections. Each section is accessed through a domain. 开发者_如何学运维Example: www.section1.com, www.section2.com, www.section3.com. I need to preserve the session

I have an application with different sections. Each section is accessed through a domain. 开发者_如何学运维Example: www.section1.com, www.section2.com, www.section3.com. I need to preserve the session when the user navigates from one to another URL. The application is the same in IIS. How to accomplish that?


You will need to pass on the session-cookie, and re-set that cookie on the new domain. That will make the session live over several domains (assuming you use the same app).

Example:

Link from section1.com:

<a href="http://www.section2.com/?s=askdjh3k4jh234kjh">

then, OnSessionStart (or OnRequestStart) check for query-parameter s and attach session to it. Meaning, just manually set cookie ASP.NET_SESSIONID to the value you pass on.

This has severe security-implications, so don't allow this unless you know what you're doing. another solution might be to store something into a common backend (database?) and pass around the user with a token that represents the actual session (and set the cookie based on that token), that you generate on a middle-page when navigating away from section1.com -> transferusertonewdomain.aspx -> section2.com/?token=randomTokenThatMatchSessionInDatabase

That would prevent that anyone could hijack a session by jsut knowing the value of the cookie. However, that is possible never the less if you're somewhat familiar with a computer anyway.


If you have multiple domains (and not just subdomains, which are easier), you're going to have more complications doing this than you'd like, because you can't share cookies across different domains.

The usual workaround is to embed a link an image on the other domains that are served by an asp.net page (or HttpHandler if you like). That page should contain a querystring with a unique token and a hashed version of that data appended with some shared secret. Then, that page will set a cookie on the response appropriate to for that domain to associate itself with appropriate data. It will serve typically a 1x1 transparent image as the response. Usually you only want to do this upon login to one of the sites.


Unless you do some customizations, session is specific to an application regardless of session mode you are using. Here's an article that talks about how to customize SQL session so that you can use session across multiple applications.


You should start by change the sessionState from being "InProc" to either StateServer or SqlServer, ensure that the MachineKeys are identical across all sites (domains and servers), and then set up the relevant backend systems to capture the state information.

More information can be found on:

Session-State Modes

ASP.NET State Management Overview


You could use a cookie to pass it, still researching to find out how. I will repost.

** EDIT

There is another Stack Overflow question, see if it helps, 315132

It basically asks

I need to share SSO information between two different domains with a cookie, can this be done in PHP and how?

the answer given was

On both domains, place an image or other web element that is pulled from the other domain. Use the URL to notify the other domain that user X is on domain A, and let domain B associate that user ID with that user on their system.

It's a little complex to carry out correctly, but if you think it through it'll work out very well.

Vinko points out in a comment (thanks!) that I shouldn't take it for granted that you understand the security risks involved. If this information is of any value to anyone, then you should make sure you use proper encryption, authentication, etc to avoid releasing sensitive information and to avoid various attacks (replay, man in the middle, etc). This shouldn't be too onerous since you control both websites and you can select a secure secret key for both, since the communication is only going between the two servers via this special URL. Keep it in mind though.

The user is Adam Davis.

0

精彩评论

暂无评论...
验证码 换一张
取 消