Single Sign On & Sign Out Problem in ASP.NET

Developer https://www.devze.com 2023-01-05 20:38 Source: Internet

Details of the sites which use the single sign-on:

1. http://webgate.abcltd.com
2. http://sales.abcltd.com
3. http://emp.abcltd.com

The webgate application does the authentication and authorization. The others (sales, emp) use the webgate application. When anyone accesses any page from the sales/emp sites, they will be redirected to webgate's login page (here I have used Forms authentication; the configuration is below).

<authentication mode="Forms">
    <forms loginUrl="Login.aspx" 
           protection="All" 
           name="WebGateSecurity" 
           path="/" 
           domain="abcltd.com"
           defaultUrl="ApplicationList.aspx"
           enableCrossAppRedirects="true"/> 
</authentication> 
<authorization>   
<deny users="?" /> 
</authorization> 
<machineKey validationKey="2C0904BC344116CC6FFD3DD7087C942878C41B7F861555651E69C7B72F9A7DF6BC3B63BFF0F1438DFB863EE3EAC62CBFFECA7482D3758888E7CDACDBBAE136D5" decryptionKey="A60EC9E480CB3BBC48D1D2B7FFF9E945FBA46196AD3029187022ADE8F7B99B25" validation="SHA1" decryption="AES" />

User credentials are validated against the data store and the authentication ticket/cookie is created as below

// Version 1 ticket, valid for 30 minutes, non-persistent, with userActions as the user data
var authTicket = new FormsAuthenticationTicket(1, username, DateTime.Now, DateTime.Now.AddMinutes(30), false, userActions, FormsAuthentication.FormsCookiePath);
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
var authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
Response.Cookies.Add(authCookie);

If the given credentials are correct, I am trying to redirect to the requested URL as below

if (Request.Params["ReturnURL"] == null || Request.Params["ReturnURL"].EndsWith("/Logout.aspx") || Request.Params["ReturnURL"].EndsWith("/Error.aspx"))
    Response.Redirect(FormsAuthentication.DefaultUrl);
else
{
    //Response.Redirect(FormsAuthentication.GetRedirectUrl(username, false));
    FormsAuthentication.RedirectFromLoginPage(username, false);
}

I have used the LoginStatus control (placed in the master page), which lets the user perform sign in/sign out from the webgate app. When the user signs out, the following code will be executed in order to remove the cookie.

protected void LoginStatus1_LoggingOut(object sender, LoginCancelEventArgs e)
{
    FormsAuthentication.SignOut();
    HttpCookie httpCookie = Request.Cookies[System.Web.Security.FormsAuthentication.FormsCookieName];
    if (httpCookie != null)
    {
        httpCookie.Domain = "abcltd.com";
        httpCookie.Expires = DateTime.Now.AddDays(-1);
        Response.Cookies.Add(httpCookie);
    }
}

The configuration in the other applications (sales and emp) is as follows

<authentication mode="Forms">
  <forms loginUrl="http://webgate.abcltd.com/Login.aspx" name="WebGateSecurity" protection="All" path="/" domain="abcltd.com" />
</authentication>
<authorization>
  <deny users="?" />
</authorization>
<machineKey validationKey="2C0904BC344116CC6FFD3DD7087C942878C41B7F861555651E69C7B72F9A7DF6BC3B63BFF0F1438DFB863EE3EAC62CBFFECA7482D3758888E7CDACDBBAE136D5" decryptionKey="A60EC9E480CB3BBC48D1D2B7FFF9E945FBA46196AD3029187022ADE8F7B99B25" validation="SHA1" decryption="AES" />

My problem is: sign out is not working. In detail: after sign out, I am able to access any page from the webgate, sales and emp applications.

Please help me.


That's because you are using a different domain name in web.config:

domain="vrxstudios.com"

and

domain="abcltd.com"

so no single sign-on is possible. In your sign out method you cannot remove a cookie that belongs to abcltd.com from vrxstudios.com:

if (httpCookie != null)
{
    httpCookie.Domain = "abcltd.com"; // this is not possible from vrxstudios.com
    httpCookie.Expires = DateTime.Now.AddDays(-1);
    Response.Cookies.Add(httpCookie);
}

What you could do is redirect to a sign out page on abcltd.com which will do the job.
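
The browser-side rule behind this answer, as an added example that is not part of the original post: a simplified JavaScript model of RFC 6265 cookie storage showing which sign-out responses can actually remove the `WebGateSecurity` cookie. The `CookieJar` class, the `demo` function and the `www.vrxstudios.com` host name are constructed for illustration.

```javascript
// Simplified browser cookie jar (RFC 6265 storage rules); constructed model,
// no public-suffix checks, prefix-only path matching.
function domainMatch(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

class CookieJar {
  constructor() { this.cookies = new Map(); }

  // Apply one Set-Cookie received from `host`; returns what the browser does with it.
  setCookie(host, { name, value = "", domain = null, path = "/", expires = null }, now = Date.now()) {
    // A host may only set (or expire) cookies for a Domain it belongs to.
    if (domain !== null && !domainMatch(host, domain)) return "rejected";
    const effective = domain ?? host; // no Domain attribute => host-only cookie
    const key = [name, effective, path].join("|"); // identity: name + domain + path
    if (expires !== null && expires <= now) {
      return this.cookies.delete(key) ? "deleted" : "no-match";
    }
    this.cookies.set(key, { name, value, domain: effective, hostOnly: domain === null, path });
    return "stored";
  }

  // Names of the cookies the browser would attach to a request for host + path.
  cookiesFor(host, path = "/") {
    return [...this.cookies.values()]
      .filter(c => (c.hostOnly ? host === c.domain : domainMatch(host, c.domain)))
      .filter(c => path.startsWith(c.path))
      .map(c => c.name);
  }
}

function demo() {
  const jar = new CookieJar(), past = 0; // epoch 0 = already expired
  const ticket = { name: "WebGateSecurity", value: "ENCRYPTED-TICKET", domain: "abcltd.com" };
  const expired = { ...ticket, value: "", expires: past };
  const r = {};
  r.login = jar.setCookie("webgate.abcltd.com", ticket);
  // Sign-out answered by a host outside abcltd.com (constructed host name).
  r.foreignSignOut = jar.setCookie("www.vrxstudios.com", expired);
  // Sign-out without Domain addresses a host-only cookie, a different identity.
  r.noDomainSignOut = jar.setCookie("sales.abcltd.com", { name: "WebGateSecurity", expires: past });
  r.sentToEmpBefore = jar.cookiesFor("emp.abcltd.com");
  // Sign-out from an abcltd.com host with the same name, Domain and path.
  r.matchingSignOut = jar.setCookie("webgate.abcltd.com", expired);
  r.sentToEmpAfter = jar.cookiesFor("emp.abcltd.com");
  return r;
}

console.log(demo());
```

Removing the cookie only clears it from that browser: a Forms authentication ticket is not revoked on the server and remains valid until its own expiration (30 minutes in the question's code), so a copied ticket can still be replayed within that window.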
