Title:
Gr8
Name:
Ravi
Date:
7/28/2008 2:43:18 AM
Comment:
Can we implement this on windows authentication
|
Title:
Need help
Name:
Satyen
Date:
6/13/2008 5:25:18 AM
Comment:
I have an intranet solution that has 2 websites. Once i login to the first application then i should be able to go to the 2nd application and get the username buy which i can get data for application 2 ...please tell me how to do this. Both apps have a login page and are using forms authentication.The user need not login twice Please let me know how to do this?
|
Title:
Manager Application Development
Name:
Satyen
Date:
6/12/2008 3:58:40 AM
Comment:
Great help...
|
Title:
Author Comments
Name:
Masoud Tabatabaei
Date:
3/1/2008 1:57:04 AM
Comment:
About Tomcat, I don't have enough information, sorry.
About the SqlServer you need Microsoft SQL Server Express Edition to run the sample, and the sample has been tested many times and it 's ok.
|
Title:
Complain
Name:
Lê Văn Linh
Date:
2/27/2008 11:34:41 PM
Comment:
Demo can not connect to sql server ,it error about remote to to server,please check and fix,thanks
|
Title:
SSO on multiple websites
Name:
P.Ramprathap
Date:
2/12/2008 2:49:57 AM
Comment:
Its really intresting and iam planned to use it asap . but could you please let me know how to integrate it with other webserver like Tomcat
|
Title:
Good
Name:
Alireza Montazeri
Date:
2/9/2008 4:34:49 AM
Comment:
Hi Mr. Tabatabaei
this article is very important and good.
I waiting for another your articles.
bye
|
Title:
MSDN article on the topic
Name:
smokopilomidanek
Date:
2/8/2008 9:23:56 AM
Comment:
The MSDN article covers it all in more detail: http://msdn2.microsoft.com/en-us/library/ms998288.aspx#paght000007_sharingauthenticationtickets
|
Title:
SSO on multiple websites
Name:
Dave
Date:
2/1/2008 6:10:44 PM
Comment:
Maybe i'm missing something. When I have several websites working together let's say on example1.org, example2.net and example3.com. Because of the different domains example1.org cannot read the cookie of example3.com.
There are even browsers out there which don't even allow sub1.example.com to query cookies for sub2.example.com.
So it's nice that using same machine on several webservers make it possible to 'understand' each other cookies, but the other website will NEVER receive those cookies, because they aren't part of the request headers.
This problem was created somewhere in 1996/1997 when *bad* people started to abuse cookies from other domains using javascript. Microsoft had an even bigger issue with VBScript which was able to access the harddrive and read the cookie files. Nowadays browsers uses sandboxes and using domain scopes to secure the browser and the privacy of the user.
MS Passport is a SSO service. You register once, but can use the credentials on multiple websites.
A workaround is using an automated login page which receives the ProfileID, SessionID and an HMAC generated checksum using password authenticated user as the key. On the targeted website you perform the same checksum generation and when the checksums match, you can set the SessionID.
|
Title:
Answer to some questions
Name:
Masoud Tabatabaei (Author)
Date:
2/1/2008 3:33:02 PM
Comment:
First About ASP.Net 1.1 and 2.0: Yes, you can use it when you have two or more web sites with ASP .NET 1.1 or 2.0.
Jim has asked about SubDomains. It works for each and every web site with the same MachineKey information.
Samit Kumar and Galip Gulsen had problem with login, It's because probably you are not use Microsoft SQL Server 2005 Express Edition and our membership database is working with that.
Muhammad Adnan is asking about what will happen if you disable your cookie? You know the behavior of Membership will still be the same but using the MachineKey config section will help you when your Membership provider is OK.
About the session, normally you will not share information of each application session within the others, but anyway if your are insist of doing that, you can reach that by implementing a Session-State Store Provider.
Finally, thanks for Dave Black comment about Query Strings.
|
Title:
Login Problem
Name:
Samit Kumar
Date:
2/1/2008 2:44:23 AM
Comment:
This Login page is not working.Its not a valid userid and password.
|
Title:
Problem with login
Name:
Galip Gülsen
Date:
2/1/2008 2:34:19 AM
Comment:
I have used the sample code in this site. But, I can't login with the given data, there comes always an error. This happens also in my code.
Best regards.
|
Title:
informative but incomplete solution
Name:
Muhammad Adnan
Date:
2/1/2008 12:25:30 AM
Comment:
its informative somehow but doesn't provide complete solution for SSO. what would be in case of cookie get disable at client side and what about session management (out proc/sql server based)
anyhow its good article. keep it up man :)
|
Title:
Theres better
Name:
NA
Date:
1/31/2008 10:05:30 PM
Comment:
Still have the problem of sessions. Sessions do not go from app to app. We have a portal app with numerous other apps tied to it. We were able to do what you did in half the code and not pass anything in the URL except for a GUID from app to app.
|
Title:
ASP.Net 1.1 and 2.0
Name:
Oran
Date:
1/31/2008 1:08:13 PM
Comment:
Can this work with a main dashboard website in asp.net 2.0 that has links to asp.net 1.1 websites?
|
Title:
Query Strings
Name:
Dave Black
Date:
1/31/2008 12:44:27 PM
Comment:
Just an important note: Query Strings are not secure EVEN when using SSL!
Plus if IIS Logging is setup on the webserver, every request, including the query sring is logged in a clear text file!
|
Title:
What about when the domain changes?
Name:
Jim
Date:
1/31/2008 10:33:09 AM
Comment:
Something like http://myintranet/app provides a link to https://www.myextranet.com?
|
Title:
Query String
Name:
Masoud Tabatabaei
Date:
1/31/2008 2:32:10 AM
Comment:
About the query string you have to use it whenever the is not problem to show it to users. I mean no secure data has to be in query strings. There are also other ways to manipulate state data in ASP.NET which is more secure and will not shown to users. Use hidden field or view state if it 's just the ID and you just want to hide it but notice that ViewState and HiddenField still can be read by pro users. Also you can use Server Side State Management for more security.
|
Title:
Excellent
Name:
shafaqat
Date:
1/31/2008 12:11:47 AM
Comment:
its a very good article and really helpful.
But i have another issue but it is not related to this article
consider this querystring http://localhost/abc/page.aspx?ID=10
i m saving some xyz data against this id, but if user changes this id to 20 data will b saved against id 20
so is there any machanism to hide id in query string
|
Title:
Thankyou
Name:
Jan Eirik
Date:
1/30/2008 6:41:10 PM
Comment:
Thank you so much for writing this article. This is exactly what I need for the admin and portal part of a school project I'm working on atm. Great stuff!
|
Title:
about the U key
Name:
gowhere
Date:
1/30/2008 4:34:03 AM
Comment:
actualy,I want to know of the U key login principle which likes the U disk insert into the plugin and then login.
I don't think I say clearly :)
|
Title:
SSO on across a network of Web servers
Name:
Masoud Tabatabaei
Date:
1/29/2008 12:06:05 AM
Comment:
Yes, If you need to support configuration across a network of Web servers (a Web farm), set the ValidationKey & DecryptionKey property manually to ensure consistent configuration.
|
Title:
Test
Name:
Test
Date:
1/28/2008 12:08:25 PM
Comment:
Does this work if the sites are hosted on different servers?
|
Title:
Nice article
Name:
AH
Date:
1/16/2008 2:09:27 AM
Comment:
I'm sure quite a few people are in need of such a solution.
|
