Now let us see what happens in our projects. I have a web site, Aspalliance1, with a "Login.aspx" page where users are authenticated. The same site also has a "Default.aspx" page containing a header, some text and a link to the Aspalliance2 web site. You will see that once a user has logged in, he can navigate to the other web site without having to log in again. There is also an "Encryption.aspx" page with two buttons to encrypt or decrypt the configuration file.
As I said before, cross application login needs only a little configuration in your web.config file. Under the <configuration> element there is a <system.web> element, and we are going to add some settings inside it. We just need to add a <machineKey> element with its values inside <system.web>. <machineKey> has three attributes, and I am going to set all of them. The first one, validation, specifies the algorithm used to validate data (SHA1 here). validationKey specifies the key used to validate the encrypted data, and decryptionKey specifies the key that is used to encrypt and decrypt data, or the process by which the key is generated.
Listing 1: Setting machineKey element in web.config
<machineKey
    validationKey="282487E295028E59B8F411ACB689CCD6F39DDD21E6055A3EE480424315994760ADF21B580D8587DB675FA02F79167413044E25309CCCDB647174D5B3D0DD9141"
    decryptionKey="8B6697227CBCA902B1A0925D40FAA00B353F2DF4359D2099"
    validation="SHA1"/>
The <machineKey> shown in Listing 1 is in clear text and should not be published to the server in that form. For security it is important to encrypt the <machineKey> configuration section before publishing it to the server. The encrypted <machineKey> element is shown in Listing 2.
Listing 2: Encrypted machineKey element in web.config
<machineKey configProtectionProvider="RsaProtectedConfigurationProvider">
<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>Rsa Key</KeyName>
</KeyInfo>
<CipherData>
<CipherValue>
lm3mfPX/94Zm3HgdbsmKiIxbrWM14t3/ugxs40BFOAHbIaCtwQ3gVQusFtOFVUoNVny01kgBCeh10rVEId
djNZ/8luBNoCbHm8OLjgPLHVrT+G0c/LRpESJk2ni/Jy2sWKXlgejgSQ1W5NE53GZtG3s9hu+nk4OWxntS
6z3v7AM=
</CipherValue>
</CipherData>
</EncryptedKey>
</KeyInfo>
<CipherData>
<CipherValue>
BCEGUV/dh1Imbcm5vn0Kn8NrD+EX+KemenR7x+VekwT1ZO6y5+jRyF4RDWMJCfJ1jHC36+MAfCdHuXN0rP
B6hu5YUtX9VA5q5N0NGrs9AIpG+0ihuuS3HDzQe3P6nlI30m1h0pmL1yJBovY0i6fbCA6++GT2MdwCLERk
+PVWmoq7p1q97n5pNzNqhVKCX45lhS5ySVS+MjJXVeTrcatftpvaUcjLsNcL2kMerzf5w/SU3AbLEuY04w
dgYWX5tWzxqeUcghdlWLD0tQi8qyyfVfzXPYozR5sspWHdgqmAycrACHN2dcONWPjT4BanRWb1ouKuP8K+
0CEFE/Hj2ChpYw==
</CipherValue>
</CipherData>
</EncryptedData>
</machineKey>
You can encrypt your configuration files using the Configuration and SectionInformation classes. Let us write some code to encrypt or decrypt the <machineKey> section. The SectionInformation class has a method ProtectSection() which takes a string naming the protection provider, such as "RsaProtectedConfigurationProvider", and encrypts the section. There is also a Boolean property ForceSave, which has to be true so that the section is written out when the configuration file is saved with the Save() method of the Configuration class. Here is the code of the "Encryption.aspx" web page, which has two buttons to encrypt and decrypt the configuration file.
Listing 3: Encryption code on web configuration file
// Code-behind of Encryption.aspx; these namespaces are required
using System;
using System.Configuration;
using System.Web.Configuration;

protected void btnEncrypt_Click(object sender, EventArgs e)
{
    try
    {
        // Open the web.config of the Aspalliance1 application by its virtual path
        Configuration config = WebConfigurationManager.OpenWebConfiguration(
            "/Aspalliance1");
        ConfigurationSection machineKeySection = config.GetSection(
            "system.web/machineKey");
        // Encrypt the section with the RSA provider registered in machine.config
        machineKeySection.SectionInformation.ProtectSection(
            "RsaProtectedConfigurationProvider");
        // Force the section to be written even if it looks unchanged
        machineKeySection.SectionInformation.ForceSave = true;
        config.Save();
        Response.Write("<h2 style='color:red'>Encryption Succeeded</h2>");
    }
    catch (Exception ex)
    {
        Response.Write("<h2 style='color:red'>Error while encrypting</h2><br/>");
        // Exception details are echoed here for the demo only; keep them out of production pages
        Response.Write(ex.Message);
    }
}
Listing 4: Decryption of web configuration file
// Same code-behind and namespaces as Listing 3
protected void btnDecrypt_Click(object sender, EventArgs e)
{
    try
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(
            "/Aspalliance1");
        ConfigurationSection machineKeySection = config.GetSection(
            "system.web/machineKey");
        // Decrypt the section; the provider that encrypted it is read from the file
        machineKeySection.SectionInformation.UnprotectSection();
        machineKeySection.SectionInformation.ForceSave = true;
        config.Save();
        Response.Write("<h2 style='color:red'>Decryption Succeeded</h2>");
    }
    catch (Exception ex)
    {
        Response.Write("<h2 style='color:red'>Error while decrypting</h2><br/>");
        // Exception details are echoed here for the demo only; keep them out of production pages
        Response.Write(ex.Message);
    }
}
Now you have to set some configuration in the Aspalliance2 web site. First you have to change the loginUrl of your <forms> element, which is used to redirect an anonymous user to the "Login.aspx" page. This time it will redirect users to the "Login.aspx" page of the Aspalliance1 web site.
Listing 5: Setting authentication element in web.config
<authentication mode="Forms">
    <forms loginUrl="http://localhost/Aspalliance1/login.aspx" name=".ASPXAUTH"/>
</authentication>
The most important part of this article is that if you want to implement cross application login in your web sites, you must have two or more web sites with the same <machineKey> configuration. So I just copy and paste the <machineKey> section of the Aspalliance1 web site into the Aspalliance2 web site. Now it is ready and you can test your web sites.
Listing 6: Setting machineKey element in web.config
<machineKey
    validationKey="282487E295028E59B8F411ACB689CCD6F39DDD21E6055A3EE480424315994760ADF21B580D8587DB675FA02F79167413044E25309CCCDB647174D5B3D0DD9141"
    decryptionKey="8B6697227CBCA902B1A0925D40FAA00B353F2DF4359D2099"
    validation="SHA1"/>
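As an added example (not part of the original article), here is an offline audit script in Python that parses each site's web.config, flags a <machineKey> left at its auto-generated default or carrying malformed keys, and reports which settings differ between sites (validationKey, decryptionKey, validation and the forms cookie name), which is the check to run before expecting the shared login of Listings 1, 5 and 6 to work. The sample configs, the accepted key sizes and the SHA1 default are assumptions labelled in the code; encrypted sections (Listing 2) are reported but cannot be compared offline.

```python
# Added audit helper (not from the article): compare <machineKey> across sites.
import re
import xml.etree.ElementTree as ET

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
# Assumed acceptable key sizes in bytes: 20-64 for validationKey,
# DES/3DES/AES sizes for decryptionKey (the article's keys are 64 and 24 bytes).
LIMITS = {"validationKey": range(20, 65), "decryptionKey": (8, 16, 24, 32)}
SHARED = ("validationKey", "decryptionKey", "validation", "cookie")

def audit_machine_key(config_xml):
    """Describe the <machineKey> of one web.config and list any findings."""
    root = ET.fromstring(config_xml)
    mk = root.find("system.web/machineKey")
    if mk is None:
        return {"findings": ["no explicit <machineKey>: keys are generated per machine"]}
    if mk.get("configProtectionProvider"):
        # Encrypted section (Listing 2): keys are not readable offline, and the
        # server must hold the RSA key container that encrypted them.
        return {"encrypted": mk.get("configProtectionProvider"), "findings": []}
    forms = root.find("system.web/authentication/forms")
    result = {"validationKey": mk.get("validationKey", ""),
              "decryptionKey": mk.get("decryptionKey", ""),
              "validation": mk.get("validation", "SHA1"),  # assumed default
              "cookie": forms.get("name", ".ASPXAUTH") if forms is not None else ".ASPXAUTH",
              "findings": []}
    for name, sizes in LIMITS.items():
        key = result[name]
        if key == "" or key.startswith("AutoGenerate"):
            result["findings"].append(f"{name} is auto-generated: not shared across sites")
        elif not HEX_RE.match(key) or len(key) % 2 or len(key) // 2 not in sizes:
            result["findings"].append(f"{name} is not a hex key of an accepted size")
    return result

def shared_key_differences(audits):
    """Settings that differ between the plaintext configs audited (must be empty)."""
    plain = [a for a in audits if "validationKey" in a]
    return [f for f in SHARED if len({a[f] for a in plain}) > 1]

# Constructed sample configs: the keys below are filler, not real key material.
VKEY, DKEY = "AB" * 64, "CD" * 24
def sample(vkey, dkey):
    return (f'<configuration><system.web><machineKey validationKey="{vkey}" '
            f'decryptionKey="{dkey}" validation="SHA1"/><authentication mode="Forms">'
            '<forms loginUrl="http://localhost/Aspalliance1/login.aspx" name=".ASPXAUTH"/>'
            '</authentication></system.web></configuration>')
SITE1, SITE2 = sample(VKEY, DKEY), sample(VKEY, DKEY)  # Aspalliance1 and its copy
SITE3 = sample("AutoGenerate,IsolateApps", "AutoGenerate,IsolateApps")  # untouched default
```

Running shared_key_differences over the audits of SITE1 and SITE2 returns an empty list, while adding SITE3 reports validationKey and decryptionKey as differing.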