[.NET role-based security authentication] 5: Forms authentication across applications

Source: Internet
Author: User

MSDN documentation

ms-help://MS.MSDNQTR.v80.chs/MS.MSDN.v80/MS.VisualStudio.v80.chs/dv_aspnetcon/html/99e2f9e8-5b97-4a4d-a4ed-5f93276053b7.htm

ASP.NET supports forms authentication in a distributed environment (multiple applications on a single server or in a web farm). If forms authentication is shared across multiple ASP.NET applications, users do not need to authenticate again when switching between those applications.

To configure forms authentication across applications, set several attributes in the forms and machineKey configuration sections so that their values are the same in every application that takes part in the shared authentication.

The following example shows the authentication section of a web.config file. Unless otherwise noted, the name, protection, path, validationKey, and decryptionKey attributes must be identical in all applications. Likewise, the encryption and validation keys used for the cookie data, and the encryption scheme, must be identical. If these settings do not match, the cookie cannot be shared.

web.config

<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- The name, protection, and path attributes must match
           exactly in each web.config file. -->
      <forms loginUrl="login.aspx"
             name=".ASPXFORMSAUTH"
             protection="All"
             path="/"
             timeout="30" />
    </authentication>

    <!-- Validation and decryption keys must match exactly and cannot
         be set to "AutoGenerate". The validation algorithm must also
         be the same. -->
    <machineKey
      validationKey="c50b3c89cb21f4...be"
      decryptionKey="8a9be8fd67af6979e7d20198cfea50dd3d3799c77af2b72f"
      validation="SHA1" />
  </system.web>
</configuration>

Once a cookie has been issued, its expiration is tracked by the expires value stored in the cookie itself. This means that if two applications have different timeout attributes, the expiration date and time set when each cookie was first issued is kept for the whole lifetime of that cookie. When a cookie is renewed, the new expiration time is computed from the cookie's original expiration time. The only moment at which the configured timeout value is applied is when the cookie is first created.
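As an added consistency check (example code written for this page, not from the article or from MSDN), the following Python script pulls the forms and machineKey attributes the text says must match out of several web.config files and reports any mismatch, missing key, or AutoGenerate key. The two sample configs are constructed, with shortened placeholder key values.

```python
import xml.etree.ElementTree as ET

# Attributes the article says must be identical in every application's web.config.
# timeout may differ. ASP.NET config names are case-sensitive, so this exact casing matters.
SHARED = {"forms": ("name", "protection", "path"),
          "machineKey": ("validationKey", "decryptionKey", "validation")}
PATHS = {"forms": "system.web/authentication/forms", "machineKey": "system.web/machineKey"}

def extract_shared_settings(config_xml):
    """Return {'forms.name': ..., 'machineKey.validationKey': ...} for one web.config."""
    root = ET.fromstring(config_xml)
    settings = {}
    for section, attrs in SHARED.items():
        elem = root.find(PATHS[section])
        for attr in attrs:
            settings[f"{section}.{attr}"] = elem.get(attr) if elem is not None else None
    return settings

def check_shared_forms_auth(configs):
    """configs: {app name: web.config text}. Returns a list of problems; empty means OK."""
    extracted = {app: extract_shared_settings(xml) for app, xml in configs.items()}
    problems = []
    for app, s in extracted.items():
        for key in ("machineKey.validationKey", "machineKey.decryptionKey"):
            value = s[key] or ""
            if not value:
                problems.append(f"{app}: {key} is missing")
            elif value.startswith("AutoGenerate"):  # per-machine key: cookie cannot be shared
                problems.append(f"{app}: {key} is AutoGenerate")
    ref_app, ref = next(iter(extracted.items()))  # first app is the reference
    for app, s in extracted.items():
        for key, value in ref.items():
            if app != ref_app and s[key] != value:
                problems.append(f"{app}: {key}={s[key]!r} differs from {ref_app} ({value!r})")
    return problems

# Constructed sample configs (shortened placeholder keys, not real ones); app B breaks two rules.
APP_A = """<configuration><system.web>
  <authentication mode="Forms"><forms loginUrl="login.aspx" name=".ASPXFORMSAUTH"
    protection="All" path="/" timeout="30" /></authentication>
  <machineKey validationKey="C50B3C89CB21F4" decryptionKey="8A9BE8FD67AF6979" validation="SHA1" />
</system.web></configuration>"""
APP_B = APP_A.replace('name=".ASPXFORMSAUTH"', 'name=".APPBAUTH"').replace(
    'validationKey="C50B3C89CB21F4"', 'validationKey="AutoGenerate,IsolateApps"')

if __name__ == "__main__":
    for problem in check_shared_forms_auth({"appA": APP_A, "appB": APP_B}):
        print(problem)
```

Run it against the real web.config files of every application in the farm; any line of output is a setting that will stop the authentication cookie from being accepted by that application.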

-----------------------------------------------------

Rain Marks' supplement

Following the steps above, we can implement cross-application forms authentication on a single server or across a web farm. This is somewhat like Single Sign-On (SSO), but note the following points.

1. If another application's site is opened in a new browser window, a persistent cookie (one that survives across browser sessions) must be created so that the login information is shared among the applications.
(Here "new browser window" means a window that is not a pop-up from the original browser, but a new process started from a shortcut.)

// The second argument (createPersistentCookie = true) issues a persistent cookie.
FormsAuthentication.RedirectFromLoginPage("username", true);

2. Generate a machineKey. The following class produces a ready-to-paste machineKey element with random keys.

using System;
using System.Text;
using System.Security.Cryptography;

public class MachineKey
{
    // 64-byte validation key (128 hex characters) and 24-byte decryption key (48 hex characters).
    const int ValidationKeyLength = 64;
    const int DecryptionKeyLength = 24;
    private RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();

    // Returns a <machineKey> element with freshly generated keys; validation matches the web.config above.
    public string GenerateKey()
    {
        return string.Format("<machineKey validationKey=\"{0}\"\r\ndecryptionKey=\"{1}\"\r\nvalidation=\"SHA1\" />",
            BytesToHex(GenerateKeyBytes(ValidationKeyLength)),
            BytesToHex(GenerateKeyBytes(DecryptionKeyLength)));
    }

    // Fills a buffer of cb bytes from the cryptographic random number generator.
    private byte[] GenerateKeyBytes(int cb)
    {
        byte[] rndData = new byte[cb];
        rng.GetBytes(rndData);
        return rndData;
    }

    // Upper-case hex encoding, the form the machineKey attributes expect.
    private string BytesToHex(byte[] key)
    {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < key.Length; ++i)
        {
            sb.Append(string.Format("{0:X2}", key[i]));
        }
        return sb.ToString();
    }
}

Usage

// In a page's code-behind (needs System.Web for HttpUtility); copy the output into every application's web.config.
protected void Page_Load(object sender, EventArgs e)
{
    Response.Write(HttpUtility.HtmlEncode(new MachineKey().GenerateKey()));
}
