Introduction
For most web applications, many people prefer forms authentication. When many applications run in multiple subdomains under a primary domain, single sign-on is a good option: after you log on to www.example.com, you can access the resources of everything.example.com.
Forms authentication does not support this by default, but it is not complicated to adjust it to do so.
ASP.NET forms authentication is not complicated: it creates a special cookie whose name is defined by the name attribute of the forms element in web.config. The cookie contains encrypted authentication data. The default name of this cookie is .ASPXAUTH.
Cookies are associated with host names by default for privacy and security reasons. However, the cookie mechanism allows a host to set a cookie for the domain it belongs to, which means that a cookie set by the host server1.example.com can be used throughout example.com.
You can set cookies for second-level and third-level domains, but cookies for top-level domains are not allowed. For example, setting a .com cookie is not allowed.
Next, let's go through the setup to see what work is needed.
Configuration
As with other applications, you must first configure authentication in system.web. For example:
<authentication mode="Forms">
  <forms name="Domainloginauth" loginUrl="http://weblogin/default.aspx"
         protection="All" />
</authentication>
As mentioned above, the authentication cookie is encrypted, and the encryption seed is randomly generated. When multiple servers have to work together, they must all use the same encryption seed. Add the following section to system.web:
<machineKey
  validationKey="Bd52058a3dea473ea99f29418689528a494df2b00054bb7c"
  decryptionKey="684fc9301f404de1b9565e7d952005579e823307bed44885"
/>
If DES is used for encryption, 16 hexadecimal characters are used. If SHA1 is used for encryption, 48 hexadecimal characters are used. ASP.NET uses SHA1 for encryption by default.
Logging on
The domain must be set on the authentication cookie before the cookie is sent to the client. The code (assuming that the user name and password have already been verified and the user name is stored in the username variable):
// Issue the forms-authentication cookie and scope it to the whole domain.
HttpCookie authCookie = FormsAuthentication.GetAuthCookie(username, false);
authCookie.Domain = "example.com";
Response.Cookies.Add(authCookie);
Response.Redirect(FormsAuthentication.GetRedirectUrl(username, false));
Logging out
Generally, you do not need to do anything special when logging out; you only need to call FormsAuthentication.SignOut(). However, this function cannot process domain cookies.
Therefore, you should delete this cookie manually. The only way to delete a cookie manually is to set its expiration time to a time in the past. Refer to the following code:
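HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
if (authCookie != null)  // no cookie in the request means nothing to delete
{
    authCookie.Domain = "example.com";  // must match the domain used at logon
    authCookie.Expires = DateTime.Now.AddDays(-1);  // a past date makes the browser drop it
    Response.Cookies.Add(authCookie);
}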
Now your applications can perform single sign-on.
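The cookie scoping rules from the introduction, and the reason an expiry cookie sent without a Domain attribute leaves the domain-wide cookie in place, shown as an added example (not code from the original article): a simplified Python model of browser cookie storage. The host name weblogin.example.com, the ticket value and the one-entry suffix set are constructed for illustration.

```python
# Simplified model of how a browser stores and sends cookies (RFC 6265).
# Host names, the ticket value and the one-entry suffix set are constructed.
PUBLIC_SUFFIXES = {"com"}  # stand-in for the real public suffix list

def domain_match(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

class CookieJar:
    def __init__(self):
        # Stored cookies are identified by (name, domain); path is left out here.
        self.cookies = {}

    def set_cookie(self, origin_host, name, value, domain=None, expired=False):
        """Apply one Set-Cookie header from origin_host; False if rejected."""
        host_only = domain is None
        if host_only:
            domain = origin_host  # no Domain attribute: bound to this host
        else:
            domain = domain.lstrip(".").lower()
            if domain in PUBLIC_SUFFIXES or not domain_match(origin_host, domain):
                return False
        if expired:
            self.cookies.pop((name, domain), None)  # removes the exact match only
        else:
            self.cookies[(name, domain)] = (value, host_only)
        return True

    def sent_to(self, host, name):
        """Values of cookie `name` attached to a request for host."""
        return [value for (n, d), (value, host_only) in self.cookies.items()
                if n == name and (host == d if host_only else domain_match(host, d))]

def demo():
    jar, name, out = CookieJar(), "Domainloginauth", {}
    # Logon host scopes the cookie to the parent domain.
    jar.set_cookie("weblogin.example.com", name, "ticket", domain="example.com")
    out["other_subdomain"] = jar.sent_to("www.example.com", name)
    # Expiry cookie without Domain targets (name, "www.example.com"): no effect.
    jar.set_cookie("www.example.com", name, "", expired=True)
    out["after_plain_expiry"] = jar.sent_to("www.example.com", name)
    # Expiry cookie with the same Domain removes it for every subdomain.
    jar.set_cookie("www.example.com", name, "", domain="example.com", expired=True)
    out["after_domain_expiry"] = jar.sent_to("server1.example.com", name)
    out["tld_cookie_accepted"] = jar.set_cookie("www.example.com", "x", "1", domain="com")
    return out

if __name__ == "__main__":
    print(demo())
```

Because the domain-wide cookie is attached to requests for every host under example.com, each of those hosts receives the authentication ticket.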