Use the "machineKey" section in the web.config file to implement single sign-on 1

Source: Internet
Author: User
Summary
In this article, Masoud discusses several aspects of ASP.NET, including Membership Providers, web.config configuration, and configuration file encryption and decryption. At the end of the article, the author provides a sample program that authenticates users with the ASP.NET login controls.
Introduction

Generally, when you implement authentication for an ASP.NET web application, you create a login page for each application. If you have two or more associated web applications, you may want a mechanism that shows a single login page for all of them. That way, once a user has logged on, he can browse all the associated applications without logging on again. Single Sign-On (SSO) is an access control mechanism that allows a user to access all software system resources through one verification.

Imagine that you have created two or more web sites on your server. Like other web sites, they use only the ASP.NET authentication mechanism to verify users, so you may need one or more login pages for these sites. Here we want to show how to achieve cross-application login by changing your configuration. In other words, we want to configure a single login page for our applications, and once the user passes verification, he can browse all the other sites without another login. In the appendix of this article, you can also see how to encrypt your configuration file.

What is single sign-on? How does it work?

Many companies have systems that use web sites or web applications as the presentation layer. Naturally, they need to implement authentication and authorization through the Membership Provider and Role Provider, or through custom providers, based on ASP.NET 2.0. By default, every site has a "login.aspx" web form that determines whether the user's ID and password are valid in the database. When you have only one site, or the sites run independently, this is no problem. But when you have two or more sites that are associated or linked together, you may ask: why must the user log on to each application separately? Why not implement verification with a single "login.aspx" and truly unify all these programs? Fortunately, in ASP.NET 2.0 you can use the same configuration to achieve cross-application access, whether for a new site or an existing one.

The ASP.NET configuration file (web.config) has a section named <machineKey>, which is used to encrypt and decrypt forms authentication cookie data and view-state data, and to verify out-of-process session state identification. Therefore, once the user passes verification and a cookie is saved to the local computer, other applications with the same <machineKey> configuration also recognize this cookie as a valid authentication ticket, and no second login is required in those applications.

Because the <machineKey> information is sensitive, you need to encrypt it in the configuration file. To do this, I will use the ConfigurationManager class and its methods. There is also a class named SectionInformation, which contains the metadata of a single section in the configuration. This class has a method, ProtectSection(), that encrypts the configuration section of your configuration file.
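
One way to encrypt and decrypt the <machineKey> section with ProtectSection(), shown as an added example that is not the article's own code. The class name MachineKeyProtector, the virtualPath parameter and the choice of the RSA provider are assumptions.

```csharp
using System.Configuration;
using System.Web.Configuration;

// Hypothetical helper, not taken from the article.
public static class MachineKeyProtector
{
    // Built-in provider names: "RsaProtectedConfigurationProvider" and
    // "DataProtectionConfigurationProvider" (DPAPI, tied to one machine).
    private const string Provider = "RsaProtectedConfigurationProvider";
    private const string SectionPath = "system.web/machineKey";

    // virtualPath is the application's virtual path, e.g. Request.ApplicationPath.
    public static bool Encrypt(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection(SectionPath);

        // Skip when the section is not declared in this web.config
        // or is already encrypted.
        if (section == null
            || !section.ElementInformation.IsPresent
            || section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);   // rewrites web.config on disk
        return true;
    }

    public static bool Decrypt(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection(SectionPath);
        if (section == null || !section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.UnprotectSection();
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }
}
```

The account running this code needs write access to web.config. ASP.NET decrypts a protected section transparently at run time, so code that depends on the keys does not change.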

System Requirements

· A web server running on Windows 2000 or later

· .NET Framework 2.0

· Visual Studio 2005

· Microsoft SQL Server 2005 Express Edition

Now let's take a look at what happens in our project. I have a site (Aspalliance1) that contains a login page, "Login.aspx", which is used to verify the user. The site also has a page called "Default.aspx", which has a header, some text, and a link to the Aspalliance2 site. You will see that once the user logs on, he can navigate to the other site without a second login. There is also a page, "Encryption.aspx", with two buttons that encrypt and decrypt the configuration file.

As I said before, you can achieve cross-application access with a small change to your web configuration file. The web.config file has a configuration section named <system.web>. We will make the same change in every application: put the <machineKey> section and its values inside the <system.web> section. <machineKey> has some attributes that I will configure. First, validation specifies the encryption type used for verification. validationKey defines the key used to verify and decrypt data. decryptionKey defines the key used to encrypt and decrypt data, or the key generation process.

Listing 1: Configuring machineKey in web.config
<machineKey
  validationKey="282487e295028e59b8f411acb689ccd6f39ddd21e6055a3ee480415315994760adf21B580D8587DB675FA02F79167413044E25309CCCDB647174D5B3D0DD9141"
  decryptionKey="8b6697227cbca902b1a0925d40faa00bda-f2df4359d2099"
  validation="SHA1" />
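
The keys in Listing 1 are published on this page, so a real deployment needs its own values, identical across the applications that share the login. The following added example (not the article's code) generates a random key pair and checks that a key string is well-formed hex. MachineKeyTool, its method names and the 64-byte and 24-byte key sizes are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;

// Hypothetical helper, not taken from the article.
public static class MachineKeyTool
{
    // Returns byteCount cryptographically random bytes as upper-case hex.
    public static string NewHexKey(int byteCount)
    {
        byte[] buffer = new byte[byteCount];
        RandomNumberGenerator.Create().GetBytes(buffer);
        StringBuilder sb = new StringBuilder(byteCount * 2);
        foreach (byte b in buffer)
            sb.Append(b.ToString("X2"));
        return sb.ToString();
    }

    // True when key is pure hex, has an even number of characters and
    // is between minChars and maxChars long.
    public static bool IsHexKey(string key, int minChars, int maxChars)
    {
        return key != null
            && key.Length >= minChars && key.Length <= maxChars
            && key.Length % 2 == 0
            && Regex.IsMatch(key, @"\A[0-9A-Fa-f]+\z");
    }

    // Builds a <machineKey> element with freshly generated keys.
    public static string BuildElement()
    {
        string validationKey = NewHexKey(64);   // 128 hex characters, as in Listing 1
        string decryptionKey = NewHexKey(24);   // 48 hex characters (assumed size)
        return string.Format(
            "<machineKey validationKey=\"{0}\" decryptionKey=\"{1}\" validation=\"SHA1\" />",
            validationKey, decryptionKey);
    }

    public static void Main()
    {
        Console.WriteLine(BuildElement());
        // decryptionKey exactly as printed in Listing 1; it contains a '-',
        // which is not a hex digit, so check a pasted key before deploying it.
        string printed = "8b6697227cbca902b1a0925d40faa00bda-f2df4359d2099";
        Console.WriteLine("Listing 1 decryptionKey is valid hex: " + IsHexKey(printed, 16, 64));
    }
}
```

Generate the keys once, paste the same element into the web.config of every application that shares the login, and keep the values out of source control and public pages.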
