I have several applications and one of them is a central application that manages authentication, and where a LogOn page is imported from as an IFrame to the other applications.
When the userName and password are correct, I create a cookie named userInfo.
Now, in the current app, I want to check if the userInfo cookie exists. I think I should check that it exists in the browser (on the client side).
It must be possible, so how can I do it?
Thanks in advance.
Cookies cannot be shared cross-domain. If your applications are not hosted on the same domain you have to forget about this. It won't work because browsers (for obvious security reasons) do not send cookies cross-domain. There are other ways to implement cross-domain single sign-on (see the second part of my answer).
Now let's suppose that your applications are on the same domain and you have multiple applications spread over different sub-domains of the root domain:
- login.foo.com
- app.foo.com
- xxx.foo.com
and you want to share authentication between those sub-domains. All you have to do is set the domain property in your web.config to the root domain:
<authentication mode="Forms">
    <forms
        loginUrl="https://login.foo.com"
        requireSSL="true"
        protection="All"
        timeout="120"
        domain="foo.com"
        slidingExpiration="false"
        name="sso" />
</authentication>
The same configuration should be applied to the web.config of all applications. And that's pretty much all you need to do. Once the user is authenticated on one of the sub-domains he will automatically be authenticated on the others, thanks to the fact that cookies can be shared across sub-domains.
If you want to achieve cross-domain single sign-on then you will have to take a different approach. You could use the same machine keys between the different applications to encrypt the authentication token. Here are the steps:
- User navigates to https://foo.com and is presented with a Logon screen because he is not authenticated on this domain yet.
- The user authenticates and an authentication cookie is emitted, valid for the foo.com domain.
Now the user needs to go to https://bar.com and be automatically authenticated on this domain. On some page on https://foo.com you could create a form containing the value of the authentication cookie to be posted:
<form action="https://bar.com" method="post">
    <input type="hidden" name="token" value="PUT THE VALUE OF THE AUTHENTICATION COOKIE HERE" />
    <button type="submit">Go to bar.com</button>
</form>
- The user submits the authentication cookie to bar.com. The script that receives this form submission reads the authentication token value that was posted and uses the FormsAuthentication.Decrypt method to decrypt the authentication ticket and read the user name. Since both applications on foo.com and bar.com use the same machine keys, the ticket that was encrypted on foo.com will be successfully decrypted by bar.com.
- The script at bar.com, having extracted the authenticated username from the token, emits a forms authentication cookie valid on bar.com using the FormsAuthentication.SetAuthCookie method.
- The user is now authenticated on bar.com.
The whole security of this model relies on the fact that SSL is used when POSTing the forms authentication token from foo.com to bar.com, so the token cannot be captured by a man-in-the-middle, and that both applications share the same machine keys for encrypting and decrypting those tokens.