
This is sort of a two-part question, so I'll start with the first, which will lead into the second. I'm hosting a site at GoDaddy where at the root is the main web application. However, in a sub-folder I have created a second web application. Both use Forms Authentication backed with ASP.NET Membership on a shared database, meaning both are using the database aspnetdb. What I'm trying to accomplish is the ability to log into one and therefore be logged into both, a Single Sign On (SSO) if you will. What I have found so far is that if the applications are on the same server (IIS instance) they share the same MachineKey. From what I have found and from my understanding, Forms Authentication uses the MachineKey to generate the Authentication Ticket. So there should be no modifications necessary as long as the application name for the Membership, Role and Profile providers match.

Am I accurate so far?

But I have not been able to get this to work. So I tried two other ideas, to no avail. I added the following to both Web.config files (separately, not together of course).

<machineKey decryptionKey="AutoGenerate" 
    validation="SHA1" validationKey="AutoGenerate" />

or

<machineKey
    validationKey="93A258D47F48AF07AB8BE3EF56C9D32897B9C458F2E14DB6F9AA47D77E40F4CA763D4BD56C2900B507073023F4C43C583A1F7086C2DD327C879368B0449EFB10"
    decryptionKey="6BE371E3CDE768B71D0D261370127BAE094984D207EFD4B55FB24384FE1795D1"
    validation="SHA1" decryption="AES" />

Generated from http://aspnetresources.com/tools/machineKey

And an example Membership configuration

<membership 
    defaultProvider="SqlProvider"
    userIsOnlineTimeWindow="20">
    <providers>
        <remove name="AspNetSqlProvider" />
        <add name="SqlProvider"
            type="System.Web.Security.SqlMembershipProvider"
            connectionStringName="aspnetdb"
            enablePasswordRetrieval="false"
            enablePasswordReset="true"
            requiresQuestionAndAnswer="true"
            passwordFormat="Hashed"
            applicationName="/" />
    </providers>
</membership>

So my first question: will this work, and am I on the right track? Because I have not been able to get this to work.

The next question is: if this works and someone were to download an application and load it to their website, and if in the application Web.config the MachineKey is specified, like the one generated above, and they leave the default application name, like '/', could this be a security risk? Meaning, if person A loaded an app and person B loaded the same app, could a user authenticate on one and therefore be authenticated on the second installation? Mind you, person A and person B have no relationship other than that they both loaded the same application and left it with the default settings.

References:

http://msdn.microsoft.com/en-us/library/ff649308.aspx

http://help.ablecommerce.com/faqs/ablecommerce_7/how_do_i_install_to_a_shared_hosting_environment_.htm

http://rtur.net/blog/post/2009/03/30/Using-machineKey-with-ASPNET-Membership.aspx

Using one Asp.net Membership database with multiple applications Single Sign On

[Update] - I'm determined to find the solution to this issue soon. If you are also searching for a solution, stay tuned...
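The two conditions the question turns on, as an added audit script that is not code from the question or from ASP.NET: it parses two Web.config fragments and reports whether a forms ticket issued by one app would be accepted by the other, and whether a hard-coded machineKey would be shared by every installation of a distributed package. The sample configs and the "AA11"/"BB22" keys are constructed placeholders; the script assumes both apps sit on one server, and encodes the fact that the machine.config default, AutoGenerate,IsolateApps, derives a distinct key per application.

```python
import xml.etree.ElementTree as ET

# Constructed Web.config fragments; "AA11"/"BB22" are placeholders, not real keys.
ROOT_CFG = """<configuration><system.web>
<machineKey validationKey="AA11" decryptionKey="BB22" validation="SHA1" decryption="AES"/>
<membership defaultProvider="SqlProvider"><providers>
<add name="SqlProvider" connectionStringName="aspnetdb" applicationName="/"/>
</providers></membership></system.web></configuration>"""
SUB_CFG = ROOT_CFG  # sub-folder app configured identically to the root app

def machine_key(cfg):
    """<machineKey> attributes, or None when the machine.config default applies
    (AutoGenerate,IsolateApps since ASP.NET 2.0: keys derived per application)."""
    el = ET.fromstring(cfg).find("./system.web/machineKey")
    return dict(el.attrib) if el is not None else None

def app_name(cfg):
    """applicationName of the membership provider named by defaultProvider."""
    m = ET.fromstring(cfg).find("./system.web/membership")
    if m is None:
        return None
    for p in m.findall("./providers/add"):
        if p.get("name") == m.get("defaultProvider"):
            return p.get("applicationName")
    return None

def key_shared_on_host(mk):
    """True if two apps on one server use the same key material: explicit keys,
    or AutoGenerate without the IsolateApps modifier."""
    return mk is not None and not any("IsolateApps" in mk.get(a, "AutoGenerate,IsolateApps")
                                      for a in ("validationKey", "decryptionKey"))

def sso_findings(cfg_a, cfg_b):
    """Reasons a forms ticket issued by app A would be rejected by app B (empty = SSO ok)."""
    out = []
    ka, kb = machine_key(cfg_a), machine_key(cfg_b)
    if not (key_shared_on_host(ka) and key_shared_on_host(kb)):
        out.append("machineKey is isolated per application")
    elif ka != kb:
        out.append("explicit machineKey values differ")
    if app_name(cfg_a) != app_name(cfg_b):
        out.append("membership applicationName differs")
    return out

def shipped_key_risk(cfg):
    """True if key material is hard-coded: every installation of the package
    then shares it, so a ticket minted on one install validates on another."""
    mk = machine_key(cfg) or {}
    return any("AutoGenerate" not in mk.get(a, "AutoGenerate")
               for a in ("validationKey", "decryptionKey"))
```

Run `sso_findings(ROOT_CFG, SUB_CFG)` to see the empty list for the matching pair, and `shipped_key_risk(ROOT_CFG)` to see the hard-coded key flagged.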

  • Jeff, it was my understanding that the virtual directory would actually *inherit* the authentication settings of the parent. Have you tried it without specifying anything authentication-related in the web.config of the virtual directory (the child)? – mikey Oct 21 '11 at 16:48
  • Do you mean removing all references to Membership in the web.config for the secondary app? – Jeff Willener Oct 21 '11 at 16:49
  • It'll be a bit before I have time to try but will update result. – Jeff Willener Oct 21 '11 at 16:52
  • Actually, now that I think about it that breaks the intention of being able to log into either site and therefore be logged into both. :( – Jeff Willener Oct 21 '11 at 16:53
  • You're already wanting them to share the same aspnetdb and application name of / right? So essentially they are the same, you may be able to swing different login pages by specifying an authentication/forms tag in the web.config of the virtual directory. http://msdn.microsoft.com/en-us/library/ms178685.aspx http://msdn.microsoft.com/en-us/library/1d3t3c61.aspx – mikey Oct 21 '11 at 16:57
  • Yep, same db and same app name. I see what you are saying now. One login page on root site where both have form tag. Although I believe the issue will still be the same. Thanks mikey I'll give it a shot. – Jeff Willener Oct 21 '11 at 17:08
