response.redirect from one asp.net web app to another

Question

I have a VS 2011 solution file with two projects, each is a project file for a web app. One is an older version of the application and the other is a newer version. When a user signs in to the older version, depending on their membership, they might be redirected to the new version. When they do land on the new website, they should not have to go through authentication, instead go directly to their page within the app.

To handle this, I am using response.redirect from the older application along with a querystring indicating that the user has been authenticated.

code in older version:

Response.Redirect(sURL + "?Auth=" + sAuth, false);

I am checking for the querystring on the page_load event of the login.aspx.cs of the new app (something like "if querystring authentication = true then continue to next page"). However, I still get the login page.

Code on page_load event of new app:

if (Page.IsCrossPagePostBack)
{
    string sAuthenticate = Request.QueryString.Get("Auth").ToString();
            if (sAuthenticate == "1")
            {
                ByPassAuthentication();
            }
}

How can I bypass the login page?

First off, a query string isn't a secure authentication token. Are you using the build in FormsAuthentication feature? Or are you using entirely custom authentication? — MatthewMartin, Jan 05 '12 at 21:13
So if I simply type the second app url and use the query string "Auth=1" I can access the site...Why use authentication then? — Chandu, Jan 05 '12 at 21:15

score 3 · Answer 1 · answered Jan 05 '12 at 21:16

Assuming that this is a FormsAuthentication site, ASP.Net will automatically return the user to the login page is they have not been logged into FormsAuthentication.

So you will have to, at the very least, pass the user's login name as well.

Since you are passing this on the querystring, you will have to be very careful to ensure that only your response.redirect is processed as a valid request. You don't want any user to be able to login by figuring out what the query string parameter is and logging in as the CEO of the company.

We do this by encrypting a combination of the user name and the current time, then on the receiving end, we decrypt and compare the timestamp. If it is outside the tolerance (say 2 minutes), we deny the login request.

score 1 · Answer 2 · edited May 23 '17 at 11:48

1

Maybe single sign on will help you, check out my question and answer here.

Single Sign On

edited May 23 '17 at 11:48

Community

1
1

answered Jan 05 '12 at 21:20

jim

26,598
13
51
66

score 1 · Accepted Answer · edited May 23 '17 at 12:03

1

You can debug this by right clicking on your solution, click Properties, then start your two projects. Have a look here Running two projects at once in Visual Studio. Of course put a break point on both projects

edited May 23 '17 at 12:03

Community

1
1

answered Feb 02 '12 at 04:31

Troy

1,659
4
19
33

score 0 · Answer 4 · answered Jan 05 '12 at 21:13

0

You could try checking the "IsCrossPagePostBack" property on the new page.. then you'd know if the post back was a redirection.

answered Jan 05 '12 at 21:13

vlad-ardelean

7,480
15
80
124

I tried using this property on the page_load of the newer version, but no luck... the page continues to display the login screen – user1111955 Jan 05 '12 at 21:30

score 0 · Answer 5 · answered Jan 05 '12 at 21:20

You need to authenticate the user once you've entered the 'new' site. Assuming your using .NET Forms authentication, you're probably setting an Authentication cookie with code like this,

FormsAuthentication.SetAuthCookie(userLogin, true);

When you do this, it creates a cookie for the user that is used for subsequent requests to the site it was created. In your case, the 'Old' site. So, you either need to create a new auth cookie, or share the auth cookies, which has a few nuances and can be troublesome.

response.redirect from one asp.net web app to another

5 Answers5