Last post Jan 03, 2014 01:41 AM by mukesh.joshi
Jan 02, 2014 01:09 AM|mukesh.joshi
I have an application with forms-based authentication in a single-server environment. We log in on an external application which gives us a link to access our current application. When we click on the link, our existing application opens and authentication is done using the "Ticket" key provided in the request.
Following is the configuration:
with following configuration in the config file.
<forms name=".ABCD" loginUrl="Pages/LoginPage.aspx" timeout="1440" path="/" />
<authorization> <deny users="?" /> </authorization>
<machineKey validationKey="adsfasdfasdfasdf" decryptionKey="asdfadsfsdfaf" validation="SHA1" />
We are doing the user authentication code on the page load of the loginPage.aspx: the algo is as follows:
string tic = Request.QueryString.Get("ticket");
// Validate the ticket data. If validated then redirect to the default page else show error.
Now, as per the need, there is a change in the authentication mechanism, as the authentication will be done on an RPG server, through which this application's default page will then open. For this, we have made loginPage.aspx a restricted page and placed it on the RPG server.
When the external application connects to the application, the redirection is done to LoginPage.aspx (forms authentication). For authentication, we use a specific value from the HTTP header, and after successful authentication the redirection is done to the default page, located on a different server than the RPG server.
As per my understanding, following the redirection, the browser requests the LoginPage.aspx page again. This request includes the forms authentication cookie.
Now the issue is, when authentication happens again, User.Identity.IsAuthenticated is not true (which should not be the case as it is already done), and then the existing code tries to fetch the value from HTTP_Header again, which doesn't have the needed information as we have moved from the RPG server.
I think it's some configuration which I am missing, however I am not able to find any answer.
Thanks for your help.
Jan 03, 2014 12:53 AM|Michelle Ge - MSFT
According to your description, as we get the username and password, we will check them; if they are valid, the server sends a Set-Cookie header to the client. The client receives and stores it. For each request, the client sends the cookies back to the server.
So far as I know, when you set the forms auth cookie indicating that they are logged in, if you check to see if they are authenticated on that same request, it will return false. But on the next request, it will return true.
At the same time, we should check whether the ticket has expired. If it has expired, the HttpContext.User.Identity.IsAuthenticated method will return false.
There is a similar thread, please refer to the link below:
Hope it's useful for you.
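Added example, not part of the thread or of the poster's code: a diagnostic helper for the login page that separates the cases named in the reply above (cookie not yet sent back by the browser, ticket expired) from one further case assumed here to matter when several servers are involved, a cookie that this server cannot validate or decrypt. `FormsAuthDiagnostics` and `Describe` are hypothetical names; the `FormsAuthentication` members used are the standard `System.Web.Security` API.

```csharp
// Added diagnostic sketch (hypothetical helper, not from the thread).
// Call it at the top of Page_Load on the login page, e.g.:
//   System.Diagnostics.Trace.WriteLine(FormsAuthDiagnostics.Describe(Context));
using System;
using System.Web;
using System.Web.Security;

public static class FormsAuthDiagnostics
{
    // Returns a short reason describing the authentication state of this request.
    // The cookie value itself is never returned or logged: it is a bearer credential.
    public static string Describe(HttpContext context)
    {
        if (context.User != null && context.User.Identity.IsAuthenticated)
            return "authenticated as " + context.User.Identity.Name;

        // The cookie is issued in a response, so it can only appear on a later request,
        // and only if the browser considers this host and path a match for it.
        HttpCookie cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return "no forms cookie in this request (not issued yet, or not sent " +
                   "by the browser to this host/path)";

        FormsAuthenticationTicket ticket;
        try
        {
            // Decrypt validates and decrypts using this server's <machineKey> settings.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception ex)
        {
            return "cookie present but rejected (" + ex.GetType().Name + "); compare " +
                   "<machineKey> on every server that issues or reads the cookie";
        }

        if (ticket == null)
            return "cookie present but it does not contain a valid ticket";
        if (ticket.Expired)
            return "ticket for " + ticket.Name + " expired at " +
                   ticket.Expiration.ToString("u");

        return "valid ticket for " + ticket.Name + ", but the request is not " +
               "authenticated; check that forms authentication is enabled here";
    }
}
```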
Jan 03, 2014 01:41 AM|mukesh.joshi
Just to clarify more on the flow how we are accessing the application.
I have an external application which is on a server named "LOGINSERVER", which has the login page. I log in on it and then I have links for several other applications.
Now I click on an application's link (mentioned in the first question); the click will have some HTTP_HEADER information on it which will be used for authentication. The link is set for a second server (let's assume the name is "RPGSERVER"), a routing server which will then redirect to the actual server, and StartPage.aspx is opened.
However, as there is forms authentication, it goes to loginPage.aspx, which is not exactly a login page; however, on the Page_Load method of this page we authenticate the ticket using the above code.
// Validate the ticket data. If validated then do the redirection.
The above code redirects again to StartPage.aspx; however, because of forms authentication it comes to loginPage.aspx. Because it has a check if (!User.Identity.IsAuthenticated) at the top, authentication should not be done. But it returns as true, so authentication starts again. But because we came through an RPG server, we don't have the HTTP_HEADER information with us now, and authentication fails.
Just wish to know why, after redirection, User.Identity.IsAuthenticated is not correctly set. For your information, if we do it through normal server redirections (no routing) it works fine and the values are correctly set the first time.