Dual forms authentication in asp.net 2.0 - 4.0

578 views Asked by At

BACKGROUND

I have two websites under the same domain. One website encapsulates Login/Account Management functions only and the other website is the real website.

  • LoginWeb - only Login Page/css/images/javascript folder allow anonymous access
  • AdminWebsite - completely locked down via forms auth. i.e not even javascript/images/css folders have <authorization><allow users=*>


WHAT I AM TRYING TO ACHIEVE
This is the workflow I am trying to achieve and have accomplished 99% of it :

  1. If the user hits any page on AdminWebsite he is sent back to LoginWeb by FormsAuthentication
  2. User supplies credentials in the loginpage and LoginWeb website issues a forms auth ticket. User is still not logged into AdminWebSite yet. (This way user can go to changepassword page etc and do account management functions)
  3. User goes to two more steps in LoginWeb and now can be issued the FormsAuth ticket for AdminWebsite and redirected to it.

99% IS ALREADY WORKING
This is the code in LoginWeb which tries to issue the FormsAuth ticket for AdminWeb, but it is not working. i.e AdminWeb is still redirecting me back to Login. I am sure there is something very trivial I am missing but I can't figure out what exactly it is?????????

public void SetAuthenticationTicket(string username)
{
    MachineKeySection sec=(MachineKeySection)WebConfigurationManager.OpenWebConfiguration("").SectionGroups["system.web"].Sections["machineKey"]; 
    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,
        username,
        DateTime.Now,
        DateTime.Now.AddMinutes(30),
        false, //true or false
        sec.DecryptionKey, //Custom data like your webkey can go here
        FormsAuthentication.FormsCookiePath);

    var encryptedTicket = FormsAuthentication.Encrypt(ticket);
    var cookie = new HttpCookie("ADMINWEB", encryptedTicket)
    {
        Path = FormsAuthentication.FormsCookiePath,
        Domain = "xxx.com"
    };
    Response.AppendCookie(cookie);
}

These are my web.config sections for Forms Auth:
LoginWeb

  <machineKey validationKey="XXXXXX" decryptionKey="XXX" validation="SHA1"/>
  <authentication mode="Forms">
    <forms name="LoginWeb"
            domain="xxx.com"
            loginUrl="~/account/Logon"
            timeout="1440"
            cookieless="UseCookies"
            slidingExpiration="false"
            protection="All"
            path="/"/>
  </authentication>


AdminWebSite

   <machineKey validationKey="XXXXXX" decryptionKey="XXX" validation="SHA1"/>
  <authentication mode="Forms">
    <forms name="ADMINWEB"
            domain="xxx.com"
            loginUrl="http://loginweb/account/Logon"
            timeout="1440"
            cookieless="UseCookies"
            slidingExpiration="false"
            protection="All"
            path="/"/>
</authentication>
<authorization>
    <deny users="?"/>
</authorization>
1

There are 1 answers

2
Turnkey On

This site, Forms Authentication Across Applications, implies that the Name on the forms attribute should be the same.