I have two ASP.NET sites (they can not run in the same process) and I need to share authentication between them. If a user is in site A already authenticated and then goes to site B, I need to have a way to share this information with site B so the user is not asked to authenticate again. The same is true both ways. How do you share this information?
我有两个ASP.NET站点(它们不能在同一个进程中运行),我需要在它们之间共享身份验证。如果用户在站点A中已经过身份验证,然后转到站点B,我需要有一种方法与站点B共享此信息,因此不会要求用户再次进行身份验证。两种方式都是如此。你如何分享这些信息?
4 个解决方案
#1
Are they in the same domain?
他们在同一个域吗?
If you have app1.blah.com and app2.blah.com, it's very easy to do. Just set the domain and the name to the same value in the forms-section in web.config:
如果你有app1.blah.com和app2.blah.com,这很容易做到。只需将域名和名称设置为web.config中forms-section中的相同值:
<authentication mode="Forms">
<forms loginUrl="login.aspx"
name=".COOKIENAME"
protection="All"
path="/"
domain="blah.com"
timeout="30" />
</authentication>
An added benefit is that users can sign into either site and will still be authenticated if they go to the other one.
另一个好处是,用户可以登录任一站点,如果他们转到另一个站点,仍然会进行身份验证。
#2
Select one site to be the "master" which handles all the logins. We will call that one site A, and the non-login site B.
选择一个站点作为处理所有登录的“主站点”。我们称之为一个站点A和非登录站点B.
When a user uses the login form on A, it should set a cookie with some unique identifier, such as a GUID. As long as that cookie is valid, the user should stay logged in.
当用户在A上使用登录表单时,它应该设置一个带有一些唯一标识符的cookie,例如GUID。只要该cookie有效,用户就应该保持登录状态。
When a user goes to site B, site B should set a cookie with its own unique identifier (another GUID), then redirect to the login on site A, passing along the unique ID in the querystring: Response.Redirect("http://siteA.com/login.aspx?id=ABCDEF")
当用户访问站点B时,站点B应设置具有其自己的唯一标识符(另一个GUID)的cookie,然后重定向到站点A上的登录,传递查询字符串中的唯一ID:Response.Redirect(“http:/ /siteA.com/login.aspx?id=ABCDEF“)
When the user logs in on the form on A, we should update site B's database - maybe via web service - with the user ID and the unique ID which was passed along - essentially letting site B know "when a user with ABCDEF in their cookie hits your site, it is actually User387".
当用户登录A上的表单时,我们应该更新站点B的数据库 - 可能是通过Web服务 - 使用用户ID和传递的唯一ID - 基本上让站点B知道“当他们的cookie中有ABCDEF的用户点击你的网站,它实际上是User387“。
Then redirect back to site B. The cookie from earlier is still set, but site B now reads that cookie and finds a corresponding user ID, so it knows who the user is and allows access.
然后重定向回到站点B.前面的cookie仍然设置,但站点B现在读取该cookie并找到相应的用户ID,因此它知道用户是谁并允许访问。
When the user arrives on site A, if they have already logged in previously to site A, it will recognize their cookie, follow the same steps as above, and redirect immediately.
当用户到达站点A时,如果他们先前已经登录到站点A,它将识别他们的cookie,按照上述相同的步骤,并立即重定向。
This is a very simple version of what every single-sign-on service does. A user will only be sent to A's login page once, no matter where they start from (site A or site B).
这是每个单点登录服务所做的非常简单的版本。无论用户从哪里开始(网站A或网站B),用户都只会被发送到A的登录页面一次。
#3
If you are using Forms Authentication you can do this by setting the Machine Key.
如果您使用表单身份验证,则可以通过设置计算机密钥来执行此操作。
See: Forms Authentication Across Applications
请参阅:跨应用程序的表单身份验证
#4
Check out the Windows Communication Authentication Service. Won't quite handle single sign-on like you want, but it should at least let people login across the board with the same credentials.
查看Windows通信身份验证服务。不会像你想要的那样完全处理单点登录,但它至少应该让人们使用相同的凭据登录。
#1
Are they in the same domain?
他们在同一个域吗?
If you have app1.blah.com and app2.blah.com, it's very easy to do. Just set the domain and the name to the same value in the forms-section in web.config:
如果你有app1.blah.com和app2.blah.com,这很容易做到。只需将域名和名称设置为web.config中forms-section中的相同值:
<authentication mode="Forms">
<forms loginUrl="login.aspx"
name=".COOKIENAME"
protection="All"
path="/"
domain="blah.com"
timeout="30" />
</authentication>
An added benefit is that users can sign into either site and will still be authenticated if they go to the other one.
另一个好处是,用户可以登录任一站点,如果他们转到另一个站点,仍然会进行身份验证。
#2
Select one site to be the "master" which handles all the logins. We will call that one site A, and the non-login site B.
选择一个站点作为处理所有登录的“主站点”。我们称之为一个站点A和非登录站点B.
When a user uses the login form on A, it should set a cookie with some unique identifier, such as a GUID. As long as that cookie is valid, the user should stay logged in.
当用户在A上使用登录表单时,它应该设置一个带有一些唯一标识符的cookie,例如GUID。只要该cookie有效,用户就应该保持登录状态。
When a user goes to site B, site B should set a cookie with its own unique identifier (another GUID), then redirect to the login on site A, passing along the unique ID in the querystring: Response.Redirect("http://siteA.com/login.aspx?id=ABCDEF")
当用户访问站点B时,站点B应设置具有其自己的唯一标识符(另一个GUID)的cookie,然后重定向到站点A上的登录,传递查询字符串中的唯一ID:Response.Redirect(“http:/ /siteA.com/login.aspx?id=ABCDEF“)
When the user logs in on the form on A, we should update site B's database - maybe via web service - with the user ID and the unique ID which was passed along - essentially letting site B know "when a user with ABCDEF in their cookie hits your site, it is actually User387".
当用户登录A上的表单时,我们应该更新站点B的数据库 - 可能是通过Web服务 - 使用用户ID和传递的唯一ID - 基本上让站点B知道“当他们的cookie中有ABCDEF的用户点击你的网站,它实际上是User387“。
Then redirect back to site B. The cookie from earlier is still set, but site B now reads that cookie and finds a corresponding user ID, so it knows who the user is and allows access.
然后重定向回到站点B.前面的cookie仍然设置,但站点B现在读取该cookie并找到相应的用户ID,因此它知道用户是谁并允许访问。
When the user arrives on site A, if they have already logged in previously to site A, it will recognize their cookie, follow the same steps as above, and redirect immediately.
当用户到达站点A时,如果他们先前已经登录到站点A,它将识别他们的cookie,按照上述相同的步骤,并立即重定向。
This is a very simple version of what every single-sign-on service does. A user will only be sent to A's login page once, no matter where they start from (site A or site B).
这是每个单点登录服务所做的非常简单的版本。无论用户从哪里开始(网站A或网站B),用户都只会被发送到A的登录页面一次。
#3
If you are using Forms Authentication you can do this by setting the Machine Key.
如果您使用表单身份验证,则可以通过设置计算机密钥来执行此操作。
See: Forms Authentication Across Applications
请参阅:跨应用程序的表单身份验证
#4
Check out the Windows Communication Authentication Service. Won't quite handle single sign-on like you want, but it should at least let people login across the board with the same credentials.
查看Windows通信身份验证服务。不会像你想要的那样完全处理单点登录,但它至少应该让人们使用相同的凭据登录。