cross site authentication
umbracorox
Posted: Monday, February 25, 2008 10:13:14 AM
Rank: Newbie

Joined: 2/24/2008
Posts: 6
Hello guys,

I am enjoying extending the capabilities of umbraco with my custom app and believe I have reached an interesting stage.

What I would like to do is pass authentication credentials across umbraco and my custom app - my custom app is using windows forms authentication.

Now what are your thoughts on achieving this?

Create and install a custom usercontrol on umbraco that resides on all umbraco content pages where I need authentication credentials, then allow for authorization and personalisation of umbraco pages? Any examples and references would be greatly appreciated.

My thoughts would be, if possible for the usercontrol to retrieve the authentication cookie and from then we can get anything and everything we want and perform the desired business logic on umbraco pages.

Architecturally umbraco has been integrated into the app as a content provider - so if I could now get a seamless transition between the two that would be sweet.

thank you again for your great assistance


umbracorox
Posted: Monday, February 25, 2008 10:25:20 AM
Rank: Newbie

Joined: 2/24/2008
Posts: 6
I should add that this implementation will be across the same root level domain name.

I.e. www.mydomain.com is my custom app and umbraco would be umbraco.mydomain.com
umbracorox
Posted: Monday, February 25, 2008 2:22:08 PM
Rank: Newbie

Joined: 2/24/2008
Posts: 6
What do you think of a solution like this:
http://aspalliance.com/1513_Cross_Site_Authentication_and_Data_Transfer.all#Page3

my custom app encrypts a ticket with various parameters (userid, expiry date, etc.) and passes it in the querystring through https to umbraco.

umbraco user control decrypts the querystring (known key) and makes invocation to the database and authenticates the user and gets any data that is required.


the expiry date will be a short time, the encryption key will be private

to gain access to umbraco user details (whatever is retrieved from the usercontrol) - a hacker would need to steal the encrypted querystring within expiry time (this is encrypted over ssl) - or steal our private key, know a user's userid and any other information we encrypt in the querystring to gain access to umbraco pages and other user details that are displayed on the umbraco pages - this can also then create its own authentication ticket.

is this an acceptable secure solution?

in what situation would you not use this? and why not? given this information and implementation could you easily steal data?
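
An added example, not part of the original posts and not code from the linked article: one way the ticket hand-off described above could be built so that the receiving side rejects a tampered, expired or replayed ticket. It assumes modern .NET (for `CryptographicOperations.FixedTimeEquals`), separate encryption and MAC keys shared by both apps, and hypothetical names (`HandoffTicket`, `Issue`, `Redeem`).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class HandoffTicket   // hypothetical helper, added example
{
    // Nonces already redeemed. Assumption: one receiving process; a web farm needs a shared store.
    static readonly HashSet<string> Redeemed = new HashSet<string>();

    // Builds userId|expiry|nonce, encrypts it (AES-CBC) and appends an HMAC. userId must not contain '|'.
    public static string Issue(byte[] encKey, byte[] macKey, string userId, DateTime expiresUtc)
    {
        string plain = userId + "|" + expiresUtc.Ticks + "|" + Guid.NewGuid().ToString("N");
        using (var aes = Aes.Create())
        using (var hmac = new HMACSHA256(macKey))
        {
            aes.Key = encKey;                       // Aes.Create() supplies a fresh random IV
            byte[] pt = Encoding.UTF8.GetBytes(plain);
            byte[] ct = aes.CreateEncryptor().TransformFinalBlock(pt, 0, pt.Length);
            byte[] body = aes.IV.Concat(ct).ToArray();
            return Convert.ToBase64String(body.Concat(hmac.ComputeHash(body)).ToArray())
                          .Replace('+', '-').Replace('/', '_');   // URL-safe alphabet
        }
    }

    // Returns the user id, or null if the ticket is malformed, forged, expired or already used.
    public static string Redeem(byte[] encKey, byte[] macKey, string ticket, DateTime nowUtc)
    {
        byte[] raw;
        try { raw = Convert.FromBase64String(ticket.Replace('-', '+').Replace('_', '/')); }
        catch (FormatException) { return null; }
        if (raw.Length < 16 + 16 + 32) return null;             // IV + one block + tag
        byte[] body = raw.Take(raw.Length - 32).ToArray();
        byte[] tag = raw.Skip(raw.Length - 32).ToArray();
        using (var hmac = new HMACSHA256(macKey))                // verify the MAC before decrypting
            if (!CryptographicOperations.FixedTimeEquals(tag, hmac.ComputeHash(body))) return null;
        using (var aes = Aes.Create())
        {
            aes.Key = encKey; aes.IV = body.Take(16).ToArray();
            byte[] pt = aes.CreateDecryptor().TransformFinalBlock(body, 16, body.Length - 16);
            string[] f = Encoding.UTF8.GetString(pt).Split('|');
            if (f.Length != 3 || long.Parse(f[1]) < nowUtc.Ticks) return null;   // expired
            lock (Redeemed) return Redeemed.Add(f[2]) ? f[0] : null;             // single use
        }
    }
}
```

The single-use nonce is what covers a ticket captured inside its expiry window, and the MAC is what stops a modified ciphertext from being accepted; the trailing `=` padding should be URL-encoded when the ticket is placed in the querystring.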

drobar
Posted: Monday, February 25, 2008 2:45:35 PM

Rank: Umbracoholic

Joined: 9/8/2006
Posts: 1,410
Location: KY, USA
Here's an interesting discussion by a couple fellows who have approached the question of integration with external data in two different ways. What you'll see is that they each architected a solution that was best for their specific needs... that's the beauty of umbraco... no arbitrary constraints!

http://forum.umbraco.org/19811

cheers,
doug.



MVP 2007-2009 - Official Umbraco Trainer for North America - Percipient Studios