Re: Forms Authentication problem with WebRequest




Hello Harry,

I am using the System.Net.WebRequest class to hit a URL from within my
web application and stream out the html returned. I am using forms
authentication, and instead of getting the page I have requested, I am
getting my login screen. I assume the solution to this problem lies
in the Credentials property of WebRequest, but I am not sure what I
need to set it to. I am calling this from a page that is already
authenticated, so if I can just get the credentials from the current
page, that should do it, right?

This probably won't work.

I'll try to explain why.

The normal request will go like this:

user <-> webserver
1 user: requests page.aspx
2 webserver: looks for valid cookie and redirects user to login.aspx
3 user: request login.aspx
4 webserver: server transfers login page to user
5 user: submits login.aspx
6 webserver: handles login, redirects to page.aspx, passes a cookie or url variable
7 user: requests page.aspx and sends cookie back to server
8 webserver: server validates cookie and transfers content of page.aspx

Now in your scenario the server does a request to itself from page.aspx. Let's consider that the user already authenticated himself, so we can skip all the way to step 7.

user <-> webserver <-> webserver
7 user: requests page.aspx and sends cookie back to server
8 webserver: server validates cookie
9 webserver: requests page.aspx from itself
10 webserver: looks for a valid cookie, finds none and redirects itself to login.aspx

You might think it would be easy to fix this by authenticating (like you're trying to do) or by sending the cookie along, but:
- authenticating has nothing to do with this scenario, but with server authentication (integrated security). Forms authentication is actually just not authenticated by the server, but by the application.
- sending the cookie along might do the trick, but I believe that the cookie contains information about the originator (like IP address) and that the cookie won't match the IP of the server (which of course differs from the user's IP).

To solve this there are a few easy solutions:
1) use a usercontrol instead of a second page include that on the original page.
2) place the second page in a separate folder only accessible from IP 127.0.0.1, that prevents anyone else accessing it except apps on that server. You can then exclude this folder from forms authentication in the web.config
3) response.redirect the user to the second page, or use server.transfer to preserve the original url.
4) use an iframe or a normal frame to include the contents of the second page within the first one.

--
Jesse Houwing
jesse.houwing at sogeti.nl
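The reply's option 2 says to exclude the folder from forms authentication in web.config without showing the configuration. The following is an added example, not from the original thread or its authors, of what that looks like: a site-wide forms-authentication setup that denies anonymous users, with a `<location>` override for an assumed folder named `internal` that the server calls into with WebRequest. The `<system.webServer>` IP restriction assumes IIS 7 or later; on IIS 6 the equivalent IP restriction is set in IIS Manager rather than in web.config.

```xml
<?xml version="1.0"?>
<!-- Added example (not from the original thread): web.config for option 2.
     The folder name "internal" and the page names are assumptions. -->
<configuration>
  <system.web>
    <!-- Site-wide: forms authentication, anonymous users ("?") denied,
         so an unauthenticated request is redirected to login.aspx. -->
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- The folder the application requests from itself. Authorization is
       overridden here so the server's own request (which carries no
       forms-authentication cookie) is not redirected to login.aspx. -->
  <location path="internal">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
    <!-- IIS 7+ only (assumed). Because the folder is now open to anonymous
         users, it must be limited to the loopback address, otherwise the
         allow rule above exposes it to every client on the network.
         Both loopback addresses are listed in case the application calls
         itself via "localhost", which may resolve to IPv6. -->
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false">
          <add ipAddress="127.0.0.1" allowed="true" />
          <add ipAddress="::1" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

The two settings only make sense together: `<allow users="*" />` on its own turns the folder into an unauthenticated entry point to whatever those pages render, and the IP restriction is what keeps that entry point reachable from the server alone. On IIS 7+ the `ipSecurity` section is locked at the server level by default, so it has to be unlocked in applicationHost.config (or configured through IIS Manager) before a web.config entry takes effect; if it is silently ignored, the folder is left open, so check the restriction by requesting a page in the folder from another host and confirming a 403 rather than the page content.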




