Creating a cookie in a Web service to avoid authentication

  • Question

  • User1955562351 posted

    I have a PHP Web site which makes a Soap call to a .NET web service that runs on the same server as a .NET based web app which, in addition to functioning as a Web app by itself, also provides some information from its database to the PHP site. The PHP/Wordpress site is an information portal + a bunch of static PDF documents on a landing page that lives behind a login and it is hosted on a different server to the .NET web app. A typical user authenticates using a login form on the PHP site, which then makes a Web service call (the Web method is given below) to the server that hosts the .NET app and the web service. Based on the result of the Web service call the user is granted access to the landing page that contains links to the static documents. Here is where the tricky part is. In addition to links to the static docs, the page also has a link to the Web app which authenticates the user. Long story short, the authentication for both the landing page and the Web app is done against the database that is used by the Web app. So I want to have a feature that when a user authenticates himself at the PHP site to view the PDFs and then clicks on the link to the .NET web app he should not have to re-authenticate himself on this server to get into this site.

    Here is the code fragment that authenticates a user.

    public string Login(string username, string password)
    {
        LoginUser user = LoginUserRepository.GetUserByUsername(username);
        // Guard against an unknown username: without this, user.Password
        // throws a NullReferenceException instead of returning a result.
        // The same message is returned for both cases so a caller cannot
        // tell a wrong password from a non-existent account.
        if (user == null)
        {
            return "Wrong Password";
        }
        // Note: this compares the password as stored, in plain text.
        if (user.Password.Equals(password))
        {
            return "success" + " " + user.Role;
        }
        else
        {
            return "Wrong Password";
        }
    }

    The PHP file that calls this Web service then creates a session for the user for the PHP site. In the above code fragment, is there a way to create a cookie so that the user does not have to authenticate himself again to visit the pages within the .NET web app?

    Tuesday, November 12, 2013 9:03 AM

All replies

  • User-488622176 posted

    Why would you want to do this? Do you need security on the WCF service? If you block access to this service from remote locations, you could consider dropping security in the service.

    Tuesday, November 12, 2013 9:28 AM
  • User1955562351 posted

    No. Not for security on the service. Basically what I want to do is sign in once and access different domains for which the sign-on is applicable. Since the PHP site in my case calls the Web service I would like to explore the possibility of setting a cookie on the Web service for the other app so that the user does not have to log in again. To give you an example... Say you are a facebook user and that you are logged in to your account. This means if you sign in to a Web site www.example.com that allows visitors with a valid facebook login you are automatically granted access to the site every time you are logged into facebook. I want to achieve something similar. If the user is authenticated to use the PHP site, he must be authenticated to use the .NET site. And the only common region between the two Web sites is the Web service, so I am thinking when authenticating the user for the PHP site if I create a cookie for the .NET app and return the response will the user be authenticated in both the domains?

    Tuesday, November 12, 2013 9:36 AM
  • User-488622176 posted

    Now I get it, you want to create an authentication service. These systems use claims-based authentication principles. This means: you do the login once, and get a token claiming your identity & authentication request. This ticket gets passed to other applications/systems that will validate the ticket every time you access the application/system.

    You could consider CAS (http://www.jasig.org/cas). Or you can use OAuth (http://oauth.net/)

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, November 12, 2013 10:54 AM
  • User1955562351 posted

    Thanks a lot. CAS seems to be more relevant to what I want. But I am not sure where it exactly fits between my applications. So let me break it down into distinct steps; please let me know if I am right.

    1) User visits www.<myphpsite>.com/login

    2) He supplies the username and password and clicks on the login button.

    3) A web service call is then made to the .NET web method hosted in the same server as my .NET application www.<myDotNetApp>.com

    4) The Web service uses the database to authenticate the user.

    5) Somewhere here CAS has to fit in and has to ensure that I am authenticated for both www.<myphpsite>.com and www.<myDotNetApp>.com. In addition to doing this it has to set some session variables for the www.<myDotNetApp>.com site for the user to be able to view the different pages in the site.

    6) Then the Web method has to redirect the user to the landing page in the www.<myphpsite>.com.

    7) Now if the user clicks the link to www.<myDotNetApp>.com from www.<myphpsite>.com he must be taken to his profile page in www.<myDotNetApp>.com because he is already authenticated.

    Now, is it possible to create Session variables when authenticating using CAS? 

    Tuesday, November 12, 2013 12:51 PM
  • User-488622176 posted

    You'll need to read the CAS documentation, it's been a while since I used it. CAS works with authentication tickets that are granted after login. These tickets can be verified against the CAS server at any time to validate their integrity. Your app A can get the ticket, and keep it in session. If the user redirects to app B, you should pass the ticket to B (using for example http headers). B has a login page (for native authentication, the same as you did in app A) and a way to verify if a ticket was passed. B should validate this ticket. If it is valid, keep it in session and consider the user authenticated.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, November 14, 2013 3:25 AM
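
    The ticket hand-off described in the reply above, as an added example that is not code from this thread or from CAS. A cookie cannot do this job: a Set-Cookie header on the SOAP response lands on the PHP server, not in the user's browser, and a browser only sends a cookie back to the host that set it, so www.<myphpsite>.com and www.<myDotNetApp>.com can never share one. What does work is the pattern in the reply: the web service issues a short-lived, signed, single-use ticket at login, the PHP site keeps it in its server-side session and puts it in the link, and a handler in the .NET app validates the ticket before issuing the app's own Forms-authentication cookie. Assumptions (none of them on the page): both projects read the same secret from an appSettings key named SsoTicketKey; LoginUser and LoginUserRepository are the asker's own types with a Password and a Role; the handler path /SsoLogin.ashx, the query parameter "ticket", Login.aspx and Profile.aspx are hypothetical names; the app runs on a single server.

```csharp
// Added example, not code from the thread. Ticket = base64url(payload) "." base64url(HMAC-SHA256(payload)),
// payload = username|role|expiry-unix-seconds|random-nonce. Assumed: shared appSettings key
// "SsoTicketKey" (32+ random bytes, base64) in both projects; LoginUser/LoginUserRepository are the
// asker's types; /SsoLogin.ashx, "ticket", Login.aspx and Profile.aspx are hypothetical names.
using System;
using System.Collections.Concurrent;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;
using System.Web.Services;

public static class SsoTicket
{
    private static readonly byte[] Key =
        Convert.FromBase64String(ConfigurationManager.AppSettings["SsoTicketKey"]);
    // CAS tickets are single-use; mimic that with the nonces already redeemed
    // (one app server assumed; a web farm needs a shared cache or table instead).
    private static readonly ConcurrentDictionary<string, long> Redeemed =
        new ConcurrentDictionary<string, long>();

    public static string Issue(string username, string role, TimeSpan lifetime)
    {
        var nonce = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(nonce);
        long expires = UnixNow() + (long)lifetime.TotalSeconds;
        // Escape each field so a username containing '|' cannot inject a field.
        string payload = string.Join("|", new[] {
            Uri.EscapeDataString(username), Uri.EscapeDataString(role),
            expires.ToString(), Convert.ToBase64String(nonce) });
        byte[] bytes = Encoding.UTF8.GetBytes(payload);
        return B64Url(bytes) + "." + B64Url(Hmac(bytes));
    }

    // Returns (username, role), or null if the ticket is malformed, forged, expired
    // or already redeemed. Nothing in the payload is trusted until the MAC verifies.
    public static Tuple<string, string> Validate(string ticket)
    {
        if (string.IsNullOrEmpty(ticket)) return null;
        string[] parts = ticket.Split('.');
        if (parts.Length != 2) return null;
        byte[] bytes, mac;
        try { bytes = FromB64Url(parts[0]); mac = FromB64Url(parts[1]); }
        catch (FormatException) { return null; }
        if (!FixedTimeEquals(Hmac(bytes), mac)) return null;
        string[] f = Encoding.UTF8.GetString(bytes).Split('|');
        long expires, now = UnixNow();
        if (f.Length != 4 || !long.TryParse(f[2], out expires) || expires < now) return null;
        foreach (var kv in Redeemed)                         // drop stale nonces
            if (kv.Value < now) { long ignored; Redeemed.TryRemove(kv.Key, out ignored); }
        if (!Redeemed.TryAdd(f[3], expires)) return null;     // replayed ticket
        return Tuple.Create(Uri.UnescapeDataString(f[0]), Uri.UnescapeDataString(f[1]));
    }

    private static byte[] Hmac(byte[] data)
    {
        using (var h = new HMACSHA256(Key)) return h.ComputeHash(data);
    }

    // Compare every byte so timing does not reveal how much of a forged MAC matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private static long UnixNow()
    {
        return (long)(DateTime.UtcNow - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
    }

    private static string B64Url(byte[] b)
    {
        return Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    private static byte[] FromB64Url(string s)
    {
        string t = s.Replace('-', '+').Replace('_', '/');
        switch (t.Length % 4) { case 2: t += "=="; break; case 3: t += "="; break; }
        return Convert.FromBase64String(t);
    }
}

// Web service side: hand back a ticket with the result. The PHP site keeps it in its
// server-side session and appends it to the link; the lifetime should cover that gap.
public class AuthService : WebService
{
    [WebMethod]
    public string Login(string username, string password)
    {
        LoginUser user = LoginUserRepository.GetUserByUsername(username);
        if (user == null || !user.Password.Equals(password)) return "Wrong Password";
        return "success " + user.Role + " " + SsoTicket.Issue(username, user.Role, TimeSpan.FromMinutes(30));
    }
}

// .NET app side: the link target /SsoLogin.ashx?ticket=... Only a valid ticket produces
// the app's own Forms-auth cookie; anything else goes to the app's normal login page.
public class SsoLoginHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        var id = SsoTicket.Validate(context.Request.QueryString["ticket"]);
        if (id == null) { context.Response.Redirect("~/Login.aspx"); return; }
        // Carry the role in the Forms ticket's userData so the app can authorise
        // without a second database lookup (the "session variables" the asker wants).
        var fa = new FormsAuthenticationTicket(1, id.Item1, DateTime.Now,
            DateTime.Now.AddMinutes(30), false, id.Item2);
        context.Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(fa)) { HttpOnly = true, Secure = true });
        context.Response.Redirect("~/Profile.aspx");
    }
}
```

    Two things to keep in mind if you build on this. The ticket is a bearer token that travels in a URL, so it ends up in browser history, proxy logs and Referer headers; the short lifetime and the single-use check limit what a leaked one is worth, and the link should only ever be served over HTTPS. And the web service itself is still unauthenticated: anyone who can reach it can call Login, which is why the earlier reply's point about blocking remote access to the service matters even more once it starts minting tickets.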