Accessing ASP.NET MVC CORE 1.1 webapp from a webserver via cookies, please discuss.

  • User-79192692 posted

    Hello all,

    As part of integrating an internal application into a public website that is only available via authentication, we have the following scenario to consider:

    Physical structure:

    • The public website is hosted on the web;
    • The internal web application hosted internally on our network;
    • Router configuration allows for ssh encrypted tunneling between the public website and our network;
    • Router configuration via NAT and port forwarding allows the public website webserver to view only the port and only the address of the machine that hosts the webapp on our network;

    Software platforms:

    • Internal software application ASP.NET CORE 1.1 MVC hosted on kestrel, and NGINX - featuring SSL certificate;
    • Public website ( legacy ) powered by joomla and php - featuring also SSL certificate;

    Software plan:

    1. After user authentication on the public website, the public webserver will log in to the internal application ( cookie based ) by code ( not browser ) via POST and will generate a page with an authenticated iframe pointing to a view of the internal application for user interaction;
    2. The internal application will have an action for this particular login that allows only the role of the user of public website and allows only requests from the address of the machine hosting the public webserver;
    3. The view that will be part of the generated iframe also allows only the role of public website user and also filters the client address to allow this public website access only.

    Problems / questions so far:

    1. We have not been able to log in from the public webserver to the local application ( asp.net core with cookie auth ) via code; can you explain the steps for how this can be done via HTTP?
    2. Is the use of an iframe on the public website page to access the view on the internal application a good idea, or do you suggest another? ( note that the authentication to the internal application is done prior to showing the view and the user is not supposed to intervene in that step )
    3. Can you comment / suggest with justification improvements to this scenario?

    Thank you very much in advance.

    Friday, March 10, 2017 11:42 AM
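The address and role restrictions from steps 2 and 3 of the plan, as an added example in ASP.NET Core 1.1 MVC that is not code from the original post; the filter class, the role name "PublicWebsiteUser" and the address 203.0.113.10 are placeholders standing in for the real public webserver.

```csharp
using System;
using System.Linq;
using System.Net;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

// Hypothetical action filter (added example): rejects any request whose TCP
// connection does not come from one of the configured addresses, i.e. the
// public webserver arriving through the NAT/port-forwarding rule.
public class AllowedRemoteAddressAttribute : ActionFilterAttribute
{
    private readonly IPAddress[] _allowed;

    public AllowedRemoteAddressAttribute(params string[] addresses)
    {
        _allowed = addresses.Select(IPAddress.Parse).ToArray();
    }

    public override void OnActionExecuting(ActionExecutingContext context)
    {
        var remote = context.HttpContext.Connection.RemoteIpAddress;
        // Kestrel may report an IPv4 client as an IPv4-mapped IPv6 address
        // (::ffff:a.b.c.d); normalise before comparing.
        if (remote != null && remote.IsIPv4MappedToIPv6)
        {
            remote = remote.MapToIPv4();
        }
        if (remote == null || !_allowed.Any(a => a.Equals(remote)))
        {
            // Fail closed: never fall through to the action.
            context.Result = new StatusCodeResult(StatusCodes.Status403Forbidden);
            return;
        }
        base.OnActionExecuting(context);
    }
}

// Step 3: the view embedded in the iframe requires the public-website role
// (checked by the authorization filter first) AND a connection from the
// public webserver. The login action of step 2 runs before the user is
// authenticated, so it would carry only the address attribute.
[Authorize(Roles = "PublicWebsiteUser")]
[AllowedRemoteAddress("203.0.113.10")]
public class EmbeddedController : Controller
{
    public IActionResult Index() => View();
}
```

Because NGINX proxies to Kestrel, Connection.RemoteIpAddress is NGINX's own address unless the forwarded-headers middleware (Microsoft.AspNetCore.HttpOverrides) is enabled with NGINX registered as the trusted proxy, so verify the filter against a real request from the public webserver before relying on it.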
