Is there a proper .NET solution for providing persistent server sessions over multiple domains?
i.e. If a user of the site logs in under www.site1.com, they will also then be logged in under www.site2.com
Security is an issue with the program we are working on...
Thanks!
Does it need to be in the session or are you looking for a single signon solution. If the latter take a look at something along the lines of ADFS
http://en.m.wikipedia.org/wiki/Active_Directory_Federation_Services?wasRedirected=true
You may want to start here instead of hacking into the ASPState database(possible, but I don't recommend it): http://www.codeproject.com/KB/session/sharedsession.aspx
Basically you set the AppDomain to be the same for both www.site1.com & www.site2.com using reflection.
You also may need to AppPath as well, we needed to, but our setup was slightly different than what you have. We added:
FieldInfo appDomainInfo = typeof(HttpRuntime).GetField("_appDomainId", BindingFlags.Instance | BindingFlags.NonPublic);
appDomainInfo.SetValue(theRuntime, "/LM/W3SVC/1/ROOT/A_Website_Name_Here");
The word 'session' can be a little confusing in ASP.NET.
If you are talking about security (authentication and authorization), you are probably looking for a Single Sign-On solution. In other words, when a user logs into one site they won't be prompted to log into another related site. Take a look at Windows Identity Foundation, OAuth, Jasig CAS. CAS is my preferred solution (I'm a developer on the .NET client), but the server is written in Java and you'll need some expertise with Java to get it configured the way you want.
In ASP.NET, Session state is a completely separate component from authentication and authorization (although it can depend on the result of the authentication step). If you are trying to share information between the 2 sites (i.e., shopping cart contents), you can either configure both domains to use the same database as a Session provider (google aspnet_regsql -ssadd) or you can just store the data in a database that is accessible by both.
For more info on why I emphasize the distinction, check this out: http://www.codeproject.com/KB/aspnet/ASPDOTNETPageLifecycle.aspx
Good luck.
Try using the canonical hostname URL Rewrite feature of the IIS 7.5 Url Rewrite 2 Module: Download
(This answer relies on both URL have hostheader entries for the same web application)
Related
In code, we're referencing "athirdpartydomain.com"
Page.Response.Redirect("www.athirdpartydomain.com");
However, the owners of "athirdpartydomain.com" have decided to change their domain. This will involved a fairly considerable amount of work for us eventually, and they're letting the domain go completely.
We will of course change it in time, but I'm wondering if there's a quicker way to do this. Like changing something on the server to make sure all requests to "athirdpartydomain.com" all go to "theirnewdomain.com"
Considering you're using .NET, I can imagine you're also using IIS and, so, you can do this using IIS Redirects. NB, this will only work if you're hosting www.athirdpartydomain.com and have access to the IIS on that server.
You can learn how to do this here: http://support.microsoft.com/kb/313074
In .net you can't do that, but yes you can do that using cpanel of that domain.
You have to open that domain with admin login.
and you have to set "a name" or "a point" to particular server where you wants to redirect to site when some one browse the site this will redirect to particular site without load of that site.
I'm in progress of optimizing a ASP.NET site by storing commonly used database objects in a cache and I'm wondering what are good tools to manage the cache?
I found http://aspalliance.com/cachemanager/ which seem pretty cool, but old? Also I have to install this in the webapp itself. I'd prefer an external tool? What else is out there?
(I also found Visual Studio 2005 add-in "Cache Visualizer" but download page http://blog.bretts.net is broken?)
Is there any way to access one webapps's Cache from other webapp running on the same server?
For example a typical object in my cache is the "type of user" (individual, company, student, etc.) that is pretty much static data. But once every year I might update this table and add a value. This is done in our admin app. Is there any way the admin app can access and invalidate "type of user" cache in the public app? (Without restarting the entire app).
I've looked at SqlCacheDependency but this won't work for us in this case.
The Cache is specific to an AppDomain so if you have more than one Web Application neither can access the other's Cache.
You might want to look into external cache arrangements such as Memcached, redis or perhaps even ASP.NET State Server.
You can still find the download for brett's visualizers using the internet wayback machine.
http://web.archive.org/web/20060512123557/http://blog.bretts.net/wp-content/uploads/2006/03/Johnson.Visualizers.zip
I am going to write up a webapp hosted on a windows 2003 server to allow me to connect to local and remote servers to do some basic things.
The webapp will be hosted on serverA. It will need to be able to copy files/folders from one folder to another on this server.
It will need to be able to connect to ServerB and copy files in the same way, e.g. copy \serverB\path\to\sourcefiles to \serverB\path\to\destinationfiles
ServerB hosts an installation of MSSQL 2008, I want to be able to create new database/login etc.
How do I go about this please? I've been reading a bit about Windows Authentication, Impersonation, Delegation but i don't know where to focus on.
thanks
S
To be honest there isn't really a one size fits all complete answer to your question, however there are a number of things that you need to take into consideration early in development to ensure that your platform is built on solid foundations.
From the description you have given the most critical consideration has to be security and everything you develop has to have this at its core. Judging by your post if the wrong person was to access your front end then they could wreak havoc.
As for the model to use, I would suggest Windows Authentication as this is built into the framework and gives you the ability to segregate into usergroups with differing levels of access. It will also open up some of the functionality you need, i.e. network copy of files etc
As for the database management aspect, this again can easily be done via Windows Authentication as you can grant (in SQL) windows users the ability to perform certain tasks, i.e. Create Database, Create Login, drop x, etc
All this said, it of course assumes that the two servers share user credentials, i.e. domain controller etc.
Another method, would be to use the web "interface" as a pass through onto a WCF service that operates under a specific user account that has the access you need. You would then seperately manage authentication/authorisation in a manner that you decide.
Like I said, no simple one size answer - but hopefully this will give you something to chew on.
If your goal is to create new databases or logins, why can't you use the create database and create login commands?
My company took some old php application over. Due to our preference to ASP.net and to the lack of any documentation from the previous developer, we do not want to spend much resources on developing in PHP.
For implementing new features, we will create an Asp.net application that has the same look to the user. We want to develop a kind of 'coexisting' web application. Therefore we must share sessions between an PHP and an Asp.net webapplication project, because there is a usermanagement involved with an existing MySQL database.
(e.g. link 'A' directs to the PHP website, and link 'B' directs to the asp.net application)
How can we share the session between and PHP and an asp.net application?
And does anyone have a hint for this 'coexisting' thing, that might be useful in development?
Edit: IIS 6 would be our targeted server, altough IIS 7.5 would also be an option
I want to tell you, how I ended up doing it.
Both applications access a MySQL database and access a "session" table, which consists of a Guid, the ID of the user, and a confirmationString (I guess I encoded the IDUser in it, somehow) and a date.
Sessions are only started by the PHP application (due to the fact, that the PHP application is still the main application). A new session will result in a new entry in the log table. Every link in the PHP application, that links to the ASP.Net application contains GET-Parameters, containing the Guid etc.
The ASP.net application checks for the GET-Parameters and sets the IDUser in the ASP.Net Session, if the GET-Parameters point to an existing session.
The links pointing back to the PHP application use the same technique.
(There are also other things to consider, like timeouts or logouts, but that can be handled as well)
All in all, I'd say that my approach is useful and none of the customers complained since the deployment (over 1 year ago)
I don't think it's natively possible to share sessions between PHP and ASP.NET.
However, it might be possible by using a PHP page that reads the contents of the session, stores them in hidden fields and then call an ASP.NET page that would read these fields and load them into ASP.NET session.
Theoretically it's possible.
This is an old question, but I didn't think any of the current answers were complete.
First, I think it is a bad idea to store session data in a database server like mysql or SQL Server. The DB is a precious resource, and there's really no reason to thrash it just for session data.
If you are going to store session in a database like that, there are "better" ways of doing it, like making sure that the session data is on it's own independent disk, etc... but honestly, I still feel like it's a mistake and will limit your scalability.
For storing session, you want to go with a simple key/value store, and in my opinion you can't beat memcached (though I've also had good luck with redis + nodejs).
memcached has clients available for pretty much every language on earth: http://code.google.com/p/memcached/wiki/Clients
So, basically all you need to do when using memcached is generate a pseudo-random token for the key, and do a memcached.set. Then store that key in a cookie called session-id or something.
The session-id cookie can be read from any server language, .net, php, python, whatever - and the session value retrieved with a simple memcached.get.
Check out the memcached docs: http://code.google.com/p/memcached/wiki/NewStart
This is a very simple and scalable way to do sessions, and will work with almost any language/server.
http://cz.php.net/manual/en/function.session-set-save-handler.php
http://support.microsoft.com/kb/317604
You can write PHP's sessions into MsSQL, and configure .NET to use MsSQL as backend for sessions.
Not a big deal.
Your asp app should do a three simple things:
Recieve a sessionid cookie from the client
look for the sess_<id> file in the PHP session save path
implement a PHP serialize/unserialize functions to read/write session data.
A nicer way than just hacking into session storage mechanisms on both sides would be setting up OpenId provider and plugging OpenId consumers to both asp.net and php applications.
There's lot of existing code to do it. It would be both more elegant and error prone than the low level solutions. As a bonus you could use integrated OpenId login in the rest of your company applications and become a company hero.
See: Using OpenID for both .NET/Windows and PHP/Linux/Apache web sites
Oh dear, maybe one day you'll see the error of your ways, in the meantime.....
By default, PHP writes its session data as a serialized array into a file named according to the session. The session is identified usually by a cookie with name PHPSESSID.
So in PHP to manually read the session:
$imported_session=unserialize(file_get_contents(session_save_path() . '/' . $_COOKIE[session_name()]));
The format of the file is very straightforward and simple to parse.
However its quite easy to implement your own PHP session handler to write the files in any format/to any storage you like (have a look at auto-prepend for how to associate the revosed code with every page without having to rewrite each one). Or change the name the cookie used to store the session.
C.
I am building a solution for a small business without any in house IT staff.
The central datastore is SQL SERVER (express2008)
I would like to leverage SQLs built in security (certain views for certain classes of employees).
However the boss (the one who needs the control to say who sees what and who can edit) is overwhelmed by Management Studio.
No I know that in just 16-20 hours I could put together a nice interface that uses SQL to manage the users.
It just seems silly for me to reinvent the wheel for what seams like it must be a common problem and must have been solved many times before. but searching on the web has not turned anything up.
I would rather something that I could package with my app (WPF/C#/Linq2Sql)
but if it was stand alone it would also be great as long as it was dummy proof.
While I am on the topic.
How do users usually change their sql passwords (when you are forced to used mixed authentication)?
Thanks
From Scott Guthrie's weblog:
If you haven’t watched this great online video yet you absolutely should. It walks through how to add Forms Authentication (using the <asp:login> control) with a secure Membership Credential Store + Role Based Security to a site, then implement pages that enable Registration (using the <asp:createuserwizard> control) + Change Password (using the <asp:changepassword> control) + Reset Password (using the <asp:recoverypassword> control), and then authorize page access and hide menu navigation links using the role groupings of the authenticated user. The video shows how to-do all of this from scratch in only 17 minutes. You can watch it here. You can also find other great ASP.NET “how to” videos here.
Easiest way to implement this kind of functionality, in my opinion, assuming you're building an ASP.NET front-end.
Edit:
Even though you're delivering a desktop app, I'd still build a web app, stick it on their intranet and then there's one place to go for user account stuff. It's just too easy.
Edit Again:
Look into the stored procedures that are called from the <asp:changepassword> and the <asp:createuserwizard> controls and replicate them from in your admin section.
The answer you're looking for:
Again, Scott Guthrie comes to the rescue:
Peter Kellner has a good article on the new ASP.NET 2.0 Membership and Roles Features, and then put together a very useful sample that demonstrates how to implement a set of admin data-pages on top of the ASP.NET 2.0 Membership and Role Management system to allow you to remotely administer your users and roles. His sample is available to download in source format -- so you can integrate it within your applications to provide a remote management experience for users/roles that works well in a hosting environment.
Update: Check out Juval's article and sample code on how to accomplish the same thing using a Windows Forms front-end and web-services. Very slick!
Updated: Juval has updated his code again to support three options:
1) The version mentioned in the magazine
2) A WCF (Indigo) version hosted in IIS
3) A WCF (Indigo) version with a custom server host in case IIS isn't an option
You can download all three versions here: http://www.idesign.net/idesign/temp/CredentialsManager.zip
Hope this helps,
Scott