supporting multiple authentication methods


bb

i have a requirement to support forms and windows integrated
authentication, for an application.

i was going to use two nested web configs with different authentication
modes, which both end up assigning you a forms ticket (upon correct
login) and redirecting you into the main app

however i understand you cannot have mixed authentication types for one
application.

instead i'm about to have two separate web apps, one windows one forms.
the windows one (on successful login) server.transfers you to the other
application (after setting some information in the context) the other
app then receives this instruction and sets your forms ticket.

this seems like my best solution, but is this really the way i should be
tackling this problem?

db
 
seems ok, other than you can not server transfer between apps, you must use
a redirect.

-- bruce (sqlwork.com)
 
bb wrote:

hmm i was banking on server.transfer working (i did think i had tested it)

the reason i was assuming i would require a server.transfer, is that i
wanted to put some information in the Context. which when received by
the page in the Forms Auth application knows that the call to the page
must have occurred from the server, (not frigged by a user). I understood
i cannot do this from a redirect?

if i use a redirect, will i not need to use some other method of
ensuring the request is absolutely valid? like using a database table to
store some kind of guid for the authenticated user, and testing it in
the forms page? i just was hoping to avoid having to do something like that.

db
 
the article i find is quite naive, however its basic principle of using
a trusted third party (i.e. the database) to store confirmation of a
user's authenticity is the approach i think i will have to take.

i found that i could do a server transfer between applications and i
could even exchange data from the context between pages from different
applications, however the page i had been transferred to seemed to run
under the context of the previous application. therefore setting a forms
ticket in the new page associated it with the previous application, thus
not really working.

the solution started to feel more and more like a hack. therefore i
think i will just use the database to store the fact a user has been
authenticated by app1, pass the user from app1 to app2 and then read out
the authentication ticket from the database to ensure it's not a tampered
request.

db
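
Added example, not part of the thread and not any poster's code: a language-neutral sketch of the database-backed handoff described in the last post, where app1 records a single-use, short-lived token after Windows authentication and app2 redeems it before setting the forms ticket. The table name `handoff`, the function names, the 60-second lifetime and the in-memory SQLite database standing in for the shared database are all assumptions.

```python
import hashlib
import secrets
import sqlite3
import time

TTL_SECONDS = 60  # assumed lifetime: long enough for one redirect, no more

def open_store(path=":memory:"):
    """Shared table both apps can reach (in-memory SQLite stands in for it here)."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS handoff ("
        " token_hash TEXT PRIMARY KEY, username TEXT NOT NULL,"
        " expires_at REAL NOT NULL, used INTEGER NOT NULL DEFAULT 0)"
    )
    return db

def _digest(token):
    # Store only a hash so reading the table does not yield usable tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def issue_token(db, username, now=None):
    """app1: call after Windows authentication succeeded, then redirect with the token."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    db.execute(
        "INSERT INTO handoff (token_hash, username, expires_at) VALUES (?, ?, ?)",
        (_digest(token), username, now + TTL_SECONDS),
    )
    db.commit()
    return token

def redeem_token(db, token, now=None):
    """app2: return the username once, or None if unknown, expired or already used."""
    now = time.time() if now is None else now
    h = _digest(token)
    # One UPDATE claims the row atomically, so a replayed URL finds nothing to claim.
    cur = db.execute(
        "UPDATE handoff SET used = 1 WHERE token_hash = ? AND used = 0 AND expires_at > ?",
        (h, now),
    )
    db.commit()
    if cur.rowcount != 1:
        return None
    row = db.execute("SELECT username FROM handoff WHERE token_hash = ?", (h,)).fetchone()
    return row[0]
```

Only when `redeem_token` returns a username would app2 go on to issue its forms ticket; the redirect itself should travel over HTTPS so the token is not exposed in transit.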
 