Sharing back-office authenticated user session in a sub-domain (MVC 3 application) - Umbraco 4.0.1
Hi all,
The scenario I have is quite simple to understand, but implementing the desired functionality is proving to be a nightmare.
We have the main installation of Umbraco CMS (version 4.0.1) at our first domain (e.g. one.domain.com), where back office users can log in and administrate at the one.domain.com/umbraco/ directory without any issues. Our client now wants the back office to be extended by loading an MVC 3 application (hosted at two.domain.com) within an iframe when they click on a node from the navigation tree. The node has been added and the MVC application loads within the iframe as we want; however, there are currently no restrictions in place to prevent users who aren't authenticated from accessing this page.
How can I share the back-office authentication across these two sub-domains? I've implemented the UsersMembershipProvider, set the same machine key across applications and copied the Umbraco config files across to the MVC project without any luck. I've never been great with Memberships anyway and was hoping somebody else could shed some light.
Regards,
Mike
Mike
Did you ever fix this? I'm looking for the same solution also.
Cheers, Paul
Hi Paul,
Unfortunately I struggled to get a decent implementation in place. I ended up manually creating a shared user context stored in a cookie by adding the login name and a hashed version of the login name (using a hash only known between the two domains - as the sites were internal to the company security wasn't the highest priority). The cookie's domain is then set to the broader domain.com rather than to any specific sub-domain to make it accessible site-wide.
The secondary domain then retrieves the shared cookie from the request object and attempts to authorise the user by comparing the login name and the hashed login name using the same algorithm. This is done by creating a custom AuthorizeAttribute and overriding the AuthorizeCore() method to add your own authorisation (in my case the hash comparison). You can then use the OnAuthorization method to perform any additional re-directs etc.
Create the shared cookie using a custom-built hashing algorithm known between both domains in one.domain.com
Implement a custom AuthorizeAttribute in two.domain.com
I know this is by no means the most elegant or secure solution, but it seems to work for my intended purpose. I hope this sparks some ideas or possibly works for your own scenario.
Thanks,
Mike
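The approach described in the reply above (login name plus a keyed hash in a cookie scoped to domain.com, checked in AuthorizeCore() on two.domain.com), written out as an added example that is not code from the thread. It substitutes HMAC-SHA256 for the custom hash and goes beyond the post by signing an expiry time together with the login name, so a copied cookie stops validating after that time; the cookie name, ticket layout and key loading are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Mvc;

public static class SharedTicket // added example: names, ticket layout and key handling are assumptions
{
    public const string CookieName = "BackOfficeShared"; // hypothetical cookie name
    public static byte[] Key; // assumption: the same random 32-byte secret, loaded on both sites at startup
    // Ticket = base64(login) | expiry in UTC ticks | base64(HMAC-SHA256 over the first two fields)
    public static string Issue(string login, DateTime expiresUtc)
    {
        string payload = Convert.ToBase64String(Encoding.UTF8.GetBytes(login)) + "|" + expiresUtc.Ticks;
        return payload + "|" + Convert.ToBase64String(Mac(payload));
    }

    // one.domain.com: scope the cookie to the parent domain. Secure assumes both sites are served over HTTPS.
    public static HttpCookie ToCookie(string ticket)
    {
        return new HttpCookie(CookieName, ticket) { Domain = "domain.com", HttpOnly = true, Secure = true };
    }

    public static string Validate(string ticket, DateTime nowUtc) // returns the login, or null if rejected
    {
        string[] parts = (ticket ?? "").Split('|');
        long ticks;
        if (parts.Length != 3 || !long.TryParse(parts[1], out ticks)) return null;
        string expected = Convert.ToBase64String(Mac(parts[0] + "|" + parts[1]));
        // Compare without an early exit so timing does not reveal how many characters matched.
        int diff = expected.Length ^ parts[2].Length;
        for (int i = 0; i < expected.Length && i < parts[2].Length; i++) diff |= expected[i] ^ parts[2][i];
        if (diff != 0 || ticks < nowUtc.Ticks) return null; // forged, altered or expired
        return Encoding.UTF8.GetString(Convert.FromBase64String(parts[0]));
    }
    private static byte[] Mac(string payload)
    {
        using (var hmac = new HMACSHA256(Key)) return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }
}

// two.domain.com: decorate controllers or actions with [SharedCookieAuthorize].
public class SharedCookieAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        HttpCookie cookie = httpContext.Request.Cookies[SharedTicket.CookieName];
        return cookie != null && SharedTicket.Validate(cookie.Value, DateTime.UtcNow) != null;
    }
}
```

Because the cookie is scoped to domain.com, every host under that domain receives it, so the signing key and the expiry window are the only things limiting reuse of a captured value.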