
  • Adriano Fabri 379 posts 1276 karma points
    19 days ago
    Adriano Fabri
    0

    Umbraco 8 - How to create a login form that validates members in a second website?

    Hi, I have two different Umbraco 8 installations.

    In site1 I have a login form but the validation process must be done in site2.

    If the member is authenticated, the process will redirect the member to the site2 homepage.

    I don't know if it is the correct way, but for now in site1 I tried to write the form like this:

    <form action="http://site2.domain.com/login" class="form-pagelogin" domain=".domain.com" enctype="multipart/form-data" id="login" method="post">
         @Html.AntiForgeryToken()
         <div class="mb-3">
                @Html.TextBoxFor(m => m.Username, new { placeholder = "UserName", @class = "form-control" })
         </div>
         <div class="mb-3">
                @Html.PasswordFor(m => m.Password, new { placeholder = "Password", @class = "form-control" })
         </div>
         <div class="d-grid gap-2 col-6 mx-auto">
             <button name="login" type="submit" class="btn btn-primary">Login</button>
         </div>
    </form>
    

    In site2 login page I have this code:

            @using (Html.BeginUmbracoForm("SubmitLogin", "Login", System.Web.Mvc.FormMethod.Post, new { id = "login", @class = "form-pagelogin", @domain = ".obg-irccs.rm.it" }))
            {
                @Html.AntiForgeryToken()
    
                <div class="mb-3">
    
                    @Html.TextBoxFor(m => m.Username, new { placeholder = "Nome utente", @class = "form-control" })
                </div>
                <div class="mb-3">
    
                    @Html.PasswordFor(m => m.Password, new { placeholder = "Password", @class = "form-control" })
                </div>
    
                @Html.ValidationSummary()
                <div class="d-grid gap-2 col-6 mx-auto">
                    <button name="login" type="submit" class="btn btn-primary">Accedi</button>
                </div>
            }
    

    Both sites have the same machinekey in the web.config but this doesn't work.

    <machineKey decryptionKey="xxxxxxxxxxxxxxxx" validation="HMACSHA256" validationKey="xxxxxxxxxxxxxxxxx" />
    

    What's wrong?

    Can anyone help me?

    Thank you in advance A.

  • Huw Reddick 298 posts 944 karma points
    19 days ago
    Huw Reddick
    0

    The action on your site 1 form should call your controller method

    Which I think from your code would be /login/submitlogin rather than just /login. And don't even attempt this using HTTP; it should at least be HTTPS, otherwise you are passing credentials in plain text across the net.

  • Adriano Fabri 379 posts 1276 karma points
    18 days ago
    Adriano Fabri
    0

    Thank you for the answer. The controller on site2 is a surface controller...so, if I understand what you mean, the action of the form on site1 should be:

    http://www.site2.com/umbraco/surface/customlogin/submitlogin

    I'll try in the next days. Thanks, A.

  • Adriano Fabri 379 posts 1276 karma points
    17 days ago
    Adriano Fabri
    0

    Ok I tried, but I received this error on site2:

    Server Error in '/' Application.
    The required anti-forgery cookie "__RequestVerificationToken" is not present.
    Description: An unhandled exception occurred during the execution of 
    the current web request. Please review the stack trace for more 
    information about the error and where it originated in the code.
    
    Exception Details: System.Web.Mvc.HttpAntiForgeryException: The 
    required anti-forgery cookie "__RequestVerificationToken" is not present.
    
    Source Error:
    
    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
    

    Very strange because I put the code @Html.AntiForgeryToken() under the form tag.

    A.

  • Huw Reddick 298 posts 944 karma points
    17 days ago
    Huw Reddick
    0

    It says cookie which obviously can't be valid on another domain so you will probably need to not use one if they are cookies, they are used to prevent exactly what you are attempting :)

  • Huw Reddick 298 posts 944 karma points
    17 days ago
    Huw Reddick
    0

    To help prevent CSRF attacks, ASP.NET MVC uses anti-forgery tokens, also called request verification tokens. ... When the client submits the form, it must send both tokens back to the server. The client sends the cookie token as a cookie, and it sends the form token inside the form data

  • Adriano Fabri 379 posts 1276 karma points
    15 days ago
    Adriano Fabri
    0

    That's ok...it's right, but how can I solve it? :-o

    Must I change the form on site1, or must I change something (but I don't understand what) on site2, where my authentication process is?

    Sorry Huw...I understand these are questions that may be obvious (and I feel like a rookie right now!!!), but I don't understand the correct way to solve the problem :-s

  • Huw Reddick 298 posts 944 karma points
    15 days ago
    Huw Reddick
    100

    possibly both :)

    1. remove this @Html.AntiForgeryToken() from the form in site 1
    2. If you have this [ValidateAntiForgeryToken()] on your controller action in site 2 then you need to remove that as well.

    You should then be able to post from site 1 to site 2. I would however suggest adding some sort of check in your site 2 controller to ensure that the request came from site 1, otherwise anyone would be able to create a form and post to your controller method.
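
One way to implement the source check suggested in the answer above, as an added example that is not part of the original post or of Umbraco's own code: an ASP.NET MVC action filter for the site2 login action. The attribute name `AllowedSourceOriginAttribute` and the origin `https://site1.domain.com` are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Web.Mvc;

// Added example (hypothetical name). Usage on site2:
//   [HttpPost, AllowedSourceOrigin] on the SubmitLogin action.
// It blocks forms hosted on other sites from posting through a visitor's
// browser. The headers are set by the client, so a non-browser client can
// forge them: this is a cross-site request check, not authentication of site1.
public sealed class AllowedSourceOriginAttribute : ActionFilterAttribute
{
    private static readonly HashSet<string> Allowed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "https://site1.domain.com" // assumption: site1's public HTTPS origin
        };

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var headers = filterContext.HttpContext.Request.Headers;

        // Browsers send Origin on cross-site POSTs; fall back to Referer.
        string source = headers["Origin"];
        if (string.IsNullOrEmpty(source))
        {
            source = headers["Referer"];
        }

        // Parse, then compare the exact scheme://host[:port]. A StartsWith or
        // Contains test would also accept https://site1.domain.com.example.net.
        // A missing header or the literal "null" origin fails the parse.
        Uri parsed;
        bool ok = !string.IsNullOrEmpty(source)
            && Uri.TryCreate(source, UriKind.Absolute, out parsed)
            && Allowed.Contains(parsed.GetLeftPart(UriPartial.Authority));

        if (!ok)
        {
            // Refuse before the credentials are evaluated.
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        }
    }
}
```

Because the allow-list holds only an `https://` origin, a login form served or posted over plain HTTP is rejected as well.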

  • Adriano Fabri 379 posts 1276 karma points
    15 days ago
    Adriano Fabri
    0

    Thank you very much...I'll try ;-)

  • Adriano Fabri 379 posts 1276 karma points
    1 week ago
    Adriano Fabri
    0

    Hi Huw, this is a never ending story!!!

    I tried to change code following your indications, but now I receive the attached error.

    UmbracoPageResultError

    In detail, after a correct login I would redirect the user to the homepage of site2.

    So...in surface controller I tried the following code (included the commented code), but I always receive the above error:

    //return Redirect(homeNode.Url);
    //return Redirect("http://intranet.xxx.xxx/");
    //return View("~/Views/HomeIntranet.cshtml", model);
    //return RedirectToAction("Home");
    //return RedirectToUmbracoPage(homeNode.Id);
    
    //RedirectToUmbracoPageResult RTUPRresult = new RedirectToUmbracoPageResult(homeNode.Id);
    // return RTUPRresult;
    
     UmbracoPageResult UPRresut = new UmbracoPageResult(ProfilingLogger);
     return UPRresut;
    

    Any suggestions?

  • Huw Reddick 298 posts 944 karma points
    1 week ago
    Huw Reddick
    1

    Your best bet is probably to use an AJAX form in site 1 and return JSON from the site 2 action which contains the URL, and then in the onsuccess of the AJAX form you can use the returned JSON to redirect to the page you need.

  • Adriano Fabri 379 posts 1276 karma points
    1 week ago
    Adriano Fabri
    0

    Nope...I found the problem

    As you correctly suggested, I put the check on the source request to prevent attacks, but I wrote it wrong.

    Now it works.

    Thank you very much for your help ;-)

  • Huw Reddick 298 posts 944 karma points
    1 week ago
    Huw Reddick
    0

    no problem, glad it worked out.
