混合使用Asp.Net和MVC网站的表单身份验证单一登录
[英]Forms Authentication single sign on for Asp.Net and MVC sites mixed
问题描述
I have an old application written using old school asp.net (v2.0) which I need to integrate with a new site written using MVC3, .Net 4.0. 
我有一个使用老派asp.net(v2.0)编写的旧应用程序,我需要将该应用程序与使用MVC3,.Net 4.0编写的新站点集成。 (the old site can be upgraded to 4.0 if necessary) (如果需要,旧站点可以升级到4.0)
Is this possible? 这可能吗? I've read about using SSO with forms auth across multiple sites, but all posts have been about multiple asp.net, or multiple MVC sites - I haven't seen anything about mixing the two. 我已经读过有关在多个站点上使用带有表单身份验证的SSO的信息,但是所有帖子都涉及多个asp.net或多个MVC站点-我还没有看到有关将两者混合的任何信息。
If both sites are under the same domain, and have the same machine key, should this work? 如果两个站点都在同一个域中,并且具有相同的机器密钥,是否可以使用?
EDIT: An additional part to this question, if SSO can be made to work using forms auth, would it also be possible to allow both of these applications to use the same session state service, and therefore share session state across the applications? 编辑:这个问题的另外一部分,如果可以使用表单身份验证使SSO正常工作,是否还可以允许这两个应用程序使用相同的会话状态服务,从而在应用程序之间共享会话状态? I understand the sessionid is stored in the cookie, so would both applications be able to access the same session info for a single user? 我知道sessionid存储在cookie中,所以两个应用程序都能为一个用户访问相同的会话信息吗?
1 个解决方案
解决方案1
0 2013-04-16 02:02:57
Forms authentication is limited by domain (because cookies are limited to the domain (or subdomain if configured) by default. If within the same domain then yes. 表单身份验证受域限制(因为默认情况下cookie受限于域(或子域,如果已配置)。如果在同一域中,则为是。
Work arounds can be made to share authentication across domains as well though. 不过,也可以进行变通以在域之间共享身份验证。
One work around involves using a web service for remote authentication. 解决方法之一是使用Web服务进行远程身份验证。 Each site involved would use the same service for authentication, and even though authentication is still domain specific, a work around could be created involving passing an identification value to the request in the other domain. 所涉及的每个站点都将使用相同的服务进行身份验证,即使身份验证仍是特定于域的,也可以创建一种变通方法,包括将标识值传递给另一个域中的请求。 That identifier would be used to automatically authenticate the user, based on some common identifier (user id, email, etc). 该标识符将用于基于一些通用标识符(用户ID,电子邮件等)自动认证用户。 Since we're talking http communications, it doesn't necessarily "have" to be .net specific, though it'd be much simpler. 由于我们正在谈论http通讯,因此不一定要“ .net特定”,尽管它要简单得多。
There is also the OAuth open authentication protocol to consider. 还需要考虑OAuth开放式身份验证协议。 OAuth is supported by pretty much all major platforms, so it should be platform agnostic. 几乎所有主要平台都支持OAuth,因此它应该与平台无关。 However, I don't know about the idea of "auto-authentication upon redirects to your other apps, might be a violation of OAuth. If thats the case, a user would need to click a button to confirm of something. 但是,我不知道“重定向到您的其他应用程序时进行自动身份验证,可能违反了OAuth。如果是这种情况,用户将需要单击按钮以确认某些内容。
Good example of the OAuth is right here with Stack Overflow and the entire Stack Exchange family of sites. OAuth的一个很好的例子就是Stack Overflow和整个Stack Exchange系列站点。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.