Multiple login locations for an online app

Question

I am working on a browser based application that will have many users. The catch is that every user should have their own customized login page, but the actual application is the same for everyone, and needs to be in a central location.

The login page is static. That is, if we have a user that requires a separate login, we will make a separate landing page for them, lets say at user1.application.com, that will have a blue background. User two will be handed a url to user2.application.com, which will have a green background. The application does not have to dynamically change the look of the login page, that will be static and managed on a higher level.

What is the most secure way of doing this?

Would it make more sense to have a copy of the application for each user, and keep the database centralized?

The projected number of users is not very high, probably around 20-80.

Thank you,

Answer 1

I can give you instructions on how to do this using Microsoft IIS and ASP.NET. Other servers and programming languages still apply, but the specifics will be a little different.

You'll need to have access to your DNS settings. Create a DNS entry for *.applicaiton.com. We do this as a CNAME record that points to our www domain record that is registered as the A record that is associated with the IP Address.

Option 1: In IIS 6, create a web site and modify the Host Headers (web site Properties, Web Site tab, "Advanced..." button in the "Web site identification" section). Add an empty host header. This will cause that web site of IIS to answer all requests for all domains associated with the IP Address it is listening on.

Then create a default page and in the code behind, you'll have logic that looks at the Request.UserHostName of each request. It should return "user1.application.com" or "user2.application.com" or perhaps "www.application.com". You'll then have to parse that string and do all the dirty work to load the appropriate page.

Hmm, well, that's how you would do it dynamically, with one web site. Re-reading your question, you talk about "static" login pages. For that you have two options. You can create the static login pages and have your dynamic page read those files and send them down as the response, or option two would be...

Option 2: In IIS, create a new web site for every user. Modify the host headers as described above such that each web site only have one host header that is equal to the user's login. Do not have a web site with an empty host header. You'll have to create a web site and add the host header for every new user, manually.

Neither option may sound very elegant, but Option 1 does work rather well. We are using it in a similar fashion to host multiple "skins" of our application.