stackoom
  简体   繁体   中英

Secure MediaWiki from Public Access Authenticate Windows ASP server on Linux PHP

 原文  2011-05-20 14:57:05       asp.net/ windows/ linux/ apache/ iis-6

Question

We have a web application that runs on a IIS6 ASP.Net server. You must be logged in to use the software. Basically when you login a cookie is generated then when you visit subsequent pages they check for that cookie; if it is not there then you are redirected to login.

We want to implement a MediaWiki server using Linux/PHP (LAMP) to provide a "wiki" formatted help section for our users. However, we want to only allow access from people that are logged in to the software.

So we have software.company.com (Windows/IIS6/ASP.NET server) that you login and navigate to our help which redirects you to kb.company.com (Linux/Apache/PHP server).

My thoughts are to use the same sort of "cookie" checking on the linux server, but I'm not sure how to get the Windows IIS box to pass a token or something to the Linux server saying "hey this user is logged in so generate a cookie for them".

Anyone do anything like this? I may be completely missing the boat in my thinking...

1 answers

solution1
 1 ACCPTED  2011-05-22 13:58:44

The problem here is about how to tell the kb.company.com site that the inbound user is genuinely authenticated and logged into support.company.com .

We have a very similar setup. We have a reseller portal and we have a private knowledgebase wiki site.

To transfer users over to the wiki site we have a special link that requests a page on support.company.com which generates a blob of data and a session key (for example a guid or two) that is persisted to a "session transfer" database table that's accessible to both sites.

We then Response.Redirect() the user to the wikisite with this key, for example: 

http://kb.company.com/DoLogin.aspx?session=E97DDE8D-1C57-4450-ABE4-72E2054A1C82

In the wiki (we modified ScrewTurn wiki slightly) we have Forms Authentication turned on and deny access to anonymous users. The DoLogin.aspx grabs the session value from the query string and then looks for the record stored in the "session transfer" table. If there's a match then we authenticate the user and delete the session transfer record.

The session transfer record is also date and time stamped and is allowed a lifetime of 90 seconds after which a cleanup task will delete the record.

Rather than pass the session key value via the querystring you could pass this via a cookie where the cookie domain is set to company.com : 

HttpCookie cookie = new HttpCookie("session", "<guid>");
cookie.Domain = "company.com";

Further embellishments would be to encrypt the cookie value do some hashing and check for tampering on the other side of the transfer. However the content in our wiki isn't terribly valuable (none of it is editable by the end user), we just wanted to keep out casual passer's by, and this works just fine for us.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question in Xamarin/App how do I Secure Files on ASP.NET Restful Server in folders from other users and general public access public calendars from outlook in asp .net Wordpress Site From Windows Server to Linux Server How to Authenticate to a asp.Net webservice from Flash Media Server Cookies received from Server is Secure But Cookies sent to Server is not secure ASP.NET asp.net - Access public class in Masterpage from child page ASP.Net Web Forms App does not authenticate on server with Windows Authentication - fails impersonate ASP.NET MVC SQL Server not accesable when trying to authenticate or access roles? access a windows share from ASP.NET website - from asp.net to PHP with keeping virtual directories as it is on windows server
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM