How can I know from a web application whether another web application is authenticated or not without using redirects?

Question

I have two asp.net web applications AppClient and AppServer. How can I know from AppClient whether AppServer is Authenticated or not?

I do not want to redirect to the server then redirect to the client. I hope if I can do that in background.

---

What I've tried so far :

In the server (AppServer): I created a page called IsAuthenticated.aspx in the AppServer and made it write in the Response whether AppServer is authenticated or not.

Response.Write(User.Identity.IsAuthenticated);

And in the client, I wrote the following code:

string url = "http://appServer/isauthenticated.aspx";
System.Net.HttpWebResponse response;
System.Net.HttpWebRequest request;

request = (HttpWebRequest)WebRequest.Create(url);
request.Method = "GET";
request.ContentType = "text/html";
request.Proxy.Credentials = CredentialCache.DefaultCredentials;
request.Credentials = CredentialCache.DefaultCredentials;
request.ServicePoint.ConnectionLimit = 25;
response = (HttpWebResponse)request.GetResponse();
StreamReader sr = new StreamReader(response.GetResponseStream());
string result = sr.ReadToEnd();

This code above works well but it does not do the expected result. The response returns always false even the AppServer is Authenticated.

Actually I understand what is happenning and seems my implementation is not true. Do you have any other suggestion?

Answer 1

You mean that you have two websites (say, www.client.com and www.server.com ) and your user is authenticated on www.server.com , and you want to check if he's authenticated there when he comes to www.client.com . Did I understand you correctly?

In this case your code obviously won't work (unless you use Windows authentication and impersonation).

Please, elaborate what you want to do. I see two cases, and the solution differs for each of them.

1) You don't want to check username and password on your www.client.com site, and you want to rely on www.server.com 's account database. This is similar to OpenID, Google SSO etc. In this case you need to implement a remote authentication function on www.server.com . Here's a draft:

[ServiceContract]
public interface IRemoteAuth
{
    [OperationContract]
    public bool CredentialsValid(string login, string hashedPassword)
    {
        return MyDatabaseHelper.IsPasswordValid(login, hashedPassword);
    }
}

Typically, these server methods are implemented as ASMX web services or WCF services (the second one seems the preferred way ).

2) You want www.client.com to know if the user is online and authenticated RIGHT NOW on www.server.com . In this case, you need to keep track of the currently online users on www.server.com (ASP.NET doesn't provide this information automatically IMO). Then you should design a service (again, ASMX or WCF) that answers a question 'is the user called XXX currently online or not?'.

[ServiceContract]
public interface IOnlineUsersInfo
{
    [OperationContract]
    public bool IsUserOnline(string login)
    {
        return MyOnlineUserList.Instance.Any(user => user.Login == login);
    }
}

Answer 2

Is the AppClient setup to use impersonation? If not the AppClient will always send the credentials of the user the application is running under which usually will be the network service account.