Forms Authentication Across Applications
How ASP.NET Security Works | Microsoft Docs
ASP.NET Security Architecture | Microsoft Docs
ASP.NET Security Data Flow | Microsoft Docs
Basic Security Practices for Web Applications | Microsoft Docs
Web Application Security at Run Time | Microsoft Docs
FormsAuthenticationModule Class (System.Web.Security) | Microsoft Docs
ASP.NET Machine Key Generator - developer Fusion (HAY)
asp.net - what is ASPXAUTH cookie? - Stack Overflow (HAY)
Keywords:
Share Forms Authentication Ticket between multiple applications
Sharing Authentication Tickets Across Applications
Share authentication cookies among ASP.NET apps | Microsoft Docs
c# - Multiple .NET Applications Share Authentication - Stack Overflow
Forms Authentication Across Applications | Microsoft Docs
Any Forms Auth Changes in 4.5 (microsoft.com)
Other:
Forms Authentication Provider | Microsoft Docs
Forms Authentication Across Applications | Microsoft Docs
Configuring an ASP.NET Application to Use Membership | Microsoft Docs
How to: Implement Simple Forms Authentication | Microsoft Docs
Use ASP.NET forms-based authentication - ASP.NET | Microsoft Docs
ASP.NET supports forms authentication in a distributed environment, either across applications on a single server or in a Web farm. When forms authentication is enabled across multiple ASP.NET applications, users are not required to re-authenticate when switching between the applications.
To configure forms authentication across applications, you set attributes of the forms and machineKey sections of the Web.config file to the same values for all applications that are participating in shared forms authentication.
Note
Applications that run ASP.NET version 2.0 or later can share forms authentication ticket information with earlier versions of ASP.NET if you include decryption="3DES" in the machineKey element for each ASP.NET version 2.0 (or later) application.
- ASP.NET Forms Authentication
- ASP.NET Membership
- MembershipProvider > SqlMembershipProvider
- Forms Authentication Tickets
- Protect Authentication Tickets with SSL
- Do Not Persist Forms Authentication Cookies
- Use Distinct Cookie Names and Paths
- Keep Authentication and Personalization Cookies Separate
- Use Absolute URLs for Navigation
- ASPXAUTH
- ASPXFORMSAUTH
- Determining Whether a Browser Accepts Cookies
Solution to share authentication between multiple applications:
- machineKey
- domain="ketoanhanoi.com.vn"
- enableCrossAppRedirects="true"
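A way to check that participating applications really carry the same forms and machineKey values, as an added example (not code from the linked Microsoft or Stack Overflow pages). The sample Web.config text, the example.test domain, the placeholder keys and the function names are constructed for illustration, and the list of attributes that must match is this example's assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config files. Key values are placeholders, not real
# keys, and example.test stands in for the shared cookie domain.
APP_A = """<configuration><system.web>
  <authentication mode="Forms">
    <forms name=".ASPXFORMSAUTH" path="/" protection="All"
           domain="example.test" enableCrossAppRedirects="true" />
  </authentication>
  <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
              decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
              validation="SHA1" decryption="AES" />
</system.web></configuration>"""

# Second app with two deliberate deviations: cookie name and auto-generated key.
APP_B = APP_A.replace('name=".ASPXFORMSAUTH"', 'name=".APPB"').replace(
    'validationKey="PLACEHOLDER_VALIDATION_KEY"',
    'validationKey="AutoGenerate,IsolateApps"')

SHARED = {  # assumption: attributes this example requires to match
    "system.web/authentication/forms": ("name", "path", "protection", "domain"),
    "system.web/machineKey": ("validationKey", "decryptionKey", "validation", "decryption"),
}

def shared_settings(web_config_xml):
    """Return {"element@attr": value-or-None} for every shared attribute."""
    root = ET.fromstring(web_config_xml)
    out = {}
    for path, attrs in SHARED.items():
        elem = root.find(path)
        tag = path.rsplit("/", 1)[-1]
        for attr in attrs:
            out[f"{tag}@{attr}"] = None if elem is None else elem.get(attr)
    return out

def compare_apps(configs):
    """configs maps app name -> Web.config text; returns a list of findings."""
    parsed = {app: shared_settings(xml) for app, xml in configs.items()}
    findings = []
    for setting in next(iter(parsed.values())):
        values = {app: s[setting] for app, s in parsed.items()}
        if len(set(values.values())) > 1:
            findings.append(f"MISMATCH {setting}: {values}")
        if setting in ("machineKey@validationKey", "machineKey@decryptionKey"):
            findings += [f"AUTOGENERATED {setting} in {app}"
                         for app, v in values.items() if not v or "AutoGenerate" in v]
    return findings
```

An auto-generated key is reported even when every application uses it, because each application then derives its own key and cannot read tickets issued by the others.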
Machine Key
How To: Configure MachineKey in ASP.NET 2.0 | Microsoft Docs
Setting up a machine key - Orchard Documentation (orchardcore.net)
SqlMembershipProvider Class (System.Web.Security) | Microsoft Docs
How to: Implement Simple Forms Authentication | Microsoft Docs
How To: Use Forms Authentication with SQL Server in ASP.NET 2.0 | Microsoft Docs
How To: Protect From Injection Attacks in ASP.NET | Microsoft Docs
Security Considerations
Failing to protect authentication tickets is a common vulnerability that can lead to unauthorized spoofing and impersonation, session hijacking, and elevation of privilege. When you use forms authentication, consider the following recommendations to help ensure a secure authentication approach:
- Restrict the authentication cookie to HTTPS connections. To prevent forms authentication cookies from being captured and tampered with while crossing the network, ensure that you use Secure Sockets Layer (SSL) with all pages that require authenticated access and restrict forms authentication tickets to SSL channels.
- Partition the site for SSL. This allows you to avoid using SSL for the entire site.
- Do not persist forms authentication cookies. Do not persist authentication cookies because they are stored in the user's profile on the client computer and can be stolen if an attacker gets physical access to the user's computer.
- Consider reducing ticket lifetime. Consider reducing the cookie lifetime to reduce the time window in which an attacker can use a captured cookie to gain access to your application with a spoofed identity.
- Consider using a fixed expiration. In scenarios where you cannot use SSL, consider setting slidingExpiration="false".
- Enforce strong user management policies. Use and enforce strong passwords for all user accounts to ensure that people cannot guess one another's passwords and to mitigate the risk posed by dictionary attacks.
- Enforce password complexity rules. Validate passwords entered through the CreateUserWizard control, by setting its PasswordRegularExpression property to an appropriate regular expression. Also configure the membership provider on the server to use the same regular expression.
- Perform effective data validation on all requests. Perform strict data validation to minimize the possibilities of SQL injection and cross-site scripting.
- Use distinct cookie names and paths. By ensuring unique cookie names and paths, you prevent possible problems that can occur when hosting multiple applications on the same server.
- Keep authentication and personalization cookies separate. Keep personalization cookies that contain user-specific preferences and non-sensitive data separate from authentication cookies.
- Use absolute URLs for navigation. This is to avoid potential issues caused by redirecting from HTTP to HTTPS pages.
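The recommendations above that live in the forms element (SSL-only cookie, fixed expiration when SSL is unavailable, short ticket lifetime, full ticket protection) can be checked mechanically. The following is an added example, not code from the referenced documentation; the sample configurations, the function name and the 30-minute threshold are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# ASP.NET defaults that apply when an attribute is omitted from <forms>.
DEFAULTS = {"requireSSL": "false", "slidingExpiration": "true",
            "timeout": "30", "protection": "All"}
MAX_TIMEOUT_MINUTES = 30  # assumption: policy threshold chosen for this example

# Constructed samples: WEAK relies on defaults and a year-long ticket,
# HARDENED follows the recommendations listed above.
WEAK = """<configuration><system.web><authentication mode="Forms">
  <forms name=".ASPXAUTH" protection="Validation" timeout="525600" />
</authentication></system.web></configuration>"""
HARDENED = """<configuration><system.web><authentication mode="Forms">
  <forms name=".APP1AUTH" path="/app1" protection="All" requireSSL="true"
         slidingExpiration="false" timeout="20" />
</authentication></system.web></configuration>"""

def audit_forms(web_config_xml, max_timeout=MAX_TIMEOUT_MINUTES):
    """Return findings for the <forms> element of one Web.config."""
    forms = ET.fromstring(web_config_xml).find("system.web/authentication/forms")
    if forms is None:
        return ["no <forms> element found"]
    # Fill in the framework default for every attribute the file leaves out.
    cfg = {attr: forms.get(attr, default) for attr, default in DEFAULTS.items()}
    findings = []
    if cfg["requireSSL"].lower() != "true":
        findings.append("requireSSL is not true: the ticket cookie can travel over HTTP")
        if cfg["slidingExpiration"].lower() != "false":
            findings.append("slidingExpiration is on without SSL: "
                            "a captured ticket keeps renewing while it is used")
    if cfg["protection"] != "All":
        findings.append(f"protection={cfg['protection']!r}: ticket is not both "
                        "encrypted and validated")
    if int(cfg["timeout"]) > max_timeout:
        findings.append(f"timeout={cfg['timeout']} min exceeds {max_timeout} min")
    return findings
```

Cookie persistence is chosen in code when the ticket is issued, so it does not appear in Web.config and is outside what this check can see.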
AspNetMembership Samples
ASP.NET Membership and Role Provider - CodeProject (HAY)
Setting up a machine key - Orchard Documentation (orchardcore.net)
HTTP Error 401.0 - Unauthorized | The ASP.NET Forums
Application Root Directory Configuration File (Web.config) | Microsoft Docs
AddUser Directory Configuration File (Web.config) | Microsoft Docs
AspNetSqlMembershipProvider
icacls C:\inetpub\wwwroot\mysite\ /grant "IIS APPPOOL\DEFAULTAPPPOOL":(CI)(OI)(M)
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Aspnet_regsql.exe
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\Aspnet_regsql.exe
%SystemDrive%\inetpub\logs\FailedReqLogFiles\
%SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319\CONFIG\machine.config
%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\CONFIG\machine.config
%WINDIR%\System32\InetSrv\Config\applicationHost.config
Security Basics and ASP.NET Support (C#)
Security Basics and ASP.NET Support (C#) | Microsoft Docs
Google Search Code
C# Corner - Community of Software and Data Developers (c-sharpcorner.com)
Dot Net Tricks : Unlimited Live Training, Prepare for Interviews, and Get Hired
Microservices Online + Azure Online Training
Microsoft Azure Certification Training | Azure Online Training (dotnettricks.com)
Best Microservices Online Training | Microservices Certification (dotnettricks.com)
Custom Authentication and Authorization in ASP.NET MVC
Custom Authentication With ASP.NET MVC (c-sharpcorner.com)
Custom Authentication and Authorization in ASP.NET MVC (dotnettricks.com)
Using Forms Authentication in ASP.NET MVC Applications (codeguru.com)
ASP.NET MVC 5: Building Your First Web Application - Part 1 - CodeProject
Authentication and Authorization in MVC - Dot Net Tutorials
FormsAuthentication in ASP.NET MVC - Dot Net Tutorials
Role-Based Authentication in MVC - Dot Net Tutorials
Role Based Menus in MVC Application - Dot Net Tutorials
Forms Authentication In MVC (c-sharpcorner.com)
https://asp.net-hacker.rocks/2019/02/26/cutom-auth-cookie.html (HAY HAY HAY)
https://stackoverflow.com/questions/9899473/custom-formsauthenticationticket-validation
https://docs.microsoft.com/en-us/aspnet/web-forms/overview/older-versions-security/introduction/forms-authentication-configuration-and-advanced-topics-cs
https://www.aspsnippets.com/Articles/Forms-Authentication-using-FormsAuthentication-Ticket-Cookie-example-in-ASPNet-MVC.aspx
https://www.itprotoday.com/web-application-management/add-custom-info-authentication-cookies
https://kevww.wordpress.com/2011/11/18/implement-formsauthentication-with-custom-identity-in-asp-net-mvc/
http://shawnmclean.com/storing-strongly-typed-object-user-profile-data-in-asp-net-forms-authentication-cookie/
https://includestdio.com/5700.html (HAY HAY HAY HAY HAY HAY HAY HAY HAY HAY)
http://www.primaryobjects.com/2012/12/07/mvc-forms-authentication-and-storing-data-in-the-cookie/
http://pl-developer.blogspot.com/2012/10/aspnet-custom-formsauthentication.html
https://www.c-sharpcorner.com/article/facebook-authentication-for-Asp-Net-mvc-web-application/
https://www.c-sharpcorner.com/UploadFile/1b9079/using-facebook-authentication-in-Asp-Net-mvc/
Cookie-Based Authentication Scenarios
https://www.c-sharpcorner.com/article/cookie-authentication-in-net-core-3-0/
https://www.aspsnippets.com/Articles/Cookie-based-Authentication-Login-example-in-ASPNet-MVC.aspx