Forms Authentication Across Applications
Share Forms Authentication Ticket between multiple applications
Sharing Authentication Tickets Across Applications
ASP.NET supports forms authentication in a distributed environment, either across applications on a single server or in a Web farm. When forms authentication is enabled across multiple ASP.NET applications, users are not required to re-authenticate when switching between the applications.
To configure forms authentication across applications, you set attributes of the forms and machineKey sections of the Web.config file to the same values for all applications that are participating in shared forms authentication.
Applications that run ASP.NET version 2.0 or later can share forms authentication ticket information with earlier versions of ASP.NET if you include decryption="3DES" in the machineKey element for each ASP.NET version 2.0 (or later) application.
- ASP.NET Forms Authentication
- ASP.NET Membership
- MembershipProvider > SqlMembershipProvider
- Forms Authentication Tickets
- Protect Authentication Tickets with SSL
- Do Not Persist Forms Authentication Cookies
- Use Distinct Cookie Names and Paths
- Keep Authentication and Personalization Cookies Separate
- Use Absolute URLs for Navigation
- Determining Whether a Browser Accepts Cookies
Solution to share authentication between multiple applications:
- enableCrossAppRedirects="true"
Failing to protect authentication tickets is a common vulnerability that can lead to unauthorized spoofing and impersonation, session hijacking, and elevation of privilege. When you use forms authentication, consider the following recommendations to help ensure a secure authentication approach:
- Restrict the authentication cookie to HTTPS connections. To prevent forms authentication cookies from being captured and tampered with while crossing the network, ensure that you use Secure Sockets Layer (SSL) with all pages that require authenticated access and restrict forms authentication tickets to SSL channels.
- Partition the site for SSL. This allows you to avoid using SSL for the entire site.
- Do not persist forms authentication cookies. Do not persist authentication cookies, because they are stored in the user's profile on the client computer and can be stolen if an attacker gets physical access to the user's computer.
- Consider reducing ticket lifetime. Consider reducing the cookie lifetime to reduce the time window in which an attacker can use a captured cookie to gain access to your application with a spoofed identity.
- Consider using a fixed expiration. In scenarios where you cannot use SSL, consider setting slidingExpiration="false".
- Enforce strong user management policies. Use and enforce strong passwords for all user accounts to ensure that people cannot guess one another's passwords and to mitigate the risk posed by dictionary attacks.
- Enforce password complexity rules. Validate passwords entered through the CreateUserWizard control by setting its PasswordRegularExpression property to an appropriate regular expression. Also configure the membership provider on the server to use the same regular expression.
- Perform effective data validation on all requests. Perform strict data validation to minimize the possibilities of SQL injection and cross-site scripting.
- Use distinct cookie names and paths. By ensuring unique cookie names and paths, you prevent possible problems that can occur when hosting multiple applications on the same server.
- Keep authentication and personalization cookies separate. Keep personalization cookies that contain user-specific preferences and non-sensitive data separate from authentication cookies.
- Use absolute URLs for navigation. This is to avoid potential issues caused by redirecting from HTTP to HTTPS pages.
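Pulling the sharing requirements and the hardening list above into one configuration, here is an added Web.config fragment (my example, not code from these notes or from Microsoft's documentation); it assumes an ASP.NET 2.0 or later application, and the cookie name and machineKey values are placeholders.

```xml
<!-- Added example, not the page's own configuration. One Web.config fragment
     for an ASP.NET 2.0+ application that shares its forms ticket with others.
     Every participating app must use the same forms name, path and protection
     and the same machineKey; the key values and cookie name are placeholders. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- name and path identical in every participating app, but distinct
           from any unrelated site on the same host; protection="All" encrypts
           and signs the ticket; requireSSL keeps the cookie off plain HTTP;
           a short, fixed timeout limits how long a captured ticket is usable;
           UseCookies keeps the ticket out of the URL. -->
      <forms name=".SHAREDAUTH_PLACEHOLDER"
             path="/"
             loginUrl="~/Account/Login"
             protection="All"
             requireSSL="true"
             timeout="20"
             slidingExpiration="false"
             cookieless="UseCookies"
             enableCrossAppRedirects="true" />
    </authentication>
    <!-- Identical in every participating app. Generate random keys once and
         paste the same values into each Web.config; never deploy the
         placeholder text below. If an application on an earlier ASP.NET
         version must also read the ticket, set decryption="3DES" here,
         as the notes above state. -->
    <machineKey validationKey="PLACEHOLDER_128_HEX_CHARS"
                decryptionKey="PLACEHOLDER_64_HEX_CHARS"
                validation="HMACSHA256"
                decryption="AES" />
  </system.web>
</configuration>
```

The "do not persist" item is a code-side choice rather than a config setting: pass createPersistentCookie=false to FormsAuthentication.SetAuthCookie (or RedirectFromLoginPage) so the ticket is issued as a session cookie.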
icacls C:\inetpub\wwwroot\mysite\ /grant "IIS APPPOOL\DEFAULTAPPPOOL":(CI)(OI)(M)
Security Basics and ASP.NET Support (C#)
Google Search Code
Microservices Online + Azure Online Training
Custom Authentication and Authorization in ASP.NET MVC
https://asp.net-hacker.rocks/2019/02/26/cutom-auth-cookie.html (good)
https://includestdio.com/5700.html (very good)
Cookie-Based Authentication Scenarios