One of our clients is having an issue with using SSO to log into our website from their web application. In their ASP.NET web app, a user clicks a button to and their application executes code to first call our web service to retrieve an encrypted URL. The encrypted URL is then passed to Response.Redirect(url) to redirect the user from their page to the dashboard page of our site using the token URL that was returned from web services. The problem they are encountering is that Response.Redirect is dropping the session cookies that we send to their browser. The session cookies contain a session id and other information we use to identify an authorized session on our web site. After they attempt to use the token URL to log into our site, they are redirected to our login page. The same behavior happens when they use JavaScript instead to redirect the user to our dashbaord. Additionally, the client has confirmed that they are able to copy and paste the token URL into a separate browser window (before Response.Redirect is called) and log into our system without issues. It is only through the redirect that we are dropping their session. What are they doing wrong and is there a better alternative than using Response.Redirect?
<head runat="server"> <title></title> </head> <body> <form id="form1" runat="server" name="form1"> <div> <asp:Button ID="btn" runat="server" Text="Link to Vendor's User Interface" OnClick="btn_Click" /> </div> </form> </body> </html>
protected void btn_Click(object sender, EventArgs e) { var test2 = this.GetTokenURLFromVendor("jdoe"); Response.Redirect(tokenURL); } public string GetTokenURLFromVendor(string UserLogOn) { var returnURL = string.Empty; //Call Vendor to export details about the user we want to log into their UI. UserService.GetUserDetailResponse userResponse = null; UserService.UserClient client1 = new UserService.UserClient(); client1.ClientCredentials.UserName.UserName = ConfigurationManager.AppSettings["ClientUserName"]; client1.ClientCredentials.UserName.Password = ConfigurationManager.AppSettings["ClientPassword"]; UserService.GetUserDetailRequest clientRequest1 = new UserService.GetUserDetailRequest(); UserService.GetUserDetailResponse clientResponse1 = new UserService.GetUserDetailResponse(); clientRequest1.CompanyID = new Guid(ConfigurationManager.AppSettings["CompanyGUID"]); clientRequest1.Logon = ConfigurationManager.AppSettings["AdminLogon"]; clientRequest1.LogonName = UserLogOn; userResponse = client1.GetUserDetail(clientRequest1); //Call Vendor's web service for a encrypted URL to log the user into their UI. SecurityClient client = new SecurityClient("ClearUsernameBinding_ISecurity"); client.ClientCredentials.UserName.UserName = ConfigurationManager.AppSettings["ClientUserName"]; client.ClientCredentials.UserName.Password = ConfigurationManager.AppSettings["ClientPassword"]; GetQuickLinkRequest clientRequest = new GetQuickLinkRequest(); ResponseGetQuickLink clientResponse = new ResponseGetQuickLink(); QuickLinkInfo clientQuicklink = new QuickLinkInfo(); clientQuicklink.UserLogon = userResponse.User.Logon; clientQuicklink.FirstName = userResponse.User.FirstName; clientQuicklink.LastName = userResponse.User.LastName; clientQuicklink.Role = userResponse.User.AssignedRoles.FirstOrDefault(); clientQuicklink.GroupName = userResponse.User.GroupName; clientQuicklink.LogonExpires = userResponse.User.EndDate; clientQuicklink.AfterRecordAccessAction = "Logout"; clientRequest.QuickLinkInfo = clientQuicklink; clientRequest.CompanyID = new Guid(ConfigurationManager.AppSettings["CompanyGUID"]); clientRequest.Logon = ConfigurationManager.AppSettings["AdminLogon"]; clientResponse = client.GetQuickLink(clientRequest); if (clientResponse.Status == WebApplication5.SecurityService.ResponseStatusType.Success) { returnURL = clientResponse.Url; } return returnURL; }
var
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
Submit an article or tip