EnableCrossAppRedirects – Where is the cross-domain feature documented?

Here an interesting feature of ASP.NET FormsAuthentication explained in this SO answer: How do you pass an authenticated session between app domains

Quick summary; you can create two ASP.NET websites with the same encryption keys. WebsiteA can create a formsauth token, and redirect to WebsiteB with the token in the querystring (or POST body). Switch on EnableCrossAppRedirects in WebsiteB and ASP.NET detects the token and creates the formsauth cookie. In code:

FormsAuthentication.RedirectFromLoginPage("alice", true);
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket("Alice", true, 30);
string encrypted = FormsAuthentication.Encrypt(ticket);
Response.Redirect("http://siteb.dev/Secure/WebForm1.aspx?" + FormsAuthentication.FormsCookieName + "=" + encrypted);

Sounds like a great feature, but where is it documented? I’d feel a bit uneasy using a undocumented feature.

Where I’ve looked – no mention of this feature in any of the MSDN reference. I thought maybe RedirectFromLoginPage would build a redirect like my code above, it doesn’t.

Answers:

Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

Having looked at reflector there is a (somewhat undocumented) feature of forms Authentication. When EnableCrossAppRedirects is enabled .NET will, in addition to looking for the auth cookie, attempt to extract the forms authentication “cookie” from either the form post or the query string. This code is embedded in the FormsAuthentication class in the ExtractTicketFromCookie method, where it can clearly been seen trying to find the authentication cookie in the request data.

if (FormsAuthentication.EnableCrossAppRedirects)
{
    text = context.Request.QueryString[name];
    if (text != null && text.Length > 1)
    {
        if (!cookielessTicket && FormsAuthentication.CookieMode == HttpCookieMode.AutoDetect)
        {
            cookielessTicket = CookielessHelperClass.UseCookieless(context, true, FormsAuthentication.CookieMode);
        }
        try
        {
            formsAuthenticationTicket = FormsAuthentication.Decrypt(text);
        }
        catch
        {
            flag2 = true;
        }
        if (formsAuthenticationTicket == null)
        {
            flag2 = true;
        }
    }
    if (formsAuthenticationTicket == null || formsAuthenticationTicket.Expired)
    {
        text = context.Request.Form[name];
        if (text != null && text.Length > 1)
        {
            if (!cookielessTicket && FormsAuthentication.CookieMode == HttpCookieMode.AutoDetect)
            {
                cookielessTicket = CookielessHelperClass.UseCookieless(context, true, FormsAuthentication.CookieMode);
            }
            try
            {
                formsAuthenticationTicket = FormsAuthentication.Decrypt(text);
            }
            catch
            {
                flag2 = true;
            }
            if (formsAuthenticationTicket == null)
            {
                flag2 = true;
            }
        }
    }
}

Therefore if you enable EnableCrossAppRedirects on both applications, then the first application is authorised to redirect to the external site, and the second application will automatically read in the authentication cookie from the request. You just need to engineer it so that the return login URL either posts the cookie data or sends it in the querystring. You also need to be sure that either the machine keys are synchronised, or that the cookie is encrypted using the external apps machine key (by the first app). It seems by default .NET will send the encrypted authentication cookie in the querystring for you and asume your machine keys are in sync (see MSDN quote below).

Here’s some more info on MSDN .

If the CookiesSupported property is true, and either the ReturnUrl
variable is within the current application or the
EnableCrossAppRedirects property is true, then the
RedirectFromLoginPage method issues an authentication ticket and
places it in the default cookie using the SetAuthCookie method.

If CookiesSupported is false and the redirect path is to a URL in the
current application, the ticket is issued as part of the redirect URL.
If CookiesSupported is false, EnableCrossAppRedirects is true, and the
redirect URL does not refer to a page within the current application,
the RedirectFromLoginPage method issues an authentication ticket and
places it in the QueryString property
.

There is a big warning about the impact on security. EnableCrossAppRedirects is a security setting which prevents ASP.NET login controls from redirecting to an external return URL (another web application). With this setting enabled it can be exploited in some forms of attack – a user is sent to the official login page, but on login is redirected to a different application which they may believe is the same. This is why it’s disabled by default.

One way to help mitigate this when enabling the feature is as follows:

To improve security when using cross-application redirects, you should
override the RedirectFromLoginPage method to allow redirects only to
approved Web sites.

You also need to ensure the redirect request is served over SSL to protect the “cookie” in transit, as anyone intercepting would be able to gain control of the account.


All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Subscribe
Notify of
guest

0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x