One of our clients is having an issue with using SSO to log into our website from their web application. In their ASP.NET web app, a user clicks a button to  and their application executes code to first call our web service to retrieve an encrypted URL. The encrypted URL is then passed to Response.Redirect(url) to redirect the user from their page to the dashboard page of our site using the token URL that was returned from web services. The problem they are encountering is that Response.Redirect is dropping the session cookies that we send to their browser. The session cookies contain a session id and other information we use to identify an authorized session on our web site. After they attempt to use the token URL to log into our site, they are redirected to our login page. The same behavior happens when they use JavaScript instead to redirect the user to our dashboard. Additionally, the client has confirmed that they are able to copy and paste the token URL into a separate browser window (before Response.Redirect is called) and log into our system without issues. It is only through the redirect that we are dropping their session.

What are they doing wrong and is there a better alternative than using Response.Redirect? 


ASPX File
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="SsoPage.aspx.cs" Inherits="WebApplication5.SsoPage" %>
<%-- The page directive, DOCTYPE and opening <html> tag were not shown in the post; the CodeBehind and Inherits values are assumed. --%>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
    <form id="form1" runat="server" name="form1">
        <div>
            <!-- Posts back to btn_Click, which fetches the vendor's token URL server-side and then redirects the browser to it -->
            <asp:Button ID="btn" runat="server" Text="Link to Vendor's User Interface" OnClick="btn_Click" />
        </div>
    </form>
</body>
</html>



Code Behind File

using System;
using System.Configuration;
using System.Linq;
using System.Web.UI;
using WebApplication5.SecurityService;   // SecurityClient, GetQuickLinkRequest, QuickLinkInfo, ResponseStatusType

namespace WebApplication5
{
    // Class name is assumed; the post does not show the class declaration.
    public partial class SsoPage : Page
    {
        protected void btn_Click(object sender, EventArgs e)
        {
            // The post assigned the result to "test2" and then redirected to an
            // undeclared "tokenURL"; redirect to the value that was actually returned.
            string tokenURL = this.GetTokenURLFromVendor("jdoe");

            if (string.IsNullOrEmpty(tokenURL))
            {
                // GetTokenURLFromVendor returns "" when the vendor reports failure;
                // Response.Redirect("") would throw, so fail explicitly instead.
                throw new InvalidOperationException("Vendor did not return an SSO URL.");
            }

            // Sends a 302 to the vendor's token URL and ends the response
            // (this overload does so by raising ThreadAbortException; the
            // Redirect(url, false) overload plus CompleteRequest() avoids that).
            Response.Redirect(tokenURL);
        }

        public string GetTokenURLFromVendor(string UserLogOn)
        {
            var returnURL = string.Empty;

            // Call Vendor to export details about the user we want to log into their UI.
            var client1 = new UserService.UserClient();
            client1.ClientCredentials.UserName.UserName = ConfigurationManager.AppSettings["ClientUserName"];
            client1.ClientCredentials.UserName.Password = ConfigurationManager.AppSettings["ClientPassword"];

            var clientRequest1 = new UserService.GetUserDetailRequest();
            clientRequest1.CompanyID = new Guid(ConfigurationManager.AppSettings["CompanyGUID"]);
            clientRequest1.Logon = ConfigurationManager.AppSettings["AdminLogon"];
            clientRequest1.LogonName = UserLogOn;
            UserService.GetUserDetailResponse userResponse = client1.GetUserDetail(clientRequest1);

            // Call Vendor's web service for an encrypted URL to log the user into their UI.
            // A "clear username" binding carries the username/password as a plain-text
            // UsernameToken and does not itself require transport security, so the
            // endpoint address configured for this binding must be an https URL.
            SecurityClient client = new SecurityClient("ClearUsernameBinding_ISecurity");
            client.ClientCredentials.UserName.UserName = ConfigurationManager.AppSettings["ClientUserName"];
            client.ClientCredentials.UserName.Password = ConfigurationManager.AppSettings["ClientPassword"];

            QuickLinkInfo clientQuicklink = new QuickLinkInfo();
            clientQuicklink.UserLogon = userResponse.User.Logon;
            clientQuicklink.FirstName = userResponse.User.FirstName;
            clientQuicklink.LastName = userResponse.User.LastName;
            clientQuicklink.Role = userResponse.User.AssignedRoles.FirstOrDefault();
            clientQuicklink.GroupName = userResponse.User.GroupName;
            clientQuicklink.LogonExpires = userResponse.User.EndDate;
            clientQuicklink.AfterRecordAccessAction = "Logout";

            GetQuickLinkRequest clientRequest = new GetQuickLinkRequest();
            clientRequest.QuickLinkInfo = clientQuicklink;
            clientRequest.CompanyID = new Guid(ConfigurationManager.AppSettings["CompanyGUID"]);
            clientRequest.Logon = ConfigurationManager.AppSettings["AdminLogon"];
            ResponseGetQuickLink clientResponse = client.GetQuickLink(clientRequest);

            if (clientResponse.Status == ResponseStatusType.Success)
            {
                returnURL = clientResponse.Url;
            }

            return returnURL;
        }
    }
}


What I have tried:

Tried using the window.open(url) command to open the SSO URL, but the session is still dropped. Tried using other JavaScript commands as well.
Comments
F-ES Sitecore 19-Aug-20 11:21am
Could you clarify what is setting the cookies and what is trying to read them? Cookies\session is only valid on the domain that set the cookie, you can't redirect to another domain and have that domain access the cookies\session set on the previous domain.
Member 12756784 19-Aug-20 11:53am
Our servers that the client is sending the request to retrieve an SSO URL is setting the cookie and session info. We are sending this back to the browser that is being used to initiate the session. I don't believe the client's web app is attempting to read the cookies, but we expect their redirect request to contain the same cookie information that we sent back to them.
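The symptom described in the question (the token URL works when pasted into a browser window, but not when the client's page navigates to it, whether by Response.Redirect or by window.open) is what a cookie that the browser declines to attach on a cross-site navigation looks like, and F-ES Sitecore's comment raises the related point that a cookie is only ever returned to the site that set it. The Python model below is an added example, not part of the original post and not code from either party's application. It takes a list of Set-Cookie headers as a token-URL response might send them and reports, per cookie, whether a browser would store it and then attach it to the follow-up navigation to the dashboard, once for a navigation started from the client's site and once for a URL pasted into the address bar. The host names, cookie names and header values are constructed, and the site comparison uses a last-two-labels approximation of the registrable domain rather than the public suffix list. The check it stands in for is to open the browser's developer tools, look at the Set-Cookie headers on the token-URL response, and confirm their Domain, Secure and SameSite attributes.

```python
"""Model which cookies a browser stores from a token-URL response and then
attaches to the follow-up navigation to the dashboard.

Constructed example. Rules follow RFC 6265 domain/path matching plus the
SameSite behaviour of current browsers: a missing SameSite is treated as Lax,
Strict is withheld from cross-site navigations, None is accepted only with
Secure. Site comparison approximates eTLD+1 as the last two host labels.
"""
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Parse one Set-Cookie header into name, value and the attributes we model."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "domain": None,
              "path": "/", "secure": False, "httponly": False, "samesite": None}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            cookie["domain"] = val.lstrip(".").lower()   # a leading dot is ignored
        elif key == "path" and val.startswith("/"):
            cookie["path"] = val
        elif key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "samesite":
            cookie["samesite"] = val.lower()
    return cookie


def registrable_domain(host):
    """Approximate eTLD+1 as the last two labels (fine for example.com-style hosts)."""
    return ".".join(host.lower().split(".")[-2:])


def domain_matches(host, cookie_domain):
    return host == cookie_domain or host.endswith("." + cookie_domain)


def store_reason(cookie, response_host):
    """Reason the browser would refuse to store the cookie, or None if accepted."""
    if cookie["domain"] and not domain_matches(response_host, cookie["domain"]):
        return "Domain attribute does not cover the host that set it"
    if cookie["samesite"] == "none" and not cookie["secure"]:
        return "SameSite=None requires Secure"
    return None


def would_send(cookie, target_url, initiator_host):
    """Whether a stored cookie is attached to a top-level GET navigation to
    target_url. initiator_host is the site whose page triggered the navigation
    (a redirect or window.open from it); None means the URL was typed or pasted
    into the address bar, which browsers treat as same-site."""
    url = urlsplit(target_url)
    host, path = url.hostname.lower(), (url.path or "/")
    if cookie["domain"]:
        if not domain_matches(host, cookie["domain"]):
            return False, "Domain attribute does not match target host"
    elif host != cookie["host"]:
        return False, "host-only cookie belongs to another host"
    if not (path == cookie["path"] or path.startswith(cookie["path"].rstrip("/") + "/")):
        return False, "Path attribute does not cover target path"
    if cookie["secure"] and url.scheme != "https":
        return False, "Secure cookie on a non-https URL"
    same_site = (initiator_host is None
                 or registrable_domain(initiator_host) == registrable_domain(host))
    if (cookie["samesite"] or "lax") == "strict" and not same_site:
        return False, "SameSite=Strict withheld on a cross-site navigation"
    # Lax cookies ride on cross-site top-level GET navigations; None cookies
    # always do (they had to be Secure to be stored at all).
    return True, "sent"


def simulate(set_cookie_headers, response_host, target_url, initiator_host):
    """Store the cookies from the token-URL response, then report per cookie
    whether the navigation to target_url carries it and why."""
    report = {}
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        reason = store_reason(cookie, response_host)
        if reason:
            report[cookie["name"]] = (False, "rejected at store time: " + reason)
            continue
        cookie["host"] = response_host
        report[cookie["name"]] = would_send(cookie, target_url, initiator_host)
    return report


# Constructed Set-Cookie headers standing in for what a vendor's token-URL
# response might set; none of these values come from the original post.
VENDOR_HOST = "vendor.example"
DASHBOARD_URL = "https://vendor.example/dashboard"
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=Strict",
    "SsoToken=tok; path=/; Secure; HttpOnly; SameSite=None",
    "Prefs=x; path=/; HttpOnly",                 # no SameSite: Lax by default
    "Legacy=y; path=/; SameSite=None",           # None without Secure: rejected
    "Foreign=z; Domain=client.example; path=/",  # scoped to another site
]

if __name__ == "__main__":
    for initiator in ("client.example", None):
        label = initiator or "address bar (no initiator)"
        print(f"Navigation to {DASHBOARD_URL} initiated from {label}:")
        for name, (sent, why) in simulate(SAMPLE_HEADERS, VENDOR_HOST,
                                          DASHBOARD_URL, initiator).items():
            print(f"  {name:18} {'SENT   ' if sent else 'DROPPED'} {why}")
```

Run as a script, it prints two tables: with client.example as the initiator, the Strict session cookie is dropped while the Lax and None cookies are sent; with no initiator (the pasted URL), the same Strict cookie is sent. The cookie scoped to client.example is never stored by vendor.example at all, which is the comment's point about cookies belonging to the domain that set them.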

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)