
I am calling a webpage from an external webpage and I am passing a user id with the call (http://localhost:54697/?position='position'&user='user'). What I want to do is I want to put the user into an authentication process using the request variable.

Is global.asax.cs/Application_Start() a good place to do it? If so, is there any way to pass a request variable into it?

Or is there any suggestion?

UPDATE:

The external site has the credential info that is needed for my site's authorization. In short, I have a system on which I can go through several other websites via menus. One menu link will go to this (http://localhost:54697/?position='position'&user='user') Asp.Net MVC web site. Whenever the user clicks the link, a userid will be sent through the link. Based on the userid I will go through an authorization process in which I will check the userid and show menus based on the roles associated with the userid. In the controller I can get the userid; however, I do not want to check the roles in every controller. Whenever the link is clicked I want the system to go through a role provider and assign the roles associated with the userid and place role annotators on the controllers. As stated above, I am not sure if global.asax.cs/Application_Start() is a good place to do it. If so, is there any way to pass a request variable into it? Or can I use the constructor of the controller for this purpose?

ilhank
  • Please provide more detail around what it is you are trying to achieve, such as what type of authentication do you want your app to be set up with? Do you mean that you want to set up External Authentication (such as logging into your app via credentials from external site like twitter, facebook, etc. ...)? Or do you mean that the external site has the credential info that is needed for your site's forms based authentication? – C Murphy Feb 14 '20 at 15:24
  • @CMurphy thank you very much for your reply. I just updated the question. – ilhank Feb 14 '20 at 20:58
  • So basically Site A authenticates the user, and then redirect to Site B to some URL `siteB.com/?user=BobTheUser` and Site B skips login and authenticates `BobTheUser`? – AaronLS Feb 14 '20 at 20:59
  • @AaronLS yes that's mostly correct, site B skips the login but has to check for roles associated with the user. I am planning to use a rolemanager which is derived from System.Web.Security.RoleProvider. I want to use GetRolesForUser() method to fetch roles related to user and return them. – ilhank Feb 14 '20 at 21:14
  • @ilhank You can manually authenticate a user like so, this is the same for MVC or ASP.NET, but if you're using Core it will be different: https://stackoverflow.com/questions/7217105/how-can-i-manually-create-a-authentication-cookie-instead-of-the-default-method – AaronLS Feb 14 '20 at 21:20
  • @ilhank The problem is nothing stops user Jim from building the URL `siteB.com/?user=BobTheUser` and logging in as Bob. I've seen all kinds of easily defeated schemes like this. Doing cross site authentication is complicated, and you shouldn't roll your own, because even experienced devs find it challenging. Use existing single sign-on technologies like OAuth instead. When it comes to security, you shouldn't roll your own. – AaronLS Feb 14 '20 at 21:23
  • Does this answer your question? [How can I manually create a authentication cookie instead of the default method?](https://stackoverflow.com/questions/7217105/how-can-i-manually-create-a-authentication-cookie-instead-of-the-default-method) – AaronLS Feb 14 '20 at 21:24
  • @AaronLS Well, actually this is not clear to me, I need to work on this. I want to pass request parameter to RoleProvider. Cookies may be a solution for this. Is there any other way to do it? – ilhank Feb 14 '20 at 22:24
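
An added example, not part of the original thread or any poster's code: roles are attached once per request in `Application_PostAuthenticateRequest` (not `Application_Start`, which has no request), read from the encrypted forms-authentication ticket rather than from the `user` query parameter. It assumes forms authentication is enabled in web.config and that the sign-on protocol has already verified the identity; `SignOn`, `IssueTicket`, `ReportsController` and the role name `Manager` are hypothetical names.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public static class SignOn // hypothetical helper name
{
    // Call only after the sign-on protocol has verified who the user is,
    // never with a value read from the query string. The roles array can
    // come from the role provider's GetRolesForUser().
    public static void IssueTicket(HttpResponseBase response, string verifiedUser, string[] roles)
    {
        var ticket = new FormsAuthenticationTicket(
            1, verifiedUser, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, string.Join("|", roles)); // roles travel in UserData
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        response.Cookies.Add(cookie);
    }
}

// Merge this handler into the existing Global.asax.cs application class.
public class MvcApplication : HttpApplication
{
    // Runs on every request, after the forms-authentication module has
    // decrypted and validated the cookie.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal user = HttpContext.Current.User;
        var identity = user == null ? null : user.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;

        // Role names must not contain '|'; roles stay fixed until the ticket expires.
        string[] roles = identity.Ticket.UserData.Split(
            new[] { '|' }, StringSplitOptions.RemoveEmptyEntries);
        HttpContext.Current.User = new GenericPrincipal(identity, roles);
    }
}

[Authorize(Roles = "Manager")] // constructed role name
public class ReportsController : Controller
{
    public ActionResult Index() { return Content("manager-only menu"); }
}
```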

0 Answers