Login Cookie Encryption
Posted: Fri Oct 03, 2008 11:17 am
by ajbescrivo
Hi!
I am currently trying to integrate AbleCommerce's login system with another ASP.NET-based application.
I think the easiest way to proceed will be for users to log in using AbleCommerce and then for the other application to use this information.
In order to do this I would like for the other application to be able to decrypt and use AbleCommerce's login cookie.
Is this possible? How is the cookie encrypted? Where can I find the decryption key? Is there any control over the data that is stored in the cookie (it might be useful if I had access to the customer's email address via the cookie for example)?
Many thanks for your help
Andrew
Re: Login Cookie Encryption
Posted: Mon Oct 06, 2008 9:58 am
by mazhar
I think AbleCommerce doesn't use any custom cookie for the state management, because AbleCommerce makes use of the FormsAuthentication feature of ASP.NET, so all the state handling is being done by ASP.NET. AbleCommerce saves one cookie that contains the name of the user, and that is so that the user doesn't need to re-enter the user name; this cookie is not encrypted. You can see the LoginDialog control for more information about this cookie.
Re: Login Cookie Encryption
Posted: Mon Oct 06, 2008 10:10 am
by ajbescrivo
Thanks for your reply!
So do you know if it is possible to unencrypt the cookie used by FormsAuthentication to manage the login? Or is it possible to achieve a single-sign-on between AbleCommerce and another application via other means (so that users only have to log in on AbleCommerce to use both applications)?
Andrew
Re: Login Cookie Encryption
Posted: Mon Oct 06, 2008 12:33 pm
by mazhar
I assume that you have the other application nested within AC, for example I call it the ablechild having a page Default.aspx. The URL to this default page would be
Code:
http://localhost/ablesite/ablechild/Default.aspx
Now first of all you need to disable anonymous user access on this child application. For that, add a web.config file with the following contents in the folder named ablechild
Code:
<?xml version="1.0"?>
<!--
    Note: As an alternative to hand editing this file you can use the
    web admin tool to configure settings for your application. Use
    the Website->Asp.Net Configuration option in Visual Studio.
    A full list of settings and comments can be found in
    machine.config.comments usually located in
    \Windows\Microsoft.Net\Framework\v2.x\Config
-->
<configuration>
    <appSettings/>
    <connectionStrings/>
    <system.web>
        <authorization>
            <deny users="?"/>
        </authorization>
    </system.web>
</configuration>
Now if you try to navigate to the following page
Code:
http://localhost/ablesite/ablechild/Default.aspx
as anonymous user, you will get a redirect to the Able login page.
You can use the following code in the child application to get the currently logged on user name
Code:
UserName.Text = User.Identity.Name;
for example write the above code in the Page_Load method of the child application's default page as below
Code:
protected void Page_Load(object sender, EventArgs e)
{
    Response.Write(User.Identity.Name);
}
Now when you log in to AbleCommerce and then navigate to the default page of the child application, the page will show you the AbleCommerce user's name.
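
The approach in the reply above, as an added example that is not part of the original posts or AbleCommerce's own code: the child page reads the forms authentication ticket that ASP.NET has already decrypted, rather than decrypting the cookie itself, and HTML-encodes everything it writes. The class name _Default is an assumption, and whether AbleCommerce stores anything in the ticket's UserData field is not stated in this thread.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Hypothetical code-behind for ablechild/Default.aspx (class name is an assumption).
public partial class _Default : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // <deny users="?"/> should already have redirected anonymous visitors,
        // but fail closed if this page is ever deployed without that web.config.
        if (!User.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        // ASP.NET has already decrypted and validated the forms cookie; the
        // resulting ticket is exposed on FormsIdentity, so no key handling here.
        FormsIdentity identity = User.Identity as FormsIdentity;
        if (identity == null)
        {
            // Authenticated by some other module: there is no ticket to read.
            Response.Write(HttpUtility.HtmlEncode(User.Identity.Name));
            return;
        }

        FormsAuthenticationTicket ticket = identity.Ticket;

        // User names are user-supplied input: encode before writing into HTML.
        Response.Write("User: " + HttpUtility.HtmlEncode(ticket.Name) + "<br />");
        Response.Write("Issued: " + ticket.IssueDate.ToString("s") + "<br />");
        Response.Write("Expires: " + ticket.Expiration.ToString("s") + "<br />");

        // UserData is an optional string set by whoever issued the ticket.
        // It may be empty; treat it as untrusted text when displaying it.
        if (!String.IsNullOrEmpty(ticket.UserData))
        {
            Response.Write("UserData: " + HttpUtility.HtmlEncode(ticket.UserData));
        }
    }
}
```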