Login Cookie Encryption

For general questions and discussions specific to the AbleCommerce 7.0 Asp.Net product.
ajbescrivo
Ensign (ENS)
Posts: 3
Joined: Fri Oct 03, 2008 11:13 am

Login Cookie Encryption

Post by ajbescrivo » Fri Oct 03, 2008 11:17 am

Hi!

I am currently trying to integrate AbleCommerce's login system with another ASP.NET-based application.

I think the easiest way to proceed will be for users to log in using AbleCommerce and then for the other application to use this information.

In order to do this I would like for the other application to be able to decrypt and use AbleCommerce's login cookie.

Is this possible? How is the cookie encrypted? Where can I find the decryption key? Is there any control over the data that is stored in the cookie (it might be useful if I had access to the customer's email address via the cookie for example)?

Many thanks for your help

Andrew

mazhar
Master Yoda
Posts: 5084
Joined: Wed Jul 09, 2008 8:21 am

Re: Login Cookie Encryption

Post by mazhar » Mon Oct 06, 2008 9:58 am

I think AbleCommerce doesn't use any custom cookie for state management, because AbleCommerce makes use of the FormsAuthentication feature of ASP.NET, so all the state handling is being done by ASP.NET. AbleCommerce saves one cookie that contains the name of the user, so that the user doesn't need to re-enter the user name; this cookie is not encrypted. You can see the LoginDialog control for more information about this cookie.

Re: Login Cookie Encryption

Post by ajbescrivo » Mon Oct 06, 2008 10:10 am

Thanks for your reply!

So do you know if it is possible to unencrypt the cookie used by FormsAuthentication to manage the login? Or is it possible to achieve a single-sign-on between AbleCommerce and another application via other means (so that users only have to log in on AbleCommerce to use both applications)?

Andrew

Re: Login Cookie Encryption

Post by mazhar » Mon Oct 06, 2008 12:33 pm

I assume that you have the other application nested within AC, for example I call it the ablechild having a page Default.aspx. The URL to this default page would be

Code:

http://localhost/ablesite/ablechild/Default.aspx

Now first of all you need to disable anonymous user access on this child application. For that, add a web.config file with the following contents in the folder named ablechild:

Code:

<?xml version="1.0"?>
<!-- 
    Note: As an alternative to hand editing this file you can use the 
    web admin tool to configure settings for your application. Use
    the Website->Asp.Net Configuration option in Visual Studio.
    A full list of settings and comments can be found in 
    machine.config.comments usually located in 
    \Windows\Microsoft.Net\Framework\v2.x\Config 
-->
<configuration>
  <appSettings/>
  <connectionStrings/>
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>

Now if you try to navigate to the following page

Code:

http://localhost/ablesite/ablechild/Default.aspx

as an anonymous user, you will get a redirect to the Able login page.
You can use the following code in the child application to get the currently logged-on user name:

Code:

UserName.Text = User.Identity.Name;

For example, write the above code in the Page_Load method of the child application's default page as below:

Code:

protected void Page_Load(object sender, EventArgs e)
{
    // HTML-encode the name before writing it into the page
    Response.Write(Server.HtmlEncode(User.Identity.Name));
}

Now when you log in to AbleCommerce and then navigate to the default page of the child application, the page will show you the AbleCommerce user's name.
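Added example (not part of the original posts and not AbleCommerce code): a helper the child application could use to read and validate the FormsAuthentication ticket itself, which is what the first question asks about. It assumes the child runs under the same `<machineKey>` and forms cookie name as AbleCommerce, as it does when it is a folder inside the AbleCommerce application; `SharedTicketReader` and its method names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

// Hypothetical helper for the child application (added example).
public static class SharedTicketReader
{
    // Returns the forms-authentication ticket for this request, or null if
    // the cookie is missing, malformed, tampered with, expired, or was
    // issued under a different <machineKey> than this application uses.
    public static FormsAuthenticationTicket TryGetTicket(HttpRequest request)
    {
        // FormsCookieName comes from <forms name="..."> in web.config.
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return null;

        FormsAuthenticationTicket ticket;
        try
        {
            // With protection="All" (the default) Decrypt both decrypts the
            // cookie value and checks its integrity using the machineKey.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (ArgumentException) { return null; }      // not a valid ticket
        catch (CryptographicException) { return null; } // key mismatch
        catch (HttpException) { return null; }          // validation failed

        // Treat an expired ticket the same as no ticket at all.
        if (ticket == null || ticket.Expired)
            return null;

        return ticket;
    }

    // Returns the user name from the ticket, HTML-encoded for output,
    // or an empty string when there is no valid ticket.
    public static string GetEncodedUserName(HttpRequest request)
    {
        FormsAuthenticationTicket ticket = TryGetTicket(request);
        return ticket == null ? string.Empty : HttpUtility.HtmlEncode(ticket.Name);
    }
}
```

A child deployed as a separate application or on another server would fail the decrypt step unless both sites are configured with the same explicit `<machineKey>` values and the same forms cookie name and path.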
