Develop a custom authentication and authorization system in consistence with web form application

Question

I am creating a new ASP.NET MVC 4 application (actually my first MVC application) that is a part of my previous ASP.NET web forms application. I have never used ASP.NET inbu

Answer 1

In a high-level concise overview you can do the following:

If you want to proceed with what you've got than the best solution is writing a custom HTTP module which handles the authentication for your MVC web app. Most authentication modules (Windows, Forms, etc) are done through HTTP modules. Here you can read the request and corresponding cookies and set the principal object of the current request and thread. Also if a HTTP 401 occurs - because a unauthenticated user is requesting a secured resource of your mvc webapp - you can redirect them to the login page of your other web app and let them redirect the user back to the one the user was originally requesting.

A different road you may take is re-evaluating what you've got. You are basically trying to achieve Single Sign On and federated identity / authentication for your applications. For this I would recommend solutions designed for this. The SAML and WS-Federation protocol are two popular standards that provides this. Both protocols achieve more or less the same goals.

There are a lot of solutions out there which are based on one if these protocols.

One, for example is the Windows Identity Foundation. As of .Net 4.5, this is integrated in the .Net framework. Before that available as a separate download. WIF supports the WS-Federation protocol. Here everything is based on what they call claim based security (see more info on this subject by the links below).

The SAML protocol is not supported by WIF although there exists some old library which is a CTP version. I would not recommend using it.

Going down the road of re-evaluating how you authenticate your users and manage their identities could be a lot of work. So it's up to you to decide if it's worth the investment. I have to finish but here are some more links to the subjects at hand:

• Federated Identity
• Introduction to claims
• Claims based Identity
• Introduction to claims based security - part 1 and al the other parts.
• SSO vs federated login

Although it's not a ready to use answer I hope it helps you in finding your answer. Good luck!

Answer 2

If you hand-roll your own authentication, the security can only be the as strong as how you store Ticket in client side cookie securely.

Normally, you want to encrypt the auth ticket/token and access via SSL. As long as you store the cookie securely at client side, it should not be an issue.

I also would like to suggest to take a look at how ASP.Net creates Form Authentication Ticket.

Note: If you use ASP.Net Form Authentication Ticket you do not need to store ticket/token in database, because user will send the auth ticket to server on every page request.

var now = DateTime.UtcNow.ToLocalTime();

var ticket = new FormsAuthenticationTicket(
                1, /*version*/
                MemberID,
                now,
                now.Add(FormsAuthentication.Timeout),
                createPersistentCookie,
                TokenID, /*custom data*/
                FormsAuthentication.FormsCookiePath);

var encryptedTicket = FormsAuthentication.Encrypt(ticket);

var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket)
{
   HttpOnly = true,
   Secure = FormsAuthentication.RequireSSL,
   Path = FormsAuthentication.FormsCookiePath
};

if (ticket.IsPersistent)
{
   cookie.Expires = ticket.Expiration;
}
if (FormsAuthentication.CookieDomain != null)
{
   cookie.Domain = FormsAuthentication.CookieDomain;
}

_httpContext.Response.Cookies.Add(cookie);

How to create Principal Object

Once authenticated user is requested a page, you need to retrieve auth ticket from cookie, and create a Principal object.

// In Global.asax.cs
void Application_AuthenticateRequest(object sender, EventArgs e)
{
   HttpCookie decryptedCookie = 
      Context.Request.Cookies[FormsAuthentication.FormsCookieName];

   FormsAuthenticationTicket ticket = 
      FormsAuthentication.Decrypt(decryptedCookie.Value);

   var identity = new GenericIdentity(ticket.Name);
   var principal = new GenericPrincipal(identity, null);

   HttpContext.Current.User = principal;
   Thread.CurrentPrincipal =HttpContext.Current.User;
}

// In action method, how to check whether user is logged in 
if (User.Identity.IsAuthenticated)
{

}

Do I need to extend cookie expiration?

If you leave slidingExpiration as true (which is true by default), it will increase the expiration time automatically. (Read more on article)