I am building a sister site. I want my logged-in user to be able to log in to the sister site.
The user is entered into both databases and has a token (guid) that matches.
I am posting the token in a token-auth page via httpwebrequest to the sister site. The sister site locates the user from the database with the matching token.
(so far so good)
The token-auth page (via httpwebrequest) is supposed to set a cookie that my forms authentication checks. (Then the page does a redirect to the sister site and user should be logged in.)
The problem is the last part. The cookie is not being set by the token-auth page via httpwebrequest. Thus, forms authentication fails and the user login appears.
I see the cookie from the httpwebrequest via the CookieContainer; however it's not being saved to the cookies on the computer... and then the authentication on the redirect fails.
Anyone know how to get the cookies to save via httpwebrequest? This should be possible, right?
Here's some code:
The HttpWebRequest page (on load)
    ' Requires: Imports System.IO, System.Net, System.Text
    Dim baseURL As String = "http://localhost:5894"
    Dim poststring As String = String.Format("token={0}", u.toolkit_token)
    Dim url As String = baseURL & "/GetAuthToken.aspx"

    ' Build the POST to the sister site's token-auth page
    Dim cookies As CookieContainer = New CookieContainer()
    Dim req As HttpWebRequest = DirectCast(WebRequest.Create(url), HttpWebRequest)
    req.Accept = "*/*"
    req.UserAgent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
    req.Method = "POST"
    req.ContentType = "application/x-www-form-urlencoded"
    req.AllowAutoRedirect = False
    req.CookieContainer = cookies

    ' Send the form body
    Dim bytedata() As Byte = Encoding.UTF8.GetBytes(poststring)
    req.ContentLength = bytedata.Length
    Dim rs As Stream = req.GetRequestStream()
    rs.Write(bytedata, 0, bytedata.Length)
    rs.Close()

    ' Read the response body ("200" on success)
    Dim res As HttpWebResponse = DirectCast(req.GetResponse(), HttpWebResponse)
    Dim sr As Stream = res.GetResponseStream()
    Dim result As String = String.Empty
    Dim reader As New StreamReader(sr)
    result = reader.ReadToEnd

    If result = "200" Then
        Response.Redirect(baseURL)
    Else
        Response.Write("Error: Token Not Authorized.")
    End If
The Auth-Token page
    If Not Request.Form("token") Is Nothing Then
        Dim u As BusinessLayer.DataContainer.oUser = Nothing
        u = BusinessLayer.BusinessObject.GetUserByToken(Request.Form("token"))
        If u IsNot Nothing Then
            '-----Set Cookie
            Dim cookie As HttpCookie = Nothing
            Dim _CookieId As String = Guid.NewGuid().ToString() & "-" & Guid.NewGuid().ToString()
            Call BusinessLayer.BusinessObject.UpdateUsersCookieId(_CookieId, u.id)
            cookie = New HttpCookie("KeepSignedIn")
            cookie.Values.Add("KeepSignedIn", "True")
            cookie.Values.Remove("CookieId")
            cookie.Values.Add("CookieId", _CookieId)
            cookie.Expires = Now.AddYears(1)
            Response.Cookies.Add(cookie)
            '---------------
            Response.Write("200")
        End If
    End If
Please advise on how to get the Auth-Token page to save its cookies to the file system. Is it a cross-domain issue? How else would you go about this?
I should also note that if I log in from the site directly, not using the token page, the forms authentication works using the cookie. I've used this code for years. I'm certain it is not an issue with that. The cookie is just not there to authenticate against when using the token-auth page.
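The cookie in the question is set on the response to the web server's own HttpWebRequest, so it lands in that request's CookieContainer and never reaches the browser; a browser only stores cookies from responses to requests it makes itself. An added example (not part of the original post) of handing the login over through a browser redirect instead, with a short-lived, single-use, HMAC-signed ticket that the sister site validates before setting its cookie on the browser's own request. The module and function names, the shared key, the 60-second lifetime and the in-memory nonce set are assumptions.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Security.Cryptography
Imports System.Text

Module HandoffTicket   ' hypothetical helper, shared by both sites
    ' Main site: issue a 60-second ticket, then Response.Redirect the browser to the
    ' sister site with it in the query string (encode it with Uri.EscapeDataString).
    Function Issue(userKey As String, key As Byte(), nowUtc As DateTime) As String
        Dim payload As String = String.Join("|", userKey,
            nowUtc.AddSeconds(60).Ticks.ToString(), Guid.NewGuid().ToString("N"))
        Return Convert.ToBase64String(Encoding.UTF8.GetBytes(payload)) & "." &
               Convert.ToBase64String(Sign(payload, key))
    End Function

    ' Sister site: returns the user key, or Nothing if the ticket is malformed,
    ' forged, expired or already used. The payload is signed, not encrypted.
    Function Validate(ticket As String, key As Byte(), nowUtc As DateTime,
                      seen As HashSet(Of String)) As String
        Try
            Dim parts As String() = If(ticket, "").Split("."c)
            If parts.Length <> 2 Then Return Nothing
            Dim payload As String = Encoding.UTF8.GetString(Convert.FromBase64String(parts(0)))
            If Not FixedEquals(Convert.FromBase64String(parts(1)), Sign(payload, key)) Then Return Nothing
            Dim f As String() = payload.Split("|"c)   ' userKey | expiry ticks | nonce
            If f.Length <> 3 OrElse Long.Parse(f(1)) < nowUtc.Ticks Then Return Nothing
            Return If(seen.Add(f(2)), f(0), Nothing)  ' a replayed nonce is rejected
        Catch ex As FormatException
            Return Nothing
        End Try
    End Function
    Function Sign(payload As String, key As Byte()) As Byte()
        Using h As New HMACSHA256(key)
            Return h.ComputeHash(Encoding.UTF8.GetBytes(payload))
        End Using
    End Function
    Function FixedEquals(a As Byte(), b As Byte()) As Boolean   ' constant-time compare
        Dim diff As Integer = a.Length Xor b.Length
        For i As Integer = 0 To Math.Min(a.Length, b.Length) - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function

    Sub Main()   ' constructed key and user key; the nonce set is in-memory for the demo
        Dim key As Byte() = Encoding.UTF8.GetBytes("constructed-demo-key-shared-by-both-sites")
        Dim seen As New HashSet(Of String)()
        Dim ticket As String = Issue("constructed-user-guid", key, DateTime.UtcNow)
        Console.WriteLine("first use accepted: {0}", Validate(ticket, key, DateTime.UtcNow, seen) IsNot Nothing)
        Console.WriteLine("replay accepted: {0}", Validate(ticket, key, DateTime.UtcNow, seen) IsNot Nothing)
    End Sub
End Module
```

In a real deployment the used-nonce set has to live in storage shared by every worker of the sister site, and both servers' clocks need to agree to within the ticket lifetime.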