Blog Objective

This is a blog that attempts to make life easier by noting down the author's accrued knowledge and experiences.
The author has dealt with several IT projects (in Java EE and .NET) and is a specialist in system development.

22 August 2012

National Do-Not-Call Registry (Singapore)

Information regarding the proposed National DNC registry can be found here.
The DNC registry allows individuals to opt out of marketing messages sent by email, SMS/MMS, fax or phone call.
A message is regarded as a marketing message as long as any part of it has a purpose that is marketing in nature, as defined.
A message is marketing in nature if one of its purposes is:
  1. to offer to supply, advertise or promote goods or services, the suppliers or prospective suppliers of goods and services
  2. to supply, advertise or promote land, interests in land, business or investment opportunities

10 August 2012

Poor Man's SSO with Multiple ASP.NET Web Applications

It is quite straightforward to have (poor man's) single sign-on across multiple ASP.NET web applications without sourcing an enterprise solution.

This is based on the following premise:
  1. the web applications are in the same domain
  2. forms or custom authentication is used for the web applications
To make this work, the following steps are required:
  1. Enable Forms authentication for the relevant web applications, use:
    <authentication mode="Forms">
  2. Ensure that the validationKey and decryptionKey settings (under the machineKey element) are not auto-generated but are explicitly coded and shared across the relevant web applications (and web farm, if applicable).
    1. For IIS6, you can use this website to generate the keys
    2. For IIS7+, you can use IIS Manager to do so.
  3. Customise the name of the cookie (instead of the default .ASPXAUTH) but more importantly, set the cookie path to the default root "/" and the domain to a valid one, use:
    <forms name=".PoorMan.SSO" domain="?" path="/" requireSSL="true|false" timeout="30" slidingExpiration="true|false" protection="All" />
  4. To determine if the user is authenticated, use: HttpContext.Current.User.Identity.IsAuthenticated
  5. To determine the identity of the authenticated user, use:  HttpContext.Current.User.Identity.Name
  6. To issue the (non-persistent) forms authentication cookie after the custom authentication succeeds, use: FormsAuthentication.RedirectFromLoginPage(username, false);
  7. To log-off the user, use FormsAuthentication.SignOut();
  8. Due to breaking changes in .NET 4.0, for mixed-mode deployment using different CLRs (i.e. CLR 2.0 and CLR 4.0), the machineKey needs to use the same (older) validation algorithm. CLR 2.0 uses HMACSHA1 while CLR 4.0 uses HMACSHA256. Use:
    <machineKey validation="SHA1" />
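Putting steps 1, 2, 3 and 8 together, here is an added example Web.config fragment (not from the original post) showing the per-application auto-generated machineKey that breaks the shared login beside the explicit shared keys that make it work. The key values, the domain "example.com" and the loginUrl are placeholders; the real keys must be generated once and pasted identically into every application in the SSO group.

```xml
<!-- Added example (not from the original post). All key values are placeholders:
     generate real ones (IIS Manager machineKey feature for IIS7+) and paste the
     SAME values into every web application that should share the login. -->
<configuration>
  <system.web>
    <!-- Step 1: forms authentication for every participating application -->
    <authentication mode="Forms">
      <!-- Step 3: one cookie name, root path and the parent domain common to all
           applications. "example.com" and loginUrl are assumed values.
           requireSSL="true" keeps the ticket off plain HTTP. -->
      <forms name=".PoorMan.SSO"
             domain="example.com"
             path="/"
             requireSSL="true"
             timeout="30"
             slidingExpiration="true"
             protection="All"
             loginUrl="~/Login.aspx" />
    </authentication>

    <!-- Weak setting: the default, left here commented out for comparison.
         Each application derives its own keys, so a ticket issued by one
         application fails validation in the others and the login is not shared.
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
    -->

    <!-- Steps 2 and 8: explicit keys shared by the whole SSO group.
         validation="SHA1" is only needed when a CLR 2.0 application must read
         tickets issued by a CLR 4.0 application; otherwise keep the default for
         the framework version. Anyone holding these keys can mint a valid ticket
         for every application, so protect the config files accordingly. -->
    <machineKey validationKey="REPLACE_WITH_128_HEX_CHARS_SHARED_VALIDATION_KEY"
                decryptionKey="REPLACE_WITH_64_HEX_CHARS_SHARED_DECRYPTION_KEY"
                validation="SHA1"
                decryption="AES" />

    <!-- Keep the ticket out of reach of script and off plain HTTP -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```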
Additional resources (often outdated) can be found at:
  1. ASP.NET blog
  2. CodeProject
  3. Some product support pages
  4. MSDN site for forms element in Web.config