IIS http request authentication issue

1
votes

I am using VSTS 2008 + C# + .Net 3.5 + IIS 7.0 + ASP.Net. I have two IIS web site, site A and site B. When user request url http://sitea/abc.aspx, my ASP.Net code handler will authenticate user (using Forms authentication), and if authenticaiton passed, I will redirect user to http://siteb/bcd.aspx.

My current issue is, some users will access http://siteb/bcd.aspx directly to skip the authentication process of sitea. This is not what I want since I want to ensure all users who access http://siteb/bcd.aspx authenticated.

My question is, what is the easy solution to solve the issue when user will access siteb directly to skip authentication?

2
c#asp.net.netiisvisual-studio-2008

2 Answers

1
votes

My thoughts on this...

  • Disallow anonymous access to both the site
  • Since you are using forms authentication set the loginurl appropriately.
  • If a user access http://sitseb/bcd.aspx directly, since anonymous access is disallowed it will be redirected to the respective login URL.

Do let me know if you need any further clarification.

A similar solution is presented here..

Multiple site authentication with asp.net

NOTE: IF need be, the forms authentication cookie domain should be set to "*.yourdomain.com" so that the same cookie can be used for both the site.

1
votes

On siteb you can restrict access to the ip address of sitea.

In IIS Manager

Click the Directory Security or File Security tab, and then do one of the following:

in the IP address and domain name restrictions section, click Edit.

Click Granted access or Denied access. When you select Denied access, you deny access to all computers and domains, except to those that you specifically grant access. When you select Granted access, you grant access to all computers and domains, except to those that you specifically deny access.

Click Add, and then click Single computer.

Click DNS Lookup to search for computers or domains by name, rather than by IP address.

Type the DNS name for the computer. IIS searches on the current domain for the computer, and if found, enters its IP address in the IP address box.