I have two .NET 6 web app projects in a single .NET solution (.sln).
The first application (App1) is for user management: this contains features like Login, password reset, my profile, and logout.
The 2nd application (App2) is the business application. Based on the user's login in the first application I need to redirect the user to App2 with some parameters that are necessary for using App2.
Here is what I am doing now:
- User logs in App1, I authenticate credential from DB.
- If valid user, then I fetch the required data from DB and put into dictionary.
- I serialize the dictionary and put into session in App1 for use within App1 (password reset, my profile etc).
- I encrypt it using a secret key.
- I redirect to App2 with the encrypted string as a query string parameter.
- On landing in App2, I decrypt and deserialize the query string.
- Finally I push the dictionary values into Session in App2, so that those values are available on all the screens in App2.
So far so good. However, my App2 has 3 links (Edit Profile, Password Reset and Logout) in the navigation toolbar. Unfortunately all these 3 features are developed in App1.
What is an elegant way to handle this? Do I need to redirect back to App1 using the same method?
The password reset and My profile pages work fine when I am within App1 (before redirection to App2). If I redirect to App2, then the session for App1 gets terminated (not sure why).
Also, how do I safely log out so that both App1 and App2 are logged out?
Just need the guidelines, I will try to write the code myself.
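The handoff described in the question (serialize the dictionary, encrypt it with a secret key, pass it to App2 in the query string, decrypt and deserialize there) can be done with the framework's own Data Protection API instead of a hand-rolled cipher. The example below is added here and is not the asker's code; it assumes both apps register Data Protection with the same key ring and application name (the path and names shown are placeholders) so that a token protected by App1 can be unprotected by App2. A time-limited protector gives authenticated encryption plus a built-in expiry, so a tampered, replayed-after-expiry, or foreign-key token is rejected rather than silently decrypted to garbage.

```csharp
// Added example, not the asker's code. Requires Microsoft.AspNetCore.DataProtection
// (part of the ASP.NET Core shared framework in .NET 6).
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text.Json;
using Microsoft.AspNetCore.DataProtection;

// Program.cs in BOTH App1 and App2 (assumed; path and name are placeholders):
//   builder.Services.AddDataProtection()
//       .PersistKeysToFileSystem(new DirectoryInfo(@"\\shared\keyring"))
//       .SetApplicationName("App1App2Handoff");
//   builder.Services.AddSingleton<HandoffTokenService>();

public sealed class HandoffTokenService
{
    // The purpose string isolates handoff tokens from any other payload the apps protect;
    // a token created under a different purpose will not unprotect here.
    private const string Purpose = "App1->App2 handoff v1";

    private readonly ITimeLimitedDataProtector _protector;

    public HandoffTokenService(IDataProtectionProvider provider)
    {
        _protector = provider.CreateProtector(Purpose).ToTimeLimitedDataProtector();
    }

    // App1 side: serialize the per-user dictionary and protect it with an expiry.
    // Keep the lifetime short; the token travels in a URL and will end up in logs.
    public string Create(IDictionary<string, string> values, TimeSpan lifetime)
    {
        string json = JsonSerializer.Serialize(values);
        return _protector.Protect(json, lifetime);
    }

    // App2 side: returns null for anything that is tampered, expired, or protected
    // under a different key ring / application name / purpose.
    public IDictionary<string, string>? TryRead(string token)
    {
        try
        {
            string json = _protector.Unprotect(token);
            return JsonSerializer.Deserialize<Dictionary<string, string>>(json);
        }
        catch (CryptographicException)
        {
            return null;
        }
    }
}

// Usage sketch (assumed controller/page code, not from the question):
//   App1, after a successful DB login:
//     var token = handoff.Create(userData, TimeSpan.FromMinutes(2));
//     return Redirect($"https://app2.example.com/landing?h={Uri.EscapeDataString(token)}");
//   App2 landing page:
//     var data = handoff.TryRead(Request.Query["h"]);
//     if (data is null) return Unauthorized();
//     foreach (var kv in data) HttpContext.Session.SetString(kv.Key, kv.Value);
//     return Redirect("/");   // leave the token-bearing URL behind immediately
```

Because App2 copies the values into its own session and then redirects to a clean URL, the token only needs to live for the few seconds the redirect takes, which limits what an attacker gains from a URL recovered from a proxy log or browser history. This replaces only the encryption step of the question's flow; it does not by itself solve the shared logout, which needs a shared authentication cookie or a central identity provider.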
2 Answers
You can use JWT tokens to manage sessions. So you will not need to write authentication info to the DB.
You can search the web with keywords like these:
"Jwt token authentication"
"Jwt token using with dotnet core on microservice"
I searched a few stories on the web quickly. You can start from these 🙂
https://www.c-sharpcorner.com/article/jwt-json-web-token-authentication-in-asp-net-core/
https://www.c-sharpcorner.com/article/jwt-token-routing-from-gateway-to-multiple-micro-services-in-net-core
Solution 2
If you don't want to use this solution,
you can develop another service called MiddlePoint.
Now you have 3 services: App1, App2 and MiddlePoint.
All main authentication functions can be moved to MiddlePoint from App1 and App2.
For example, when you want to logout from App1:
1- Logout request to App1
2- App1 redirects the logout request to MiddlePoint
3- MiddlePoint executes the required functions.
4- Return back to App1
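The first suggestion above, a JWT issued by App1 and verified by App2, looks like the following in .NET 6. This is an added example, not the answerer's code or code from the linked articles; it assumes the System.IdentityModel.Tokens.Jwt NuGet package, a signing key of at least 32 random bytes that both apps load from configuration, and the issuer/audience names "App1" and "App2" (all placeholders). The point a practitioner wants to see is the validation side: issuer, audience, lifetime and the allowed signing algorithm are all pinned, so a token from another issuer, for another audience, or signed with a different algorithm is rejected.

```csharp
// Added example, not the answerer's code. Assumes the System.IdentityModel.Tokens.Jwt package.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using Microsoft.IdentityModel.Tokens;

public static class HandoffJwt
{
    // Placeholder identifiers; both apps must agree on them.
    private const string Issuer = "App1";
    private const string Audience = "App2";

    // App1: issue a short-lived token after the DB login succeeded.
    // 'key' must be the same 32+ byte secret in both apps (loaded from configuration, not hard-coded).
    public static string Issue(string userId, IDictionary<string, string> extra, byte[] key, TimeSpan lifetime)
    {
        var claims = new List<Claim>
        {
            new(JwtRegisteredClaimNames.Sub, userId),
            new(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()), // unique id, useful for replay tracking
        };
        claims.AddRange(extra.Select(kv => new Claim(kv.Key, kv.Value)));

        var credentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256);
        var now = DateTime.UtcNow;
        var token = new JwtSecurityToken(
            issuer: Issuer,
            audience: Audience,
            claims: claims,
            notBefore: now,
            expires: now.Add(lifetime),
            signingCredentials: credentials);

        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // App2: validate every property of the token, not just the signature.
    // Returns null on any validation failure.
    public static ClaimsPrincipal? Validate(string token, byte[] key)
    {
        var parameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = Issuer,
            ValidateAudience = true,
            ValidAudience = Audience,
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(key),
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(30),          // default is 5 minutes; tighten it
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 }, // refuse "none" and anything else
        };

        try
        {
            return new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _);
        }
        catch (SecurityTokenException)
        {
            return null;
        }
    }
}
```

If App2 should accept the token on every request rather than only at the handoff, the same `TokenValidationParameters` can be given to `AddAuthentication().AddJwtBearer(...)` so the framework performs this check. Note that a JWT is self-contained: once issued it stays valid until it expires, so a shared logout still needs either short lifetimes or a server-side revocation list keyed on the `jti` claim.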
Based on your description and scenario it seems it should work, however, I am not quite sure how you have implemented that.
The main mechanism should be: your app1 should share the session Id with your app2 by redirecting with the session Id, and your app should receive that session Id.
The approach should be as following:
From app1:
In app2:
You should retrieve the session key as following
and finally extract the related session information by that ID. So far you are done up to here based on your description.
Here comes the main challenge. If you want to implement a logout mechanism that doesn't rely on an external identity provider like IdentityServer or something like that, and you want to use the built-in mechanisms of ASP.NET Core Razor Pages,
you can do so with some custom logic, though you should also consider the security as a whole.
Keep in mind that the built-in session management in ASP.NET Core is application-specific, and there isn't a direct mechanism for shared logouts between separate applications without a central identity provider.
However, the main concept is: you need to call a method on logout from one app which also clears the session from both apps. At the same time the sign-out method needs to be called in either app.
So you would need to call the following method in both your apps:
Note: Please refer to this official document for knowing better about shared authentication cookies mechanism.
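The shared authentication cookie mechanism the note refers to is what lets a sign-out in one app end the login in the other: both apps encrypt the cookie with the same Data Protection key ring and application name, use the same cookie name and a common parent domain, and then `SignOutAsync` in either app removes the one cookie both of them trust. The `Program.cs` below is an added example, not the answerer's or the official document's code; the key ring path, application name, cookie name, domain and URLs are placeholders, and it assumes App1 and App2 are hosted as sub-domains of the same parent domain.

```csharp
// Added example, not the answerer's code. Identical in App1 and App2 except for the hosts.
using System;
using System.IO;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Same key ring and application name in both apps; otherwise each app's cookie is
// opaque to the other. The directory is a placeholder and must be readable only by the two apps.
builder.Services.AddDataProtection()
    .PersistKeysToFileSystem(new DirectoryInfo(@"\\shared\keyring"))
    .SetApplicationName("SharedCookieApps");

builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Cookie.Name = ".SharedAuth";                 // same in both apps
        options.Cookie.Domain = "example.com";               // placeholder parent domain of app1./app2.example.com
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.SameSite = SameSiteMode.Lax;
        options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
        options.SlidingExpiration = true;
        options.LoginPath = "/Account/Login";                // login lives in App1; App2 can redirect there
    });

// Per-app session for the business data; this is NOT shared and is cleared on logout.
builder.Services.AddDistributedMemoryCache();
builder.Services.AddSession();

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();
app.UseSession();

// Logout endpoint, present in both apps. Clearing the local session plus removing the
// shared cookie ends the login for App1 and App2 at once; use POST so a link cannot trigger it.
app.MapPost("/logout", async (HttpContext ctx) =>
{
    ctx.Session.Clear();
    await ctx.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    return Results.Redirect("https://app1.example.com/Account/Login"); // placeholder
}).RequireAuthorization();

app.Run();
```

With the cookie shared, App2 can read the user's identity from `HttpContext.User` on every request and the query-string handoff from the question becomes unnecessary; the per-user dictionary can be looked up from the database by the `sub`/name claim or carried as claims in the cookie. One caveat: sign-out deletes the cookie in the browser, but a copy of the cookie captured before logout stays cryptographically valid until `ExpireTimeSpan` elapses, so a deployment that must revoke immediately has to add a server-side check (for example a per-user security stamp validated in `OnValidatePrincipal`).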