Home/ Questions/Q 6892017
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T06:28:56+00:00

Big picture: I have been asked to create a search engine for our company’s

  • 0

Big picture: I have been asked to create a search engine for our company’s intranet. Such a search engine will crawl pages supplied to it by XML files for each independent application on the intranet. Problem is, the entire intranet is using Forms Authentication, and so the crawler will have to have access to each application without actually having user credentials (e.g. username and password).

Each application within the intranet has its access controlled by a permission manager, which is essentially a wrapper on the default Role Manager ASP.NET comes with. Each application can define its own roles and assign people who have those roles.

Please note that there are potentially hundreds of applications.

The crawler has access to the permission manager’s database, so it knows what all the roles are. Therefore my idea was to have the crawler create a cookie that identifies it as having all roles for each application.

The problem I’m running into is this: how do I create a forms authentication cookie which already has the roles assigned in it without creating a corresponding user (IPrincipal).

It is entirely possible that I’ve failed to completely understand how Forms Authentication works, and if so, please tell me what I can do differently.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This is probably not what you want to hear, but…

    I would just have the crawler authenticate like anyone else.

    Given that this is a crawler you control, why fight Forms Authentication? Seems logical to create a user with all required roles in each application (hopefully you have a central administration point for the hundreds of apps, else I would not want to be an administrator there 😉

    If you do anything that allows “just the crawler” special access (bypass user-based authentication based on… what? The crawler’s user agent? A specific origin IP?), you create a security hole that a hacker can leverage to gain access to all of the intranet applications that have otherwise been diligently secured with user IDs, passwords and roles (in fact, the security hole is particularly wide because you propose granting access to EVERY role in the system).

    • 0