Here’s the setup:
1. Front end web site, Forms Authentication
2. Back end web services (probably WCF), on a different network with HTTPS enabled.
So the code for the front end retrieves data through these back end web services.
The back end web service itself needs user requests to be authenticated. The back end web service isn’t just going to hand out data to the front end service trusting that it’s OK.
So how is this done? Right now the only thing that comes to mind is during login, store the password in the UserData field of the encrypted forms auth cookie so that future requests can use it to access the back end. But boy does that feel icky.
This seems like the sort of setup that would be very common, yet I can’t find any good ideas from googling.
Note that the front end will be an MVC application, though I don’t think MVC/Web Forms would matter — any solution would probably work just fine for both.
Crickets from the audience……..
The strategy I’ve decided to go with is the following:
Upon login, the front end web site creates the normal forms authentication ticket. It also calls a backend web service login function which will also implement forms authentication. The ASPXAUTH cookie returned by the backend web service will be stored in the UserData property of the frontend forms authentication cookie.
So now, when the frontend needs to call a backend method, it has the backend forms authentication cookie stored in the UserData of the frontend forms authentication ticket. It can attach that to the WCF HTTP call for authentication.
The biggest danger I can see is that the session timeouts can get offset from one another, particularly if the user browses around some pages on the frontend that don’t require backend calls. In that case, the sliding timer will reset on the frontend but not on the backend. The best counter to that I can think of is to have all requests to the front end call a Ping() method on the backend if they’re actively logged in.
Anybody see any holes to poke in this strategy?