Here’s the situation: the user is able to sign into an MVC application from another website. That website is not ASP.NET-based. It could be PHP, JSP or Websphere… or anything.
I have tried doing this:
[HttpPost]
public string RemoteLogOn(string userName, string password)
{
    if (userName != null && password != null)
    {
        if (MembershipService.ValidateUser(userName, password))
        {
            FormsAuthentication.SetAuthCookie(userName, false);
            return "success";
        }
        else
        {
            return "failed";
        }
    }
    else
    {
        return "failed";
    }
}
Calling the MVC app at the /RemoteLogOn URI (posting the request using PHP and cURL) works. The “success” string is returned. However, it seems that the cookie is not generated properly – when I return to the MVC site and check User.Identity.Name, null is returned.
What is the right way to allow a user to log in via a web service?
Edit: How do I properly set the returned cookie?
PS. This is just a trial POC; eventually we’ll use SOAP or REST and try to improve the security.
Here’s the PHP code that did the calling
<?php
$url = "http://localhost:54134/Account/RemoteLogOn";
$fields = array(
    "userName" => "asd1234",
    "password" => "****"
);
// build the POST body; the string must exist before it is appended to
$fields_string = '';
foreach($fields as $key=>$value) { $fields_string .= $key.'='.$value.'&'; }
// rtrim() returns the trimmed string, so assign it back
$fields_string = rtrim($fields_string,'&');
//open connection
$ch = curl_init();
//set the url, number of POST vars, POST data
curl_setopt($ch,CURLOPT_URL,$url);
curl_setopt($ch,CURLOPT_POST,count($fields));
curl_setopt($ch,CURLOPT_POSTFIELDS,$fields_string);
//execute post
$result = curl_exec($ch);
echo '<pre>'.print_r($result, true).'</pre>';
//close connection
curl_close($ch);
?>
Debugging the app shows the user name and password are passed in properly to the MVC side.
OK, what you need to do is save the cookie that comes back from your cURL request and make sure it gets sent with subsequent requests.
This is how to set where to store cookies (and include in subsequent requests) in PHP:
You’ll need the cookie filename to be constant through the process, so I would suggest using a variable and initialising it thus:
You can get more details on this at the PHP documentation site:
http://www.php.net/manual/en/function.curl-setopt.php
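The cookie handling this answer describes, as an added example that is not part of the original answer or the poster's code: cURL stores the cookie set by /RemoteLogOn in a jar file and sends it back on the next request. The `request()` helper and the second URL (`$nextUrl`) are hypothetical names chosen for illustration.

```php
<?php
// Added example. $nextUrl is an assumed page that requires the
// forms-authentication cookie; it does not appear in the question.
$loginUrl = 'http://localhost:54134/Account/RemoteLogOn'; // from the question
$nextUrl  = 'http://localhost:54134/';                    // assumption

// One jar per caller, kept constant for the whole exchange. tempnam()
// creates the file with 0600 permissions, so other local accounts
// cannot read the authentication cookie.
$cookieFile = tempnam(sys_get_temp_dir(), 'mvcjar_');

function request(string $url, string $cookieFile, ?array $post = null): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,        // return the body instead of echoing it
        CURLOPT_COOKIEJAR      => $cookieFile, // write received cookies here on close
        CURLOPT_COOKIEFILE     => $cookieFile, // send cookies already stored here
    ]);
    if ($post !== null) {
        curl_setopt($ch, CURLOPT_POST, true);
        // http_build_query() URL-encodes every name and value
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post));
    }
    $body = curl_exec($ch);
    if ($body === false) {
        $body = 'cURL error: ' . curl_error($ch);
    }
    unset($ch); // releasing the handle flushes the cookies to the jar
    return $body;
}

$result = request($loginUrl, $cookieFile, ['userName' => 'asd1234', 'password' => '****']);
if ($result === 'success') {
    // The same jar is passed again, so the auth cookie accompanies this request.
    echo htmlspecialchars(request($nextUrl, $cookieFile));
} else {
    echo 'Login failed: ' . htmlspecialchars($result);
}
unlink($cookieFile); // remove the stored cookie once the exchange is finished
```

The jar authenticates only requests made by this PHP process; the visitor's browser never receives the cookie. The POC URL is plain HTTP, so the password and the cookie travel unencrypted until the endpoint is served over HTTPS.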