Home/ Questions/Q 88261
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-10T22:31:55+00:00

I implemented OpenID support for an ASP.Net 2.0 web application and everything seems to

  • 0

I implemented OpenID support for an ASP.Net 2.0 web application and everything seems to be working fine on my local machine.

I am using DotNetOpenId library. Before I redirect to the third party website I store the orginal OpenID in the session to use when the user is authenticated (standard practice I believe).

However I have a habit of not typing www when entering a URL into the address bar. When I was testing the login on the live server I was getting problems where the session was cleared. My return url was hard coded as http://www.mysite.com.

Is it possible that switching from mysite.com to www.mysite.com caused the session to switch?

Another issue is that http://www.mysite.com is not under the realm of mysite.com.

What is the standard solution to these problems. Should the website automatically redirect to www.mysite.com? I could just make my link to the log in page an absolute url with containing www? Or are these just hiding another problem?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Solve the realm problem that you mentioned is easy. Just set the realm to *.mysite.com instead of just mysite.com. If you’re using one of the ASP.NET controls included in the library, you just set a property on the control to set the realm. If you’re doing it programmatically, you set the property on the IAuthenticationRequest object before calling RedirectToProvider().

    As far as the session/cookie problem goes with hopping between the www and non-www host name, you have two options:

    1. Rather than storing the original identifier in the session, which is a bad idea anyway for a few reasons, use the IAuthenticationRequest.AddCallbackArguments(name, value) method to store the user’s entered data and then use IAuthenticationResponse.GetCallbackArgument(name) to recall the data when the user has authenticated.
    2. Forget it. There’s a reason the dotnetopenid library doesn’t automatically store this information for you. Directed identity is just one scenario: If the user types ‘yahoo.com’, you probably don’t want to say to them ‘Welcome, yahoo.com!’ but rather ‘Welcome, id.yahoo.com/andrewarnott’! The only way you’re going to get the right behavior consistently is to use the IAuthenticationResponse.FriendlyIdentifierForDisplay property to decide what to display to the user as his logged in identifier. It gives more accurate information, and is easier than storing a value in the callback and getting it back. 🙂
    • 0