How to create and sign in users automatically?

Topics: Controls
Mar 10, 2010 at 8:08 AM

Sorry if this has been asked before. I saw some related stuff in past posts, but nothing addressing my question specifically.

I have a web site that already has users/logins. I'd like to use BlogEngine essentially as a sub-component of this existing site. When a user registers with my site, I want to automatically create a BlogEngine user so that user has his own blog. When a user logs into or out of my site, I want to automatically log him into and out of BlogEngine. When a logged-in user clicks the "Blog" link on my site, I want to deliver him to his BlogEngine page, already logged in. Speaking more generally, it's like I want to be able to run BlogEngine in a "slave" mode.

Some other postings I saw on this referred to coordinating the SQL Server authentication between the site and BlogEngine, but I'd strongly prefer to stick with the database-less XML mode of BlogEngine if I can. I could experiment, creating users and logging in and out, watching what happens with the XML files, and trying to duplicate the same thing by performing those same file changes myself, but I was hoping to find some documentation on this since I don't want to overlook some detail and I don't want to do something inadvisable (e.g., something that would work with a single user during development but break down with multiple users going simultaneously in production).

Thanks for any help.

Michael

 

Coordinator
Mar 10, 2010 at 7:04 PM

BE uses a cookie when someone is logged in.  You can use the function FormsAuthentication.SetAuthCookie() and FormsAuthentication.SignOut() to manually log in someone and log them off.  SetAuthCookie() will create the cookie.

Two possible approaches would be ...

Idea # 1:  When the person logs into your main site, you redirect the person to the BE site.  You redirect them to a special page, possibly with some query string parameter that tells the page who the person is, and that it should log them in.  This page would use SetAuthCookie(), logging the person in, and then redirect them back to your main site.  This would all be done within 1 second and would be transparent to the user.  Similarly, when the person logs off your site, you can redirect them to the BE site to log them off.

Idea # 2:  You create an HTTP module in BE that checks the traffic coming into BE.  If the person is not logged in, it would check to see if there is a login cookie from the main site.  This assumes the main site and BE are on the same domain where the main site's cookies would be accessible from BE (BE is in a subfolder, or in a subdomain of the main site).  If the HTTP module sees the person is logged off, but determines the person is logged into the main site, then the HTTP module can use SetAuthCookie() to automatically log the person into BE.  And it would do the reverse too ... if it finds the person is logged into BE, but is not logged into the main site, then it would use SignOut().  With this Idea # 2, this process that the HTTP module does only occurs when the person actually comes to BE.  So unlike idea # 1, you are not redirecting the person to BE every time they log in and log out of your main site.

I think idea # 2 is better.  It's less transparent.  The only tricky part here is that the HTTP module needs to be able to recognize and/or possibly decrypt the cookie from your main site.  And I'm assuming your main site is cookie based, rather than it using the old HTTP/browser based security.  The HTTP module also needs to know the username/email address of the BE user when it decides it will log the person in.  This information could be encrypted in a cookie on the parent side, and decrypted in the HTTP module on the BE side.  Or, you could have a web service on the main site, where the HTTP module can call the web service passing the cookie information from the main site, and the web service would tell the HTTP module the username/email address of the user.  BE would then know what username/email address to log the person in under.
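A sketch of the HTTP module from Idea # 2, added here as an example; it is not part of the original reply and not BlogEngine's own code. It assumes the main site issues a cookie named `MainSiteUser` holding `username|expiryUnixSeconds|HEX(HMAC-SHA256)` and that both sites share a Base64 key in an `SsoHmacKey` app setting; the class name, cookie name, token layout and setting name are all hypothetical.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.Security;
// Hypothetical module; cookie name, token layout and the appSettings key are assumptions.
// Assumed token: username|expiryUnixSeconds|uppercase HEX(HMAC-SHA256(key, "username|expiry"))
public class MainSiteSsoModule : IHttpModule
{
    const string CookieName = "MainSiteUser";
    static readonly byte[] Key = Convert.FromBase64String(ConfigurationManager.AppSettings["SsoHmacKey"]);

    public void Init(HttpApplication app) { app.AuthenticateRequest += OnAuthenticate; }
    public void Dispose() { }
    // Registered in BE's own web.config, so it runs after FormsAuthenticationModule.
    void OnAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string mainUser = VerifiedUser(ctx.Request.Cookies[CookieName]);
        string beUser = (ctx.User != null && ctx.User.Identity.IsAuthenticated) ? ctx.User.Identity.Name : null;
        // Trust the cookie only if it verifies AND names an existing BE account.
        bool known = mainUser != null && Membership.GetUser(mainUser) != null;
        if (known && !string.Equals(mainUser, beUser, StringComparison.OrdinalIgnoreCase))
        {
            FormsAuthentication.SetAuthCookie(mainUser, false);   // session cookie for BE
            ctx.User = new GenericPrincipal(new GenericIdentity(mainUser), null);
        }
        else if (!known && beUser != null)
        {
            FormsAuthentication.SignOut();                        // main-site session is gone
            ctx.User = new GenericPrincipal(new GenericIdentity(string.Empty), null);
        }
    }
    // Returns the username only if the MAC matches and the token has not expired.
    static string VerifiedUser(HttpCookie cookie)
    {
        string[] p = cookie == null ? new string[0] : (cookie.Value ?? "").Split('|');
        long expires;
        if (p.Length != 3 || p[0].Length == 0 || !long.TryParse(p[1], out expires)) return null;
        string expected;
        using (var h = new HMACSHA256(Key))
            expected = BitConverter.ToString(h.ComputeHash(Encoding.UTF8.GetBytes(p[0] + "|" + p[1]))).Replace("-", "");
        int diff = expected.Length ^ p[2].Length;                 // compare without early exit
        for (int i = 0; i < expected.Length && i < p[2].Length; i++) diff |= expected[i] ^ p[2][i];
        long now = (long)(DateTime.UtcNow - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
        return (diff == 0 && now <= expires) ? p[0] : null;
    }
}
```

The same verification applies to the query string parameter in Idea # 1: BE should act on the username only when it arrives with a MAC and expiry it can check, since `SetAuthCookie()` itself performs no validation of the name it is given.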

Mar 10, 2010 at 7:30 PM

Thanks very much for the detailed reply.