Reg : Forms Authentication

Naresh Ede asked on July 26, 2017 09:20

I have multiple sites running in kentico, All users had permission on all sites.

So if a user login in one site, then the user can log on to all sites automatically.

like once we login google account we can access all domains(youtube,drive,gmail,etc.) without login again and again.

Is it possible to achieve it in kentico by default or we have to go for customization.

Recent Answers

Matt Nield answered on July 26, 2017 12:28

I think you can manage this without any customization, though it has been a while since I've had a similar requirement.

If you checkout this documentation on sharing user accounts between sites, it should help. It makes the assumption that all sites are running on the same kentico instance though. If you're running on onseparate instances, then yes - you will need to start cutting some custom code as far as I am aware. A good place to start looking is the Configuring single sign-on on DevNet

2 votesVote for this answer Mark as a Correct answer

Brenden Kehren answered on July 26, 2017 15:22 (last edited on July 26, 2017 15:26)

If you want a user to log into all websites when they authenticate, there is a setting for this in Settings>Security & Membership>Administration>Automatically sign-in user when site changes. If this is checked, it will automatically sign the user in to all sites when they change the site they are logging into as long as that user has access to that site.

I should say, this might only work for the Admin interface and not a regular, non-cms user.

0 votesVote for this answer Mark as a Correct answer

Trevor Fayas answered on July 26, 2017 15:25

The main issue with switching sites and staying logged in is the session that holds their login status is stored in a cookie which is domain specific, so when you go to another domain their session is 'new' to that site and thus they need to sign in.

Along with Matt's recommendation, what we did for another client is created 2 webparts. A "Site Switcher" and a "Auto Login Receiver"

The Site Switcher would, on postback, create a guid and save that user's name along with the guid in a temporary table, with a timestamp. Then it would redirect the user to the other site on the page with the Auto Login Receiver webpart, along with (in the form data) the Guid.

The auto login receiver would check for the guid in the Form Data, and lookup the username on the temp table by Guid, if the record was within say 30 seconds it would use Kentico's API to force log them in, and delete the temporary record.

It was secure enough because the guid (although it was in the Form) it is only usable once and you can't really guess a guid.

This is kind of what Kentico does with it's site switcher tool on the Kentico Admin, if you use it you can be auto-logged into the other site, but if you go to the other site via typing it in the URL you'll be prompted with a username/password login screen.

1 votesVote for this answer Mark as a Correct answer

Peter Mogilnitski answered on July 26, 2017 16:01 (last edited on July 26, 2017 16:11)

I assume we are talking about visitors. If your sites are sub domains of the same domain - it is easy. if you have for example:

mycompany.com 
site1.mycompany.com 
site2.mycompany.com

you just need to issue AUTH cookie for main domain mycompany.com and it will work for all of them. But if you have 

site1.com 
site2.com

this is different story.

1 votesVote for this answer Mark as a Correct answer

   Please, sign in to be able to submit a new answer.