Check user identity from cookie
Question asked by Tim Winkelmann - 3/5/2019 at 1:21 AM
Answered
Hi,

I am writing a backend app in a language other than ASP.NET (right now NodeJS, but it could be anything).
This app will be hosted on the same domain as SmarterTrack (and on the same machine) and thus will have access to the cookies set by SmarterTrack.

I want to check who is logged in, to enable or disable certain features in my app (your usual security stuff).
This is some sort of Single Sign On, but I don't need anything complex such as a way to create or delete sessions from within my app.

Is it possible, from the cookies, to determine which user is authenticated? Maybe by decrypting a cookie with the public key of the server to verify the authenticity of the data?
If not, how should I go about this? My project can't work if the user has to provide his credentials again when accessing my platform.

I have found this article, but it requires an ASP.NET backend for some reason.

Best regards
Tim Winkelmann

3 Replies

0
Andrew Barker Replied
Employee Post Marked As Answer
Currently, the user authentication information for SmarterTrack is stored in an ASP.NET cookie. This cookie is encoded by .NET, in part for security. Only other properly configured .NET web applications will be able to decode and use this cookie. As far as we are aware, there is currently no way to decode this cookie using NodeJS.

Andrew Barker
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com

0
Tim Winkelmann Replied
Hi,

Thanks for your answer.
I'm currently in the process of setting up a simple ASP .NET app to test this.

This article is not really useful for me, is it? Because, if I understand it correctly, the external login provider is designed to use external credentials (like Active Directory users, for example) on the SmarterTrack platform, whereas I want to use SmarterTrack credentials to connect (authenticate) users on my website.

Best regards
0
Andrew Barker Replied
Employee Post
Sharing credentials between SmarterTrack and another site will be most effective if both are using an external provider for authentication. Such a setup allows all authentication requests from both sites to be run against the same authentication protocols. However, the single sign-on configuration described in that KB article does not require an external provider. It is possible to accomplish what you have described without an external provider, but it may be more complicated to do so.

Andrew Barker
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
