I am making an ASP.NET member portal using C# I have a fellow friend that has his own portal, and he wants to have access to one of the pages in my portal. Is there any way I can give him a link that will pass his users through to that page without having them login again?

Not easily. Session variables can not be passed across domains and, futhermore, you can not read cookies created outside of your domain. You could, of course, pass the credientials along via the query string which then exposes that information in clear text to anyone so that is not a very secure nor viable option.

Peter, Imar, or Gonzalo might have a suggestion but I am at a loss for any secure method for doing this.

================================================== =========
Read this if you want to know how to get a correct reply for your question:
http://www.catb.org/~esr/faqs/smart-questions.html
================================================== =========
Technical Editor for: Professional Search Engine Optimization with ASP.NET
http://www.wiley.com/WileyCDA/WileyT...470131470.html
================================================== =========
Why can't Programmers, program??
http://www.codinghorror.com/blog/archives/000781.html
================================================== =========

Thank you. Do you think you can point me in the direction where I can learn more? Is there a way to have the password encrypted in the link?

I really need to stress that you DONT want to do this. Even if you encrypt the password you are still sending it via query string and is a potential security hole. Here is why.

www.domain.com/ref.aspx?un=foo&pw=######

where ##### is the hashed or encrypted password. Now inside your script you might call a function to decrypt the password or, in the case of an MD5 hash, you are just going to compare it against your database to make sure it matches. Either way, I could still steal these query string values and log into your site as anyone void of any authentication.

By doing it this way, you make the assumption that the user is coming from your friends website which may not entirely be the case.

================================================== =========
Read this if you want to know how to get a correct reply for your question:
http://www.catb.org/~esr/faqs/smart-questions.html
================================================== =========
Technical Editor for: Professional Search Engine Optimization with ASP.NET
http://www.wiley.com/WileyCDA/WileyT...470131470.html
================================================== =========
Why can't Programmers, program??
http://www.codinghorror.com/blog/archives/000781.html
================================================== =========

this is not a secure idea (in fact i don't recommend this) but you can encrypt all the data in the query string including a lot of trash in the middle to make it hard to detect.. by all I mean even the parameters name...
But i don't get something, if your site needs to have a user login, and his site use a login system too, how will you share it?? if I subscribe myself to one I'm automatic subscribed to the other?? or the password is only to allow your friend to see your page?? maybe is better is you just write a web server and get him the info is looking for????

HTH

Gonzalo

================================================== =========
Read this if you want to know how to get a correct reply for your question:
http://www.catb.org/~esr/faqs/smart-questions.html
^^Took that from dparsons signature and he Took that from planoie's profile
================================================== =========
My programs achieved a new certification (can you say the same?):
WORKS ON MY MACHINE
http://www.codinghorror.com/blog/archives/000818.html
================================================== =========
I know that CVS was evil, and now i got the proof:
http://worsethanfailure.com/Articles...-Hate-You.aspx
================================================== =========

You could use a web service to handle a background authentication "handshake" between the two systems.

Background handshake:
- User is authenticated on site A and wishes to go to site B.
- Site A calls the web service on site B, passing the user's credentials.
- Web service on site B verifies the user's credentials, and creates a token (perhaps a GUID) which it puts somewhere semi-permanent. You can't use the session, because that's user specific. The data could certainly go into a database or into a application scope collection (perhaps the web cache). It would probably also be important to include a short duration timestamp with the token to allow only a short window for transfer. This interaction is happening server-to-server so a user can't see any sensitive data.

The handoff:
- Site A gets back the token from site B's web service.
- Site A redirects the browser to Site B, passing the token in the URL.
- Site B validates the token against it's "active tokens" list to verify a legitimate handoff.
- Site B automatically logs the user on using the credentials stored with the original token at site B.

Now granted, this still doesn't get us around the problem of taking a handoff URL and using it elsewhere (apart from the limited time window of handoff). But I think that short of reverse engineering how Microsoft Passport/Live (or whatever they are calling it these days) works, you have to sacrifice some security for convenience.

An easier way of at least protecting the sensitive information from being easily harvested off the querystring is to put it into a form and post it to the other site.

-Peter

Peter,
   Thats an awesome solution, kudos ^^

================================================== =========
Read this if you want to know how to get a correct reply for your question:
http://www.catb.org/~esr/faqs/smart-questions.html
================================================== =========
Technical Editor for: Professional Search Engine Optimization with ASP.NET
http://www.wiley.com/WileyCDA/WileyT...470131470.html
================================================== =========
Why can't Programmers, program??
http://www.codinghorror.com/blog/archives/000781.html
================================================== =========

Peter,

  I agree. Thanks to everyone for all the help!!

Thanks again,
-GW

 

Is there a way of doing this without having the user enter the login info? Like having the credentials saved in away that a connection string is saved, and when the user clicks the link the info is posted from site A to site B.

Im still a bit new to ASP .NET so im not sure what can and cannot be done.

Thanks again.

I'm not sure I understand what you are asking. How is this different than what I suggested above?

Or are you asking how to save the credentials so the user doesn't have to log in every time? This would be the "remember me" functionality that a lot of sites have. You just save the user identity in a cookie and automatically log on the user when they hit the site.

-Peter