Wrox Programmer Forums

You are currently viewing the ASP.NET 2.0 Basics section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
Old May 17th, 2007, 05:15 PM
Registered User
 
Join Date: May 2007
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
Passing credentials from one site to another

I am making an ASP.NET member portal using C#. I have a fellow friend that has his own portal, and he wants to have access to one of the pages in my portal. Is there any way I can give him a link that will pass his users through to that page without having them log in again?

 
Old May 17th, 2007, 05:47 PM
Wrox Author
 
Join Date: Oct 2005
Posts: 4,104
Thanks: 1
Thanked 64 Times in 64 Posts
Send a message via AIM to dparsons
Default

Not easily. Session variables cannot be passed across domains and, furthermore, you cannot read cookies created outside of your domain. You could, of course, pass the credentials along via the query string, which then exposes that information in clear text to anyone, so that is not a very secure nor viable option.

Peter, Imar, or Gonzalo might have a suggestion but I am at a loss for any secure method for doing this.

================================================== =========
Read this if you want to know how to get a correct reply for your question:
http://www.catb.org/~esr/faqs/smart-questions.html
================================================== =========
Technical Editor for: Professional Search Engine Optimization with ASP.NET
http://www.wiley.com/WileyCDA/WileyT...470131470.html
================================================== =========
Why can't Programmers, program??
http://www.codinghorror.com/blog/archives/000781.html
================================================== =========
 
Old May 17th, 2007, 07:04 PM
Registered User
 
Join Date: May 2007
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Thank you. Do you think you can point me in the direction where I can learn more? Is there a way to have the password encrypted in the link?

 
Old May 17th, 2007, 08:15 PM
Wrox Author
 
Join Date: Oct 2005
Posts: 4,104
Thanks: 1
Thanked 64 Times in 64 Posts
Send a message via AIM to dparsons
Default

I really need to stress that you DON'T want to do this. Even if you encrypt the password you are still sending it via query string, and that is a potential security hole. Here is why.

www.domain.com/ref.aspx?un=foo&pw=######

where ##### is the hashed or encrypted password. Now inside your script you might call a function to decrypt the password or, in the case of an MD5 hash, you are just going to compare it against your database to make sure it matches. Either way, I could still steal these query string values and log into your site as anyone void of any authentication.

By doing it this way, you make the assumption that the user is coming from your friend's website, which may not entirely be the case.

 
Old May 17th, 2007, 10:23 PM
Friend of Wrox
 
Join Date: Jun 2003
Posts: 2,189
Thanks: 5
Thanked 59 Times in 57 Posts
Send a message via MSN to gbianchi
Default

This is not a secure idea (in fact I don't recommend this), but you can encrypt all the data in the query string, including a lot of trash in the middle to make it hard to detect. By all I mean even the parameter names.
But I don't get something: if your site needs to have a user login, and his site uses a login system too, how will you share it? If I subscribe myself to one, am I automatically subscribed to the other? Or is the password only to allow your friend to see your page? Maybe it is better if you just write a web server and get him the info he is looking for?

HTH

Gonzalo

================================================== =========
Read this if you want to know how to get a correct reply for your question:
http://www.catb.org/~esr/faqs/smart-questions.html
^^Took that from dparsons signature and he Took that from planoie's profile
================================================== =========
My programs achieved a new certification (can you say the same?):
WORKS ON MY MACHINE
http://www.codinghorror.com/blog/archives/000818.html
================================================== =========
I know that CVS was evil, and now i got the proof:
http://worsethanfailure.com/Articles...-Hate-You.aspx
================================================== =========
 
Old May 17th, 2007, 10:29 PM
planoie's Avatar
Friend of Wrox
 
Join Date: Aug 2003
Posts: 5,407
Thanks: 0
Thanked 16 Times in 16 Posts
Default

You could use a web service to handle a background authentication "handshake" between the two systems.

Background handshake:
- User is authenticated on site A and wishes to go to site B.
- Site A calls the web service on site B, passing the user's credentials.
- Web service on site B verifies the user's credentials, and creates a token (perhaps a GUID) which it puts somewhere semi-permanent. You can't use the session, because that's user specific. The data could certainly go into a database or into an application scope collection (perhaps the web cache). It would probably also be important to include a short duration timestamp with the token to allow only a short window for transfer. This interaction is happening server-to-server so a user can't see any sensitive data.

The handoff:
- Site A gets back the token from site B's web service.
- Site A redirects the browser to Site B, passing the token in the URL.
- Site B validates the token against its "active tokens" list to verify a legitimate handoff.
- Site B automatically logs the user on using the credentials stored with the original token at site B.

Now granted, this still doesn't get us around the problem of taking a handoff URL and using it elsewhere (apart from the limited time window of handoff). But I think that short of reverse engineering how Microsoft Passport/Live (or whatever they are calling it these days) works, you have to sacrifice some security for convenience.

An easier way of at least protecting the sensitive information from being easily harvested off the querystring is to put it into a form and post it to the other site.

-Peter
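
Added example (not part of the original thread, and not Peter's code): a sketch of site B's token store for the handoff described above. The class and member names are hypothetical; it assumes the web service has already verified the credentials, stores only the user name with the token, uses random bytes from RandomNumberGenerator instead of a GUID (a GUID is designed to be unique, not unpredictable), and adds single-use redemption on top of the time window so a copied handoff URL fails once the token has been redeemed.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Site B's side of the handoff: issue a short-lived token after the
// server-to-server credential check, then redeem it once on redirect.
public sealed class HandoffTokenStore   // hypothetical name
{
    private sealed class Entry { public string User; public DateTime ExpiresUtc; }

    private readonly Dictionary<string, Entry> _active = new Dictionary<string, Entry>();
    private readonly object _gate = new object();
    private readonly TimeSpan _lifetime;

    public HandoffTokenStore(TimeSpan lifetime) { _lifetime = lifetime; }

    // Called by the web service once the credentials sent by site A check out.
    public string Issue(string user, DateTime nowUtc)
    {
        byte[] raw = new byte[32];
        RandomNumberGenerator.Create().GetBytes(raw);   // unpredictable token
        string token = BitConverter.ToString(raw).Replace("-", "");  // URL-safe hex
        lock (_gate) { _active[token] = new Entry { User = user, ExpiresUtc = nowUtc + _lifetime }; }
        return token;
    }

    // Called by the landing page on site B with the token from the URL.
    // Returns the user name, or null if the token is unknown, used, or expired.
    public string Redeem(string token, DateTime nowUtc)
    {
        if (string.IsNullOrEmpty(token)) return null;
        lock (_gate)
        {
            Entry e;
            if (!_active.TryGetValue(token, out e)) return null;
            _active.Remove(token);   // single use: a replayed URL is rejected
            return nowUtc <= e.ExpiresUtc ? e.User : null;
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new HandoffTokenStore(TimeSpan.FromSeconds(30));
        DateTime t0 = DateTime.UtcNow;
        string token = store.Issue("alice", t0);   // "alice" is a constructed sample user
        Console.WriteLine(store.Redeem(token, t0.AddSeconds(5)) ?? "rejected");  // first use, in window
        Console.WriteLine(store.Redeem(token, t0.AddSeconds(6)) ?? "rejected");  // same token replayed
        Console.WriteLine(store.Redeem(store.Issue("alice", t0), t0.AddSeconds(31)) ?? "rejected");  // past window
    }
}
```

On success the landing page would establish site B's own login session for the returned user; the redirect itself should go over HTTPS so the token is not readable in transit.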
 
Old May 18th, 2007, 07:17 AM
Wrox Author
 
Join Date: Oct 2005
Posts: 4,104
Thanks: 1
Thanked 64 Times in 64 Posts
Send a message via AIM to dparsons
Default

Peter,
   That's an awesome solution, kudos ^^

 
Old May 20th, 2007, 01:57 PM
Registered User
 
Join Date: May 2007
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Peter,

  I agree. Thanks to everyone for all the help!!

Thanks again,
-GW

 
Old May 20th, 2007, 02:05 PM
Registered User
 
Join Date: May 2007
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
Default

 
Quote: An easier way of at least protecting the sensitive information from being easily harvested off the querystring is to put it into a form and post it to the other site.


Is there a way of doing this without having the user enter the login info? Like having the credentials saved in a way that a connection string is saved, and when the user clicks the link the info is posted from site A to site B.

I'm still a bit new to ASP.NET so I'm not sure what can and cannot be done.

Thanks again.

 
Old May 21st, 2007, 09:40 AM
planoie's Avatar
Friend of Wrox
 
Join Date: Aug 2003
Posts: 5,407
Thanks: 0
Thanked 16 Times in 16 Posts
Default

I'm not sure I understand what you are asking. How is this different than what I suggested above?

Or are you asking how to save the credentials so the user doesn't have to log in every time? This would be the "remember me" functionality that a lot of sites have. You just save the user identity in a cookie and automatically log on the user when they hit the site.

-Peter










Copyright (c) 2020 John Wiley & Sons, Inc.