Previous Thread

6/19/2006 10:28:55 AM    Remote logon page like Microsoft passport
Hi, 
 
Our company has a database of users that we use to authenticate users on 
 
various websites. 
 
However, some of our customers want to develop a website on their own and 
 
use the same database authenticate users. 
 
At first I was thinking to create a WebService that accepts username & 
 
password and returns if it's valid or not. But it is *very* important that 
 
our customers don't know the password of these users. Because our customers 
 
could "log" the data send to the webservice, this is obviously not a good 
 
idea. 
 
So I guess what we need is a system like Microsoft passport where the user 
 
gets redirected to another website to logon and returns to the original url 
 
afterwards. 
 
What would be the best way to communicate between urls? It should be easy to 
 
implement and yet secure. 
 
Steven 
 
- - -



6/19/2006 1:31:32 PM    Re: Remote logon page like Microsoft passport
you can always do this: 
 
Client Web Form should have the action form using POST method to your page 
 
in your server with 2 forms (user and pwd) and 2 hidden inputs ( clientID 
 
and PostBackURL ) 
 
your page accepts by POST the clientID and check if there's a correct 
 
clientID to use your function, if ok accept user and pwd, and get true or 
 
false, and redirect again to PostBackURL 
 
************************************* 
 
or have the same, but the LOGIN page is in your server and you only accept, 
 
ClientID and PostBackURL [or only ClientID and from the DB you know where to 
 
redirect the user after a good authentication] 
 
using this they never know username/pwd from your own clients 
 
************************************* 
 
.... did I miss anything? 
 
hope the idea is exactly what you need... 
 
-- 
 
Bruno Alexandre 
 
(a Portuguese in Københanv, Danmark) 
 
"Steven Spits" <nospam@company.com> escreveu na mensagem 
 
news:e35JSo3kGHA.4816@TK2MSFTNGP05.phx.gbl...

6/19/2006 2:19:02 PM    Re: Remote logon page like Microsoft passport
Bruno, 
 
This way would allow the client to log input before sending it to us. So no, 
 
not a good idea. 
 
This is what I meant when saying "like Microsoft passport". But I'm still 
 
not sure how to make it secure? 
 
For example, how do I test in PostBackURL that the user was authenticated 
 
using *our* login page? Using parameters 
 
("http://ClientServer/WebApp/Validated.aspx?UserID=12345") would be 
 
insecure, unless both parties write some code to check if the querystring is 
 
not tampered with (like 
 
http://aspnet.4guysfromrolla.com/articles/083105-1.aspx). But I want 
 
implementation to be as easy as possible so I'm not sure this is the way to 
 
go... 
 
Steven 
 
- - -

6/19/2006 2:36:03 PM    Re: Remote logon page like Microsoft passport
steve that's why I told you to use POST instead of GET 
 
POST does not give values in the URL Address... on GET 
 
Web Client Application: 
 
<form name="myform" id="myform" method="POST" 
 
action="www.yourserver.com/loginpage.aspx"> 
 
<input type="hidden" 
 
value="http://www.ClientWebServer.com/user/default.aspx" name="PostBackURL" 
 
/> 
 
<input type="hidden" value"iux876xj" name="CLientID" /> 
 
<a href="#" onclick="document.myform.submit();">Please click here to 
 
login</a> 
 
</form> 
 
******************************************************************** 
 
Your loginpage.apx in you server 
 
<% 
 
Protected Sub Page_Load(ByVal sender As Object, ByVal e As 
 
System.EventArgs) 
 
Dim sClientID as String = request("ClientID") 
 
if sClientID isnot nothing then 
 
if validateClientID( sClientID ) then 
 
' everything is ok, let's show the login page to the 
 
user, but before let's keep the PostBackURL 
 
session("RedirectTo") = request("PostBackURL") 
 
else 
 
' the clientID does not EXIST redirect the user with an 
 
error 
 
response.redirect("http://www.ClientWebServer.com/user/default.aspx?error=1", 
 
true ) 
 
end if 
 
end if 
 
End Sub 
 
Protected Sub btnLogin_Click(ByVal sender As Object, ByVal e As 
 
System.EventArgs) 
 
' imagine this is the event when the user click the LOGIN button 
 
in this page 
 
dim sUser as string = fUser.text.tostring 
 
dim sPwd as string = fPwd.text.tostring 
 
if validateUser(sUser, sPwd) then 
 
response.redirect( session("PostBackURL"), true) 
 
else 
 
myErrorLabel.Text = "Invalid Username/Password!" 
 
end if 
 
End Sub 
 
%> 
 
got it?... 
 
if you still have doubts, send me an email (bruno.in.dk@gmail.com) and I 
 
will send you 2 pages with this working. 
 
-- 
 
Bruno Alexandre 
 
(a Portuguese in Københanv, Danmark) 
 
"Steven Spits" <nospam@company.com> escreveu na mensagem 
 
news:uWZSro5kGHA.3512@TK2MSFTNGP03.phx.gbl...

6/19/2006 3:00:58 PM    Re: Remote logon page like Microsoft passport
"Bruno Alexandre" wrote: 
 
There is no difference in using POST or GET. Both can be tampered with. 
 
I think you misunderstood me. The QueryString I used as an example is the 
 
one *after* validation. Like this one on your code: 
 
I want to return to the client WHO was authenticated. And I also want to 
 
make sure in "PostBackURL" that the user was actually validated and didn't 
 
typed that URL directly in his browser. 
 
I appreciate your help...! 
 
Steven 
 
- - -

6/19/2006 3:30:08 PM    Re: Remote logon page like Microsoft passport
You can temper the Passport URL's... but what's the point? you will not be 
 
validated! 
 
sincerelly I thing you are putting too much in a really simple thing! 
 
you problem is the username and password (as in Passport) and that YOU CAN 
 
NOT temper as I told you! 
 
soon you are login in your client could set a session to true and only show 
 
the postbackurl page if the sessionID is the same that you can send him 
 
back, for example... 
 
like: 
 
http://www.ClientWebServer.com/user/iuqwqwe7098709870qweyoqywe/default.aspx 
 
and youre client must use redirect em asp.net to show the content, that's 
 
called URL Mapping 
 
in the HOW DO I: Microsoft Video Series, you have this in the Tips & Tricks 
 
VIDEO (this particulary part stars at 14.05'') 
 
http://msdn.microsoft.com/asp.net/learning/learn/newtodevelopment/default.aspx 
 
-- 
 
Bruno Alexandre 
 
(a Portuguese in Københanv, Danmark) 
 
"Steven Spits" <nospam@company.com> escreveu na mensagem 
 
news:ehQgRA6kGHA.896@TK2MSFTNGP04.phx.gbl...

6/19/2006 4:17:17 PM    Re: Remote logon page like Microsoft passport
"Bruno Alexandre" wrote: 
 
We are clearly talking about something else. 
 
Like I said before twice, *AFTER* validation I want to return to the calling 
 
webserver and indicate WHO logged on. Tampering with this information (POST 
 
or GET doesn't matter) has a very good point because I can fool the 
 
webserver I got validated correctly as someone else! 
 
One can never put enough effort in security. 
 
The validation itself happens on my server, so I'm not afraid of any 
 
tampering here... 
 
....not sure what you mean here? How can a SessionID help me? We're talking 
 
different servers here. 
 
I'm familiar with url mapping, but I'm not sure how this is going to help 
 
me? Url mapping is just another way to send parameters, only less visible to 
 
the user. 
 
Steven 
 
- - -