Non-registered users can only browse through our support boards. Please register now if you want to post your questions. It takes a second and it is completely free. Alternatively, you can log in without registration using your credentials at major sites such as Google, Microsoft Live, OpenId, Facebook, LinkedIn or Yahoo.

Mono Support How to login a user by passing credentials encrypted on the querystring (Closed)

Viewed 1028 time(s) , 7 post(s). 4 month(s) ago by AndyDerrick

Back to all discussion topics

30 Reputation

4 Total posts

This content has not been rated yet.

AndyDerrick 4 month(s) ago

Hi, we have another web app running on a subdomain, users login to this system then we wish to redirect them off to MonoX, passing encrypted credentials that match existing accounts within MonoX (so they get automatically logged on without having to go through another login procedure). I have looked at the API reference and cannot see methods that allow a username and password to be passed to create a valid login. Can you point me in the right direction?

8100 Reputation

1122 Total posts

This content has not been rated yet.

khorvat 4 month(s) ago

Hi,

the best approach here would be to redirect the MonoX membership system to your app running on the sub-domain and then implement Single Sign-On. Please take a look at the following articles and get back to us if you have any other questions:

Single Sign-On Enterprise Security for Web Applications
Single sign-on across multiple applications in ASP.NET

Regards

5910 Reputation

724 Total posts

This content has not been rated yet.

denis 4 month(s) ago

In addition to what Kristijan said, the best approach for this type of scenarios relies on the provider infrastructure: this post has more details.
However, if your applications are running on different servers, or for any other reason, you might want to try passing encrypted credentials via URL. This approach has its security shortcommings, but anyhow, here is some sample code.

UrlParams are used in MonoX to achieve stong typing when working with query parameters:

//Have following parameters in the UrlParams class

public static class UrlParams

{

public static readonly UrlParam<string> Token = new UrlParam<string>("token");

public static readonly UrlParam<string> AutoRegisterUserName = new UrlParam<string>("uid");

public static readonly UrlParam<bool?> CreatePersistentCookie = new UrlParam<bool?>("cpc");

}

Something like this would go to your login screen:

//Handle the LoggingIn event in the Login module

public class Login : MonoSoftware.MonoX.Pages.Login

{

protected override void OnInit(EventArgs e)

{

base.OnInit(e);

ctlLogin.LoggingIn += new System.Web.UI.WebControls.LoginCancelEventHandler(ctlLogin_LoggingIn);

}

void ctlLogin_LoggingIn(object sender, System.Web.UI.WebControls.LoginCancelEventArgs e)

{

if (Membership.ValidateUser(ctlLogin.UserName, ctlLogin.Password))

{

string redirectUrl = String.Format("http://{0}", CrossDomainAutoLoginPageUrlGoesHere

.Append(UrlParams.Token, HttpUtility.UrlEncode(DESExtension.Encrypt(DateTime.Now.Ticks.ToString())))

.Append(UrlParams.AutoRegisterUserName, HttpUtility.UrlEncode(DESExtension.Encrypt(ctlLogin.UserName)))

.Append(UrlParams.CreatePersistentCookie, ctlLogin.RememberMeSet)

);

string redirectScript = String.Format("$(document).ready(function() {{ $(location).attr('href','{0}'); }});", redirectUrl);

MonoSoftware.MonoX.Utilities.JavascriptUtility.RegisterStartupScript(this, this.GetType(), String.Format("{0}_redirectScript", MonoSoftware.MonoX.ApplicationSettings.ApplicationTitle), redirectScript, true);

e.Cancel = true;

}

And finally, the most important piece - overriden MonoX login page with the method below that checks for credentials and performs login if everything is OK. Note that your request should have a short expiration time (5 secs in this example), to prevent possible security problems.

protected override void OnInit(EventArgs e)

{

base.OnInit(e);

if (UrlParams.AutoRegisterUserName.HasValue)

{

if (!UrlParams.Token.HasValue)

{

throw new SecurityException();

}

TimeSpan timeSpan = new TimeSpan(Math.Abs(long.Parse(DESExtension.Decrypt(UrlParams.Token.Value))) - DateTime.Now.Ticks);

//Token valid for 5 seconds

if (timeSpan.TotalSeconds > 5)

{

throw new SecurityException();

}

//Auto login

FormsAuthentication.SetAuthCookie(DESExtension.Decrypt(UrlParams.AutoRegisterUserName.Value), UrlParams.CreatePersistentCookie.Value.GetValueOrDefault());

//Redirect to home page of the current domain (the one that the user have just been logged into)

Response.Redirect("~");

}

30 Reputation

4 Total posts

This content has not been rated yet.

AndyDerrick 4 month(s) ago

Hi Denis,

Thanks for your post, this sounds just what i want to implement, I will try what you suggest.

Thanks Andy

30 Reputation

4 Total posts

This content has not been rated yet.

AndyDerrick 4 month(s) ago

Hi Denis,

I cannot find the method ValidateUser in the Membership class, the only ValidateUser that I can find in the api documentation is Metaweblog.ValidateUser, I have tried extending this class but it keeps returning false, could you possible point me in the right direction on where the method Membership.ValidateUser is exposed.

Thanks Andy

5910 Reputation

724 Total posts

This content has not been rated yet.

Answer

denis 4 month(s) ago

This is a standard method from the System.Web.Security.Membership class: http://msdn.microsoft.com/en-us/library/system.web.security.membership.validateuser.aspx

30 Reputation

4 Total posts

This content has not been rated yet.

AndyDerrick 4 month(s) ago

HI Denis, I just assumed it was a MonoX class, makes sense now. Made the changes and brilliant, all works as expected thanks for your help