Authenticate using query string

    General discussion

  • Hi

    I have the need for the following scenario and I'm not sure how to go about it.

    I have developed a SL application that needs to be executed from a link on a client website. This client website needs to have seamless authentication as the client doesn't want its users to have to remember and use further login details. What they want to do is send some encrypted values in the querystring that the SL application will use to authenticate against the database.

    From what I have researched, it seems like this may be possible?

    But how would I achieve this? 

    Do I need to create a login.aspx page which receives these parameters and, if authentication is passed, redirects to the .aspx hosting the SL application?  Or is there a 'simpler' way?

    Should it be done server side in Global.asax or client side in Application_Startup?

    Any help is much appreciated.

    Thanks

    Wednesday, April 11, 2012 4:33 AM

All replies


  • If you mean only authenticated users can access that link, just set a hidden field with the user login status. This way, you won't have to re-login again.

    It is better if you do it in Application_Startup.

    Inside your silverlight App.xaml, just check whether the user is valid.   
    If not, just display a generic "you must login" message.

    I wrote similar code here (the 3rd post) :  http://social.msdn.microsoft.com/Forums/en-US/silverlightarchieve/thread/c2b7ee9c-399d-4f12-91b3-92ef79ef378f//1?Which+event+to+check+user+name+on+MainPage

    Just set a proper login status instead of the user name.

    Hope it Helps

    Wednesday, April 11, 2012 5:51 AM
  • Hi

    Thanks for your reply.

    I'll make sure to have a look at your link.

    One of the variables that is being passed in the querystring is a user identifier which I need to use to retrieve specific data from the DB.  I assume your suggestion is still viable given that fact?

    Thanks

    Wednesday, April 11, 2012 5:54 AM
  • It will be appropriate to do this in Application_startup.

    Check if the following solves your purpose (using assembly System.Windows.Browser):

            HtmlPage.Document.DocumentUri.OriginalString

    You can parse this uri to fetch the parameters passed.

    You may also make use of the following:

            HttpContext.Current.User.Identity.Name

    This gives info about logged in user.

    Regards.

    Sunday, April 15, 2012 12:11 PM
  • Thanks for your responses guys.  I've had a look at the links and managed to come up with two possible solutions.

    Solution 1:

    In App.xaml inside Application_StartUp, get the query string values for the url and pass these to the authentication service.  Simple enough.  What are the security issues with this?

    Solution 2:

    Server side I add an aspx page called login.aspx.  I make this the default page.  Inside my web.config, I add authorization rules that deny access to unauthorised users for the Default.aspx (which hosts the silverlight app) and ClientBin etc.

    So the separate client site will call my site like so 'http://....../login.aspx?id=Me&Pass=password'.  Don't worry, it won't be in plain text or anything like that, this is just for illustration.

    In the code behind for login.aspx I do this.  Apologies, it's very very rough, just to get something working.

     

                // Only handle requests that carry exactly two query string values.
                if (Request.QueryString.Count == 2)
                {
                    string username = null;
                    string password = null;

                    if (Request.QueryString["id"] != null)
                        username = Request.QueryString["id"].ToString();
                    if (Request.QueryString["p"] != null)
                        password = Server.UrlEncode(Request.QueryString["p"].ToString());

                    // Missing values: send the caller back to the login page.
                    if (String.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
                        Response.Redirect("login.aspx", true);

                    if (ValidateUser(username, password))
                    {
                        // Issue a 10-minute, non-persistent forms-authentication ticket.
                        FormsAuthenticationTicket tkt;
                        string cookiestr;
                        HttpCookie ck;
                        tkt = new FormsAuthenticationTicket(1, username, DateTime.Now,
                            DateTime.Now.AddMinutes(10), false, "your custom data");
                        cookiestr = FormsAuthentication.Encrypt(tkt);
                        ck = new HttpCookie(FormsAuthentication.FormsCookieName, cookiestr);

                        ck.Expires = tkt.Expiration;
                        ck.Path = FormsAuthentication.FormsCookiePath;
                        Response.Cookies.Add(ck);

                        // ReturnUrl is taken from the request as supplied; it is not
                        // checked to be a local path before the redirect.
                        string strRedirect;
                        strRedirect = Request["ReturnUrl"];
                        if (strRedirect == null)
                            strRedirect = "Default.aspx";
                        Response.Redirect(strRedirect, true);
                    }
                    else
                        Response.Redirect("login.aspx", true);
                }
     
    Can anyone point out the issues with either solution and which they would recommend please?
    Thanks
    Tuesday, April 17, 2012 6:16 AM
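
Added example, not part of any post in this thread: one way login.aspx (Solution 2 above) could accept a link from the client site without carrying a password, by verifying a signed, expiring user identifier. The `uid`/`exp`/`sig` parameter names, the `SignedLinkToken` class and the shared key are assumptions made for illustration.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;
// Added example. Hypothetical link format: login.aspx?uid=<id>&exp=<unix seconds>&sig=<hex HMAC>
public static class SignedLinkToken
{
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    // HMAC-SHA256 over "uid|exp", keyed with a secret known only to the two sites.
    public static string Sign(string uid, long expUnix, byte[] key)
    {
        string msg = uid + "|" + expUnix.ToString(CultureInfo.InvariantCulture);
        using (var hmac = new HMACSHA256(key))
            return BitConverter.ToString(hmac.ComputeHash(Encoding.UTF8.GetBytes(msg))).Replace("-", "");
    }

    // True only when the signature matches the fields and the link has not expired.
    public static bool Verify(string uid, string exp, string sig, byte[] key, DateTime utcNow)
    {
        long expUnix;
        if (string.IsNullOrEmpty(uid) || uid.Contains("|") || string.IsNullOrEmpty(sig) ||
            !long.TryParse(exp, NumberStyles.None, CultureInfo.InvariantCulture, out expUnix))
            return false;
        // Check the signature first, so unsigned fields are never acted on.
        if (!FixedTimeEquals(Sign(uid, expUnix, key), sig.ToUpperInvariant()))
            return false;
        return (long)(utcNow - Epoch).TotalSeconds <= expUnix;
    }

    // Compares every character instead of stopping at the first mismatch.
    static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    public static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key"); // constructed sample key
        DateTime now = DateTime.UtcNow;
        long exp = (long)(now - Epoch).TotalSeconds + 300;           // link valid for 5 minutes
        string e = exp.ToString(CultureInfo.InvariantCulture), sig = Sign("user42", exp, key);
        Console.WriteLine(Verify("user42", e, sig, key, now));                // untouched link
        Console.WriteLine(Verify("other", e, sig, key, now));                 // uid changed after signing
        Console.WriteLine(Verify("user42", e, sig, key, now.AddMinutes(10))); // checked after expiry
    }
}
```

After a successful `Verify`, login.aspx would issue the forms-authentication ticket for `uid` as in the post above. The link still ends up in browser history and server logs, so it belongs on HTTPS with a short expiry.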
  • Any other thoughts?

    Monday, April 23, 2012 10:09 AM