MonoX support board

Start the conversation, ask questions and share tips and solutions with fellow developers.

Non-registered users can only browse through our support boards. Please register now if you want to post your questions. It takes a second and it is completely free. Alternatively, you can log in without registration using your credentials at major sites such as Google, Microsoft Live, OpenId, Facebook, LinkedIn or Yahoo.

How to login a user by passing credentials encrypted on the querystring (Closed) (Mono Support )

Viewed 11187 time(s), 7 post(s) 2/2/2012 2:53:27 PMby AndyDerrick
AndyDerrick

AndyDerrick

2/2/2012 2:53:27 PM
Hi, we have another web app running on a subdomain, users login to this system then we wish to redirect them off to MonoX, passing encrypted credentials that match existing accounts within MonoX (so they get automatically logged on without having to go through another login procedure). I have looked at the API reference and cannot see methods that allow a username and password to be passed to create a valid login. Can you point me in the right direction?
This content has not been rated yet. 
30 Reputation 4 Total posts
khorvat

khorvat

2/2/2012 3:52:57 PM
Hi,

the best approach here would be to redirect the MonoX membership system to your app running on the sub-domain and then implement Single Sign-On. Please take a look at the following articles and get back to us if you have any other questions:

Single Sign-On Enterprise Security for Web Applications
Single sign-on across multiple applications in ASP.NET

Regards
This content has not been rated yet. 
15993 Reputation 2214 Total posts
denis

denis

2/2/2012 5:11:40 PM

In addition to what Kristijan said, the best approach for this type of scenarios relies on the provider infrastructure: this post has more details.
However, if your applications are running on different servers, or for any other reason, you might want to try passing encrypted credentials via URL. This approach has its security shortcommings, but anyhow, here is some sample code.

UrlParams are used in MonoX to achieve stong typing when working with query parameters:

//Have following parameters in the UrlParams class
public static class UrlParams
{
      public static readonly UrlParam<string> Token = new UrlParam<string>("token");
      public static readonly UrlParam<string> AutoRegisterUserName = new UrlParam<string>("uid");
      public static readonly UrlParam<bool?> CreatePersistentCookie = new UrlParam<bool?>("cpc");
}

Something like this would go to your login screen:

//Handle the LoggingIn event in the Login module
public class Login : MonoSoftware.MonoX.Pages.Login
{
      protected override void OnInit(EventArgs e)
      {
            base.OnInit(e);
            ctlLogin.LoggingIn += new System.Web.UI.WebControls.LoginCancelEventHandler(ctlLogin_LoggingIn);
      }
 
      void ctlLogin_LoggingIn(object sender, System.Web.UI.WebControls.LoginCancelEventArgs e)
      {
            if (Membership.ValidateUser(ctlLogin.UserName, ctlLogin.Password))
            {
                  string redirectUrl = String.Format("http://{0}", CrossDomainAutoLoginPageUrlGoesHere
                        .Append(UrlParams.Token, HttpUtility.UrlEncode(DESExtension.Encrypt(DateTime.Now.Ticks.ToString())))
                        .Append(UrlParams.AutoRegisterUserName, HttpUtility.UrlEncode(DESExtension.Encrypt(ctlLogin.UserName)))
                        .Append(UrlParams.CreatePersistentCookie, ctlLogin.RememberMeSet)
                  );
 
                  string redirectScript = String.Format("$(document).ready(function() {{ $(location).attr('href','{0}'); }});", redirectUrl);
                  MonoSoftware.MonoX.Utilities.JavascriptUtility.RegisterStartupScript(this, this.GetType(), String.Format("{0}_redirectScript", MonoSoftware.MonoX.ApplicationSettings.ApplicationTitle), redirectScript, true);
 
                  e.Cancel = true;
            }
      }
}


And finally, the most important piece - overriden MonoX login page with the method below that checks for credentials and performs login if everything is OK. Note that your request should have a short expiration time (5 secs in this example), to prevent possible security problems.

protected override void OnInit(EventArgs e)
{
      base.OnInit(e);
 
      if (UrlParams.AutoRegisterUserName.HasValue)
      {
            if (!UrlParams.Token.HasValue)
            {
                  throw new SecurityException();
            }
            TimeSpan timeSpan = new TimeSpan(Math.Abs(long.Parse(DESExtension.Decrypt(UrlParams.Token.Value))) - DateTime.Now.Ticks);
            //Token valid for 5 seconds
            if (timeSpan.TotalSeconds > 5)
            {
                  throw new SecurityException();
            }
            //Auto login
            FormsAuthentication.SetAuthCookie(DESExtension.Decrypt(UrlParams.AutoRegisterUserName.Value), UrlParams.CreatePersistentCookie.Value.GetValueOrDefault());
            //Redirect to home page of the current domain (the one that the user have just been logged into)
            Response.Redirect("~");
      }
}

This content has not been rated yet. 
7207 Reputation 956 Total posts
AndyDerrick

AndyDerrick

2/8/2012 7:39:33 AM
Hi Denis,

Thanks for your post, this sounds just what i want to implement, I will try what you suggest.

Thanks Andy
This content has not been rated yet. 
30 Reputation 4 Total posts
AndyDerrick

AndyDerrick

2/6/2012 7:28:49 AM
Hi Denis,

I cannot find the method ValidateUser in the Membership class, the only ValidateUser that I can find in the api documentation is Metaweblog.ValidateUser, I have tried extending this class but it keeps returning false, could you possible point me in the right direction on where the method Membership.ValidateUser is exposed.

Thanks Andy
This content has not been rated yet. 
30 Reputation 4 Total posts
denis

denis

2/6/2012 11:44:35 AM
This is a standard method from the System.Web.Security.Membership class: http://msdn.microsoft.com/en-us/library/system.web.security.membership.validateuser.aspx
This content has not been rated yet. 
7207 Reputation 956 Total posts
AndyDerrick

AndyDerrick

2/7/2012 6:23:11 AM
HI Denis, I just assumed it was a MonoX class, makes sense now. Made the changes and brilliant, all works as expected thanks for your help
This content has not been rated yet. 
30 Reputation 4 Total posts