Mono Support: How to login a user by passing credentials encrypted on the querystring (Closed)

Viewed 18950 time(s), 7 post(s), 2/2/2012 2:53:27 PM - by AndyDerrick
2/2/2012 2:53:27 PM
30 Reputation 4 Total posts

Hi, we have another web app running on a subdomain. Users log in to this system, then we wish to redirect them off to MonoX, passing encrypted credentials that match existing accounts within MonoX (so they get automatically logged on without having to go through another login procedure). I have looked at the API reference and cannot see methods that allow a username and password to be passed to create a valid login. Can you point me in the right direction?

1
2/2/2012 3:52:57 PM
15993 Reputation 2214 Total posts

Hi,

the best approach here would be to redirect the MonoX membership system to your app running on the sub-domain and then implement Single Sign-On. Please take a look at the following articles and get back to us if you have any other questions:

Single Sign-On Enterprise Security for Web Applications
Single sign-on across multiple applications in ASP.NET

Regards

2
2/2/2012 5:11:40 PM
7207 Reputation 956 Total posts

In addition to what Kristijan said, the best approach for this type of scenario relies on the provider infrastructure: this post has more details.
However, if your applications are running on different servers, or for any other reason, you might want to try passing encrypted credentials via URL. This approach has its security shortcomings, but anyhow, here is some sample code.

UrlParams are used in MonoX to achieve strong typing when working with query parameters:

//Have following parameters in the UrlParams class
public static class UrlParams
{
      public static readonly UrlParam<string> Token = new UrlParam<string>("token");
      public static readonly UrlParam<string> AutoRegisterUserName = new UrlParam<string>("uid");
      public static readonly UrlParam<bool?> CreatePersistentCookie = new UrlParam<bool?>("cpc");
}

Something like this would go to your login screen:

//Handle the LoggingIn event in the Login module
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI.WebControls;

public class Login : MonoSoftware.MonoX.Pages.Login
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        ctlLogin.LoggingIn += new LoginCancelEventHandler(ctlLogin_LoggingIn);
    }

    void ctlLogin_LoggingIn(object sender, LoginCancelEventArgs e)
    {
        //Validate against the local membership provider first; only a successful
        //login is forwarded to the other domain
        if (Membership.ValidateUser(ctlLogin.UserName, ctlLogin.Password))
        {
            //CrossDomainAutoLoginPageUrlGoesHere is a placeholder for the host and path of
            //the overridden MonoX login page on the other domain; Append(UrlParam, value)
            //is the MonoX helper for building the query string
            string redirectUrl = String.Format("http://{0}", CrossDomainAutoLoginPageUrlGoesHere
                //The token is the encrypted issue time; the receiving page checks its age
                .Append(UrlParams.Token, HttpUtility.UrlEncode(DESExtension.Encrypt(DateTime.Now.Ticks.ToString())))
                .Append(UrlParams.AutoRegisterUserName, HttpUtility.UrlEncode(DESExtension.Encrypt(ctlLogin.UserName)))
                .Append(UrlParams.CreatePersistentCookie, ctlLogin.RememberMeSet)
            );

            //Redirect client-side once the page has rendered
            string redirectScript = String.Format("$(document).ready(function() {{ $(location).attr('href','{0}'); }});", redirectUrl);
            MonoSoftware.MonoX.Utilities.JavascriptUtility.RegisterStartupScript(this, this.GetType(), String.Format("{0}_redirectScript", MonoSoftware.MonoX.ApplicationSettings.ApplicationTitle), redirectScript, true);

            //Cancel the local login; the user is logged in on the target domain instead
            e.Cancel = true;
        }
    }
}


And finally, the most important piece: the overridden MonoX login page with the method below, which checks the credentials and performs the login if everything is OK. Note that your request should have a short expiration time (5 secs in this example) to prevent possible security problems.

using System;
using System.Security;
using System.Web.Security;

//Overridden MonoX login page on the target domain
public class Login : MonoSoftware.MonoX.Pages.Login
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        if (UrlParams.AutoRegisterUserName.HasValue)
        {
            if (!UrlParams.Token.HasValue)
            {
                throw new SecurityException();
            }
            long tokenTicks;
            string userName;
            try
            {
                tokenTicks = long.Parse(DESExtension.Decrypt(UrlParams.Token.Value));
                userName = DESExtension.Decrypt(UrlParams.AutoRegisterUserName.Value);
            }
            catch (Exception)
            {
                //Malformed or tampered ciphertext is a failed login, not an unhandled error
                throw new SecurityException();
            }
            //Age of the token, taken as now minus issue time: the original "issued - now" is
            //negative for every genuine token, so the 5-second limit was never enforced
            TimeSpan timeSpan = TimeSpan.FromTicks(Math.Abs(DateTime.Now.Ticks - tokenTicks));
            //Token valid for 5 seconds
            if (timeSpan.TotalSeconds > 5)
            {
                throw new SecurityException();
            }
            //Auto login
            FormsAuthentication.SetAuthCookie(userName, UrlParams.CreatePersistentCookie.Value.GetValueOrDefault());
            //Redirect to home page of the current domain (the one that the user has just been logged into)
            Response.Redirect("~");
        }
    }
}
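
As an added example, not code from the original post or from MonoX, here is one way to harden the hand-off sketched above. Instead of encrypting the timestamp and the user name separately with DES and sending them as two query parameters, the issuing app produces a single HMAC-SHA256-signed token that binds the user name, the issue time, a random nonce and the remember-me flag together; the receiving page verifies the signature in constant time before trusting any field, enforces the 5-second window as an absolute difference, and accepts each nonce only once. The class name SsoTokenService, the payload layout and the in-process nonce cache are assumptions made for this illustration; the shared key would be configured on both applications.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not part of MonoX): one signed, single-use, short-lived SSO token
// in place of the separately DES-encrypted "token" and "uid" query parameters.
// Token   = base64url(payload) "." base64url(HMAC-SHA256(key, payload))
// Payload = userName|issuedUtcTicks|nonce|persistent
public sealed class SsoTokenService
{
    private readonly byte[] _key;       // shared secret, configured on both applications
    private readonly TimeSpan _maxAge;  // 5 seconds in the post above
    private readonly ConcurrentDictionary<string, DateTime> _seenNonces = new ConcurrentDictionary<string, DateTime>();

    public SsoTokenService(byte[] sharedKey, TimeSpan maxAge)
    {
        if (sharedKey == null || sharedKey.Length < 32) throw new ArgumentException("use a random key of at least 256 bits", "sharedKey");
        _key = sharedKey;
        _maxAge = maxAge;
    }

    // Issuing side: the sub-domain app calls this after Membership.ValidateUser succeeded.
    public string Issue(string userName, bool persistentCookie)
    {
        if (string.IsNullOrEmpty(userName) || userName.IndexOf('|') >= 0) throw new ArgumentException("user name must be non-empty and must not contain '|'", "userName");
        byte[] nonce = new byte[16];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create()) rng.GetBytes(nonce);
        string payload = string.Join("|", userName, DateTime.UtcNow.Ticks.ToString(), ToBase64Url(nonce), persistentCookie ? "1" : "0");
        byte[] payloadBytes = Encoding.UTF8.GetBytes(payload);
        return ToBase64Url(payloadBytes) + "." + ToBase64Url(Mac(payloadBytes));
    }

    // Receiving side: the overridden login page calls this and sets the auth cookie only on true.
    // Returns false for anything malformed, forged, stale or replayed; never throws on attacker input.
    public bool TryValidate(string token, out string userName, out bool persistentCookie)
    {
        userName = null; persistentCookie = false;
        if (string.IsNullOrEmpty(token)) return false;
        int dot = token.IndexOf('.');
        if (dot <= 0 || dot == token.Length - 1) return false;
        byte[] payloadBytes, mac;
        try { payloadBytes = FromBase64Url(token.Substring(0, dot)); mac = FromBase64Url(token.Substring(dot + 1)); }
        catch (FormatException) { return false; }

        // 1. Authenticity, compared in constant time, before anything in the payload is trusted.
        if (!FixedTimeEquals(Mac(payloadBytes), mac)) return false;
        string[] parts = Encoding.UTF8.GetString(payloadBytes).Split('|');
        long issuedTicks;
        if (parts.Length != 4 || !long.TryParse(parts[1], out issuedTicks)) return false;

        // 2. Freshness as an absolute difference: "issued - now" is negative for every genuine
        //    token and would never trip the limit, and a clock that runs ahead is not trusted either.
        TimeSpan age = TimeSpan.FromTicks(Math.Abs(DateTime.UtcNow.Ticks - issuedTicks));
        if (age > _maxAge) return false;

        // 3. Single use: a nonce can be redeemed once; TryAdd fails on a replay inside the window.
        PruneNonces();
        if (!_seenNonces.TryAdd(parts[2], DateTime.UtcNow)) return false;

        userName = parts[0];
        persistentCookie = parts[3] == "1";
        return true;
    }

    private byte[] Mac(byte[] data)
    {
        using (HMACSHA256 h = new HMACSHA256(_key)) return h.ComputeHash(data);
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Nonces older than twice the window can no longer pass the freshness check, so drop them.
    private void PruneNonces()
    {
        DateTime cutoff = DateTime.UtcNow - _maxAge - _maxAge, ignored;
        foreach (var kv in _seenNonces)
            if (kv.Value < cutoff) _seenNonces.TryRemove(kv.Key, out ignored);
    }

    private static string ToBase64Url(byte[] b)
    {
        return Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    private static byte[] FromBase64Url(string s)
    {
        string t = s.Replace('-', '+').Replace('_', '/');
        if (t.Length % 4 == 1) throw new FormatException();
        return Convert.FromBase64String(t.PadRight(t.Length + (4 - t.Length % 4) % 4, '='));
    }
}
```

On the issuing side the three Append calls collapse to one parameter carrying `HttpUtility.UrlEncode(service.Issue(ctlLogin.UserName, ctlLogin.RememberMeSet))`; on the receiving side OnInit calls TryValidate and only on success calls FormsAuthentication.SetAuthCookie with the returned user name and flag. The nonce cache is per process, so a receiving web farm needs a shared store for it (or must accept that a token can be replayed within the window). The token still travels on the query string and therefore lands in web-server logs and in the Referer header of the next page; the short lifetime and single use limit what such a leak is worth, and the shared key has to be rotated on both sides if it is ever exposed.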

3
2/8/2012 7:39:33 AM
30 Reputation 4 Total posts

Hi Denis,

Thanks for your post, this sounds like just what I want to implement. I will try what you suggest.

Thanks Andy

4
2/6/2012 7:28:49 AM
30 Reputation 4 Total posts

Hi Denis,

I cannot find the method ValidateUser in the Membership class; the only ValidateUser that I can find in the API documentation is Metaweblog.ValidateUser. I have tried extending this class but it keeps returning false. Could you possibly point me in the right direction on where the method Membership.ValidateUser is exposed?

Thanks Andy

5
2/6/2012 11:44:35 AM
7207 Reputation 956 Total posts

This is a standard method from the System.Web.Security.Membership class: http://msdn.microsoft.com/en-us/library/system.web.security.membership.validateuser.aspx

6
2/7/2012 6:23:11 AM
30 Reputation 4 Total posts

Hi Denis, I just assumed it was a MonoX class, makes sense now. Made the changes and, brilliant, all works as expected. Thanks for your help.
