I know this is a bit of a contradiction, but how would one go about keeping authentication like forms turned on for a website, but also allow someone to login using a saved url with information in it?
Currently with our site we can turn on forms authentication to protect direct access from typing in a url, which is great. The problem is certain users to our site are required to bypass the login page by using a url link with their username and password
included. This doesn't work if forms authentication is turned on.
Right now someone would login at http://testsite.com/login.aspx and that would pass them over to http://testsite.com/first/search.aspx
We can send the user a url that contains http://testsite.com/first/search.aspx?username=user&pwd=password and that will log them in and take them right to the search page.
Of course when forms auth is turned on they just get bumped back to the login page. What would be the correct way to possibly remedy this situation? I've added a cookie string, but was unsure if that could be passed directly in the url along with the login
information.
but also allow someone to login using a saved url with information in it?
You should never rely on URL for authentication.
veekay
The problem is certain users to our site are required to bypass the login page by using a url link with their username and password included.
User Name and password in URL is big NO. Alternatively you can create an authentication cookie which never expire and that should work.
If you want only this, then make your search page redirect to login page with supplied query string if not authenticated then in login page check for user name & password in query string, if exist then validate against db and then your redirection process
will take place to redirect user to search page.
Is that called anything specific so I could find more details about the query string? I'm not a programmer so I'm kind of limping along trying to fix this. I had made an authentication cookie, but had no idea how to pass that in a url.
veekay
Member
55 Points
22 Posts
Secure site login, but allow access through stored url code?
Aug 06, 2012 06:40 PM|LINK
I know this is a bit of a contradiction, but how would one go about keeping authentication like forms turned on for a website, but also allow someone to login using a saved url with information in it?
Currently with our site we can turn on forms authentication to protect direct access from typing in a url, which is great. The problem is certain users to our site are required to bypass the login page by using a url link with their username and password included. This doesn't work if forms authentication is turned on.
Right now someone would login at http://testsite.com/login.aspx and that would pass them over to http://testsite.com/first/search.aspx
We can send the user a url that contains http://testsite.com/first/search.aspx?username=user&pwd=password and that will log them in and take them right to the search page.
Of course when forms auth is turned on they just get bumped back to the login page. What would be the correct way to possibly remedy this situation? I've added a cookie string, but was unsure if that could be passed directly in the url along with the login information.
CPrakash82
All-Star
18152 Points
2830 Posts
Re: Secure site login, but allow access through stored url code?
Aug 07, 2012 12:50 AM|LINK
You should never rely on URL for authentication.
User Name and password in URL is big NO. Alternatively you can create an authentication cookie which never expire and that should work.
If you want only this, then make your search page redirect to login page with supplied query string if not authenticated then in login page check for user name & password in query string, if exist then validate against db and then your redirection process will take place to redirect user to search page.
veekay
Member
55 Points
22 Posts
Re: Secure site login, but allow access through stored url code?
Aug 07, 2012 06:32 PM|LINK
Is that called anything specific so I could find more details about the query string? I'm not a programmer so I'm kind of limping along trying to fix this. I had made an authentication cookie, but had no idea how to pass that in a url.
CPrakash82
All-Star
18152 Points
2830 Posts
Re: Secure site login, but allow access through stored url code?
Aug 07, 2012 10:30 PM|LINK
There are couple of article on MSDN for this, this should give your good start.
http://msdn.microsoft.com/en-us/library/ff647070.aspx