We have done this with asp applications using vbscript, however I have not figured it out with DNN. The DNN application that I am wanting to auto login (generic user account, not unique) is currently using Forms authentication.

I am wondering if we could have a helper page that stored the information that normally would be in the cookie and write it to the url then redirect them to the DNN site with cookie info included.

If anyone has any ideas on this I would like to hear them.

Thanks,
Ron

Ron,

If I understand you correctly, you want to be able to "fake" a login on some page outside of DNN, so that when your visitor does go to DNN, they're already logged in. Is that correct?

I've got a similar, but opposite problem. I'd like to be able to check from an external (ASP) page to see if someone is logged in to DNN. The thought is that only people who are logged into DNN should be able to access the page.

Any ideas from the group? Can I check a cookie? Some session variable? I'm new enough to DNN that I'm not sure how it handles the login process yet...

Bryan

Hi Bryan,

Yeah that is correct, however I wouldn't necc say you are 'faking' the login as there is still authentication going on, in the sense that the creditials being passed will have to exist in DNN.

In the past you could pass credentials via the url such as:

someurl.com/login.asp?strUser=username&strPass=password

However I doubt that you can do this with the signin.ascx as signin.ascx isn't a stand alone page. What I was thinking of doing was making a duplicate signin page but as an aspx that I could then maybe write a sub to look for something in the referring url. The signin.aspx would be called directly from the referring site, and once everything clicked on the new signin.aspx page you could be redirected to default.aspx in dnn. That is my current thinking anyways.

As far as what you are wanting to do Bryan, I would say that the cookie wouldn't be of much use as I don't think that it keeps and maintains a user's logged in status. You could do a McGiver style tweak and use the users online module that does keep all of that info in a nice and tidy page and have your asp page reference that and do a lookup to see if they are logged in.

Just a thought.

-Ron

I think the desktopdefault.aspx could be modified to check for QueryString parameters and perform an AutoLogin. The problem is that the password would be passed in clear text in the URL ( not usually a good idea ). I have implemented systems in the past which used Public Key Encryption to pass a token for this purpose.

Shaun,

Thanks for the response. Being that this is going to be an intranet only system I am not too worried about the password being in the url string, and the content is not sensitive from a security stand point. If those were not factors I would agree that it is NOT a good idea to do and would be suicide to think otherwise.

I didn't think to look initially in the desktopdefault page, but since you mentioned it I see that it is already performing a request.querystring function. I will go from there and start goofing around and see what I can do.

From the looks of it I would probably want to create a function in the AdminDB class like you did for getting the tabid instead of loading up the desktopdefault page with too much code.

I will prob start working on this next week, and anything that I come up with I will gladly post here for others to use/improve.

Wish I was in Canada,
-Ron

Ron, any success or failures you could mention here on your attempts at this? I believe I am in the same situation as you and will be attempting something similar.
J

We've done automatic login in two ways:

1. Check for a specific refering url from a site that you have to be logged in to get to.
2. Check the users IP or IP range and login accordingly.

We create an anonomous user and use its creditials to pass to the login function. This is done in the default.aspx.vb page under Page_Init, after "Dim _portalSettings..." line.

       '#shuzo: Authorized Referrer Login


            Dim objSecurity As New PortalSecurity


            Dim strUrl As String = ""


            If Not HttpContext.Current.Request.UrlReferrer Is Nothing Then


                strUrl = HttpContext.Current.Request.UrlReferrer.ToString


            End If





            If Not Request.IsAuthenticated Then


                If strUrl = "http://www.dotnetnuke.com/default.aspx?TabID=68" Or strUrl = "http://www.someOtherURL.com" Then


                    ' Attempt to Validate User Credentials


                    Dim userId As Integer = objSecurity.UserLogin("myUsername", "myPassword", _portalSettings.PortalId)





                    If userId >= 0 Then


                        ' Use security system to set the UserID within a client-side Cookie


                        FormsAuthentication.SetAuthCookie(userId.ToString(), False) 'chkCookie.Checked


                        ' Redirect browser back to home page


                        Response.Redirect(Request.RawUrl, True)


                    Else


                        'move on


                    End If


                Else


                    '|UNAUTHORIZED|


                End If


            End If


       '#shuzo: End

This has worked great for us.

Hi,

We've just done something similar (still kinda new to DNN 2.1.2) by modifying the global.asax.vb file - within the Application_AuthenticateRequest event.

Our users actually log into another intranet application first (completely separate app and database) and we store login credentials in "encrypted" cookies mapped to the "/" directory of our server.

When Application_AuthenticateRequest is fired and Request.IsAuthenticated is false we then look for our credentials. If not found we redir to our login page and then back to DNN. If our credentials are found and Request.IsAuthenticated is false we then log into the DNN app. If the current user's info isn't in the DNN User table we add it on the fly.

In short, we've modified DNN to only allow access to users that have logged into our separate web app first.

Hope this helps.


Shawn

Hi Shawn,
Would you mind posting the code or global.asax.vb file you've modified (minus, of course, sensitive info)? Your situation is very similar to ours, and adding users on the fly would be ideal for us as well. I can probably track down all the pieces I need but I have little experience with encrypted cookies and am also relatively new to DNN 2.1.2 and could appreciate a time-savings here. Or if you prefer, you can email it to talismanj@yahoo.com.
Thanks in advance!
J

Thanks Shuzo, your code provided me with more options I may utilize.
J

Shawn,

I am assuming that the data store of the user credentials between the referring application and the dnn user data is sync'ed?

Was this the only place you had to make edits? I would be very interested in hearing more from you about this as I am new to encryption in total and have not had much success on my own at all.

Thanks,
Ron

Edited by SomeNewKid. Please post code between <code> and </code> tags.

---

Hi,

Warning - Long Post :)

I've pasted some code below but I thought some background on what we're up to might help as well:

* We've got an existing intranet with 2000+ users

* We do not have any "anonymous" users - every user is authenticated against our own user table.

* We've got a core collaboration engine for these users to work together on different projects (we call them web groups). There are many thousands of these web groups. Our web group model is very similar to DNN's (users, tabs, and roles)

* In addition to project collaboration, our users are broken down into a myriad of special interest groups (also using the collaboration engine)

* We're experimenting with porting these special interest groups groups over to DNN portals to give them the ability to define their own content / modules to use

* Some of our web groups are accessible to ALL users while others are security to specific user lists.

* We're relying on our existing infrastructure to handle most security type stuff

* Our existing security model DOES NOT use the .NET authentication stuff - all ASPX pages are inherited from a BasePage (like DNN) that handles security through cookies

* A big part of our mods is that we're maintaining a single set of users in the USERS table and drawing from that when adding users to specific portals. These USERS are actually pulled from our existing database when the user signs in.

* And finally, all of this is experimental at this point :) We're PATIENTLY waiting for DNN 3 to see if we'll take it to the finish. From what we've been reading about DNN 3, we're very hopeful

Why are we doing this? DNN contains some very nice / tight code - kudos to the core development team. We're looking for a more dynamic engine to power our collobration efforts across the enterprise by giving users more power in designing their interface. DNN's skins / modules (we'll be defining a fixed set of choices for each) gives us a great tool for getting there.

Below are the main snippets from our global.asax.vb and security.vb files (please note that we're still goofing around with this but it's pretty close). We've also added some routines to the SQL data provider to call our database for authentication / user mapping stuff.

Someone had questions on encryption - ours predates .NET and is very weak - just a simple routine that scrambles characters. Check DNN's global.asax.vb for .NET's FormsAuthentication.Encrypt / Decrypt for stronger scrambling.

Here's some code for review purposes only. It won't run without all the variable declarations, etc.:

Code @ Top of Application_AuthenticateRequest()

            If Request.IsAuthenticated = False And Convert.ToString(_portalSettings.GroupId).Trim <> "" Then


                ' we're not authenticated - check the our credentials


                ' and login from there (if available)


                If Not (Request.Cookies("UN") Is Nothing) Then


                    sUserName = Request.Cookies("UN").Value.ToString()





                    ' decode our password


                    sTempPW = Request.Cookies("UP").Value.ToString()


                    If (sTempPW <> "") Then


                        bFoundCookie = True


                        ' dscramble the password


                        sPassword = OurDecrypt(sTempPW)


                    End If


                    dr = DataProvider.Instance().CustomLogin(sUserName, sPassword)


                    If dr.Read() Then


                        sUserId = Convert.ToString(dr("Pros_Id"))


                        sUserName = Convert.ToString(dr("webid"))


                        sPassword = Convert.ToString(dr("webpsw"))


                        sFirstName = Convert.ToString(dr("FirstName"))


                        sLastName = Convert.ToString(dr("LastName"))


                        sUnit = ""


                        sStreet = ""


                        sCity = ""


                        sState = ""


                        sPostalCode = ""


                        sCountry = ""


                        sTelephone = ""


                        sEmail = Convert.ToString(dr("Email"))


                    End If


                    dr.Close()


                    If sUserId = "-1" Then


                        ' no good - user id not found in our table - redirect


                        ' to our login...


                        Response.Redirect("/aspx/SRedir.aspx?urlout=" & "~/" & glbDefaultPage & "?tabid=" & _portalSettings.HomeTabId.ToString)


                    End If


                    ' validate that the our user exists on the DNN Users table


                    dr = DataProvider.Instance().GetUserByOurId(sUserId)


                    If dr.Read() Then


                        iDNNUserId = Convert.ToInt32(dr("UserID"))


                    End If


                    dr.Close()


                    If iDNNUserId = -1 Then


                        ' not on the DNN user table so add them


                        iDNNUserId = DataProvider.Instance().AddOurUser(sUserId, sFirstName, sLastName, sUnit, sStreet, sCity, sState, sPostalCode, sCountry, sTelephone, sEmail, sUserName, sPassword, 0)


                    Else


                        ' we found em - sync the basic user info


                        DataProvider.Instance().UpdateUser(iDNNUserId, sFirstName, sLastName, sUnit, sStreet, sCity, sState, sPostalCode, sCountry, sTelephone, sEmail, sUserName, sPassword)


                    End If





                    ' now check the group portal to see if it maps to a web group


                    portalUserId = PortalSecurity.Custom_ValidatePortalUser(_portalSettings.GroupId, _portalSettings.PortalId, iDNNUserId, sUserId)





                    ' if the user is part of the portal then setup authentication for DNN


                    If portalUserId <> -1 Then


                        FormsAuthentication.SetAuthCookie(Convert.ToString(iDNNUserId), False)


                        Response.Redirect("/dnn/" & glbDefaultPage & "?tabid=" & _portalSettings.ActiveTab.TabId.ToString)


                    ElseIf _portalSettings.PortalId <> 0 And Convert.ToString(_portalSettings.GroupId).Trim() <> "" Then


                        Response.Write("Security Violation...")


                        Response.End()


                    End If


                Else


                    ' not logged into the our system yet so do that now


                    Response.Redirect("/aspx/SRedir.aspx?urlout=" & "/dnn/" & glbDefaultPage & "?tabid=" & _portalSettings.ActiveTab.TabId.ToString)


                End If


            End If





'' end of Application_AuthenticateRequest logic.

Custom routines from Security.VB:

        Public Shared Function Custom_ValidatePortalUser(ByVal sGroupId As String, ByVal PortalId As Integer, ByVal SiteUserId As Integer, ByVal sUserId As String) As Integer


            Dim dr As IDataReader


            Dim UserId As Integer





            dr = DataProvider.Instance().GetPortalUser(PortalId, SiteUserId)


            UserId = -1


            If dr.Read Then


                If Convert.ToBoolean(dr("Authorized")) Then


                    UserId = Convert.ToInt32(dr("UserId"))


                End If


                dr.Close()


                ' check if portal is linked to  Web Group


                ' resync roles based upon current team membership


                '  (eg, user is no longer part of a council)


                ' these kinds of updates are handled by the


                ' interface in our custom app


            Else


                dr.Close()


                ' Security


                ' check the Portal.GroupId


                ' if AllGroups Then if user isn't on this portal's


                ' user table add them to PortalUsers and add to


                ' Authorized Users role for this portal





                ' setup for role handling...


                Dim objRoles As RoleController = New RoleController


                Dim arrRoles As ArrayList = CBO.FillCollection(DataProvider.Instance().GetPortalRoles(PortalId), GetType(RoleInfo))





                If sGroupId.Trim().ToLower() = "all" Then


                    ' this group is open to all members so autogen


                    ' the portal's user record


                    UserId = Custom_AddPortalUser(PortalId, SiteUserId, objRoles, arrRoles)


                ElseIf sGroupId.Trim() <> "" Then


                    ' it's a Web Group - get security settings from there and update


                    ' portal membership as needed


                    Dim sConfSecure As String = "-1"


                    Dim sConfType As String = ""


                    Dim sParticip As String = "-1"


                    dr = DataProvider.Instance().GetGroupInfo(sGroupId)


                    If dr.Read() Then


                        sConfSecure = Convert.ToString(dr("ConfSecure"))


                        sConfType = Convert.ToString(dr("ConfType"))


                    End If


                    dr.Close()


                    Select Case sConfSecure


                        Case "-1"


                        Case "01", "S3"


                            ' these are Web Group portals that are visible and their


                            ' contents are visible so gen the user


                            UserId = Custom_AddPortalUser(PortalId, SiteUserId, objRoles, arrRoles)


                            dr = DataProvider.Instance().GetGroupTeamRecord(sGroupId, sUserId)


                            If dr.Read() Then


                                sParticip = Convert.ToString(dr("PARTICIP"))


                            End If


                            dr.Close()


                            If sParticip <> "-1" Then


                                ' user is part of the council


                                ' add the Council Member to DNN UserRoles


                                Custom_AddPortalUserRole(PortalId, SiteUserId, "Council Member", objRoles, arrRoles)


                                If sParticip = "MODERATOR" Then


                                    ' part of leadership


                                    Custom_AddPortalUserRole(PortalId, SiteUserId, "Council Leadership", objRoles, arrRoles)


                                End If


                            End If


                        Case Else


                            ' look at the Group Team to see if user can access this portal


                            sParticip = "-1"


                            dr = DataProvider.Instance().GetGroupTeamRecord(sGroupId, sUserId)


                            If dr.Read() Then


                                sParticip = Convert.ToString(dr("PARTICIP"))


                            End If


                            dr.Close()


                            If sParticip <> "-1" Then


                                ' the person is on the group's team so add them to the DNN


                                ' portaluser table


                                UserId = Custom_AddPortalUser(PortalId, SiteUserId, objRoles, arrRoles)


                                If sParticip = "MODERATOR" Then


                                    ' part of group moderators role


                                    Custom_AddPortalUserRole(PortalId, SiteUserId, "Moderator", objRoles, arrRoles)


                                End If


                            End If


                    End Select


                End If


            End If





            ' update last login into portal


            If UserId <> -1 Then


                DataProvider.Instance().UpdatePortalUser(PortalId, SiteUserId, True, Now)


            End If





            Return (UserId)





        End Function





        Public Shared Function Custom_AddPortalUser(ByVal PortalId As Integer, ByVal SiteUserId As Integer, ByVal objRoles As RoleController, ByVal arrRoles As ArrayList) As Integer


            Dim UserId As Integer





            UserId = DataProvider.Instance().AddPortalUser(PortalId, SiteUserId, True)


            Custom_GenPortalUserAutoRoles(PortalId, SiteUserId, objRoles, arrRoles)





        End Function





        Public Shared Sub Custom_GenPortalUserAutoRoles(ByVal PortalId As Integer, ByVal SiteUserId As Integer, ByVal objRoles As RoleController, ByVal arrRoles As ArrayList)





            Dim i As Integer


            Dim objRole As RoleInfo





            For i = 0 To arrRoles.Count - 1


                objRole = CType(arrRoles(i), RoleInfo)


                If objRole.AutoAssignment = True Then


                    objRoles.AddUserRole(PortalId, SiteUserId, objRole.RoleID, Null.NullDate)


                End If


            Next





        End Sub


        Public Shared Sub Custom_AddPortalUserRole(ByVal PortalId As Integer, ByVal SiteUserId As Integer, ByVal RoleName As String, ByVal objRoles As RoleController, ByVal arrRoles As ArrayList)





            ' add's a user to a portal role based upon role name


            Dim i As Integer


            Dim objRole As RoleInfo





            For i = 0 To arrRoles.Count - 1


                objRole = CType(arrRoles(i), RoleInfo)


                If objRole.RoleName = RoleName Then


                    objRoles.AddUserRole(PortalId, SiteUserId, objRole.RoleID, Null.NullDate)


                End If


            Next





        End Sub





''' End of Security.vb updates

We've also built a bunch of "interface" modules to load our controls in the DNN interface. It's a bit tricky, but we're getting there.

ps Sorry for the formatting - paste the code into a VB module and let the IDE beautify it for you.

Whew! I hope this helps!


Shawn

This is great,
I just used this as an idea for what I needed to do, thanks!

I'm in the fortunate situation that both DNN and our existing app have their databases on servers that we completely own. We are using DNN for an internal portion of our app, and therefore only need certain people to be automatically logged in.

First I needed to import existing users from our legacy app, so:
1. I created a class that extended the UserInfo class, and added one property, "Role" -- this is not Role in the sense of DNN Security Roles --
2. I created a stored procedure that mapped all the info from our existing user db to the format needed for the UserInfo business object.
3. I inherited from SchedulerClient and created a DoWork method to perform the task of calling UserController.AddUser for each new user.
4. Still have to do something about _updated_ users, though that should not be too hard, since we already keep a "profile last updated" history in our existing app.

For the transparent login itself:

I made a 10 line .aspx page that calls the same UserLogin method mentioned in this thread.

1. From our legacy app, I pass the user id through a hidden frame when the user loads the page (It just occurred to me that I could just as well make this query in a script tag, and avoid having to worry about even putting the iframe tag on the page)
2. The user clicks a link that refers to the DNN instance, and they are already logged in by the time they get there
3. I have not yet implemented this part, but I want to make the legacy app store a UUID token in its own database when the user logs in, then pass that token to the DNN login page. The DNN instance will then attempt to match the passed userid with the security token from the legacy app's database, to ensure that the user is who they should be.

The last thing I need to do is make DNN's skin look just like our existing asp 3.0 app. I'm hoping to avoid rewriting code if at all possible, and the only dynamic aspect to the page container is a few links on the left hand side that are dependent upon the user's role and profile id.

My initial thought was to make a server control that replicates this left side, but now I think there is a way to do it without having to duplicate the functionality of the ASP code in asp.net.

I still may make a server control for parts of it, like for setting the path to the img resources and the css and javascript URLs, but for the content on the left side, I think I'll do something like this:

1. In the old ASP, create page that generates a javascript array that contains all the items for the left side menu.
2. From the DNN skin, make a call to this page from a SCRIPT tag to get all the data.
3. From the DNN skin's client side, write out the menu using client side javascript, similar to how the speerio site map is done in this code here as it appears on my own site:

siteMap_ctl0__ctl2__ctl8.add(8,7,'JavaScript Blunders and Bloopers','/Default.aspx?tabid=43');
siteMap_ctl0__ctl2__ctl8.add(9,7,'XPCOM: Cross Platform Component Circuitry','/Default.aspx?tabid=45');
siteMap_ctl0__ctl2__ctl8.add(10,7,'C# Content Grabber with WebClient and Regex','/Default.aspx?tabid=46');
siteMap_ctl0__ctl2__ctl8.add(11,7,'Providing Database Data to RoboHelp w/JavaScript','/Default.aspx?tabid=51');
siteMap_ctl0__ctl2__ctl8.add(12,7,'XML Research','/Default.aspx?tabid=52');
siteMap_ctl0__ctl2__ctl8.add(13,7,'RoboHelp JavaScript API and IE Problems and Fix','/Default.aspx?tabid=56');

I used this technique in a RoboHelp project deployment that needed data from the database, but needed to also be compiled as Windows Help .CHM. So, I made a call to an ASP page that generates JavaScript objects, which the client page then renders at display time. Here is an article and code for that:

http://67.19.192.183:7136/Default.aspx?tabid=51

I may just decide to do the whole left side in a user control on the server side anyway, but I think this way would work just fine too.

-Josh