Last post Dec 27, 2005 02:34 PM by jeremypettit
Dec 20, 2005 02:45 PM|shamunda|LINK
Ok I'ved asked this before but hadn't recieved an answer, and it's been several days, but I would really like some guidance in this if you will.
Is there anyway I can pass login information directly to dnn in the url? I'm working on a project that will tie a portal to a LMS.
So for example:
http://www.mydnn.com/myportal?username=joe&password=schmoe - something like that to automatically login the user.
Is there anyway to do this?
Dec 20, 2005 02:56 PM|hooligannes97|LINK
Dec 20, 2005 04:33 PM|stevedotnut|LINK
Dec 20, 2005 05:59 PM|Konk|LINK
Dec 27, 2005 12:14 PM|shamunda|LINK
Of course I know it's a security risk, as such the many things that we have all had to find the work arounds for simply because of those words - "not recommended", "security risk", "not supported".
However risk is irrelevant
Thank you Konk for shedding some light on my issue, and you are absolutely correct there is a valid reason of why i need to do this.
Dec 27, 2005 12:29 PM|thecrispy1|LINK
Dec 27, 2005 12:58 PM|shamunda|LINK
I appreciate your concern and thank you for the advice, but as stated earlier the security risk factor at this point of time is irrelevant. I'm certain there are many different ways to achieve the effect of what i'm trying to do, however, I'm only working
on proof of conept for my own internal needs.
Security will only become relevant when there is an external threat, as such this is a virtual system being used for simulation.
The proper method of doing this is not necessary yet but if/when the time does arise I'm sure I'll be back to find out how it's done properly.
Dec 27, 2005 02:34 PM|jeremypettit|LINK
I as a developer also understand that passing info through the querystring is a security risk, but at times the needs of a customer forces you into things. We had to interface with a partner's existing portal, and they were unable to modify it to use a webservice
and insisted on using an iframe to do it as they did with other sites. So we had to bend to work with them. So both sides using SSL is the best we could do in this situation.
First thing before I'd post any code, I'd like to ask if you are a programmer and could compile a new module. If not, you can email me and I'll hook you up with a module package.
On the note of security:
With SSL, the querystring is stripped off of the route information of the URL when creating the routing information in the https packaging process by the browser and are included in the encrypted data block
Querystring is in your IIS logs, but if someone from the outside has access to your IIS logs, you have much bigger problems. They'd have access to your system and already have access to your web.config file gaining info to your DB connection string, and
Machine Key which encrypts the user passwords. Or they could write their own code to do almost whatever they want. If you're worried about someone internal doing damage, either an employee or a hosting company, you shouldn't be working with them.
Also, if you do decide to do this, I'd suggest creating this as a seperate module. I for one never touch the core, only replace items.