Remote logon page like Microsoft passport

you can always do this:

Client Web Form should have the action form using POST method to your page
in your server with 2 forms (user and pwd) and 2 hidden inputs ( clientID
and PostBackURL )

your page accepts by POST the clientID and check if there's a correct
clientID to use your function, if ok accept user and pwd, and get true or
false, and redirect again to PostBackURL

*************** *************** *******

or have the same, but the LOGIN page is in your server and you only accept,
ClientID and PostBackURL [or only ClientID and from the DB you know where to
redirect the user after a good authentication]

using this they never know username/pwd from your own clients

*************** *************** *******

.... did I miss anything?
hope the idea is exactly what you need...

--

Bruno Alexandre
(a Portuguese in Københanv, Danmark)
"Steven Spits" <no****@company .com> escreveu na mensagem
news:e3******** ******@TK2MSFTN GP05.phx.gbl...

Hi,

Our company has a database of users that we use to authenticate users on
various websites.

However, some of our customers want to develop a website on their own and
use the same database authenticate users.

At first I was thinking to create a WebService that accepts username &
password and returns if it's valid or not. But it is *very* important that
our customers don't know the password of these users. Because our
customers could "log" the data send to the webservice, this is obviously
not a good idea.

So I guess what we need is a system like Microsoft passport where the user
gets redirected to another website to logon and returns to the original
url afterwards.

What would be the best way to communicate between urls? It should be easy
to implement and yet secure.

Steven

- - -

Bruno,

Client Web Form should have the action form using POST method to your page
in your server with 2 forms (user and pwd) and 2 hidden inputs ( clientID
and PostBackURL )

your page accepts by POST the clientID and check if there's a correct
clientID to use your function, if ok accept user and pwd, and get true or
false, and redirect again to PostBackURL
This way would allow the client to log input before sending it to us. So no,
not a good idea.
or have the same, but the LOGIN page is in your server and you only
accept, ClientID and PostBackURL [or only ClientID and from the DB you
know where to redirect the user after a good authentication]

using this they never know username/pwd from your own clients

This is what I meant when saying "like Microsoft passport". But I'm still
not sure how to make it secure?

For example, how do I test in PostBackURL that the user was authenticated
using *our* login page? Using parameters
("http://ClientServer/WebApp/Validated.aspx? UserID=12345") would be
insecure, unless both parties write some code to check if the querystring is
not tampered with (like
http://aspnet.4guysfromrolla.com/art...083105-1.aspx). But I want
implementation to be as easy as possible so I'm not sure this is the way to
go...

Steven

- - -

steve that's why I told you to use POST instead of GET

POST does not give values in the URL Address... on GET

Web Client Application:

<form name="myform" id="myform" method="POST"
action="www.you rserver.com/loginpage.aspx" >
<input type="hidden"
value="http://www.ClientWebSe rver.com/user/default.aspx" name="PostBackU RL"
/>
<input type="hidden" value"iux876xj" name="CLientID" />
<a href="#" onclick="docume nt.myform.submi t();">Please click here to
login</a>
</form>

*************** *************** *************** *************** ********
Your loginpage.apx in you server

<%
Protected Sub Page_Load(ByVal sender As Object, ByVal e As
System.EventArg s)
Dim sClientID as String = request("Client ID")
if sClientID isnot nothing then
if validateClientI D( sClientID ) then
' everything is ok, let's show the login page to the
user, but before let's keep the PostBackURL
session("Redire ctTo") = request("PostBa ckURL")
else
' the clientID does not EXIST redirect the user with an
error
response.redire ct("http://www.ClientWebSe rver.com/user/default.aspx?er ror=1",
true )
end if
end if
End Sub

Protected Sub btnLogin_Click( ByVal sender As Object, ByVal e As
System.EventArg s)
' imagine this is the event when the user click the LOGIN button
in this page
dim sUser as string = fUser.text.tost ring
dim sPwd as string = fPwd.text.tostr ing

if validateUser(sU ser, sPwd) then
response.redire ct( session("PostBa ckURL"), true)
else
myErrorLabel.Te xt = "Invalid Username/Password!"
end if
End Sub
%>
got it?...

if you still have doubts, send me an email (br*********@gm ail.com) and I
will send you 2 pages with this working.

--

Bruno Alexandre
(a Portuguese in Københanv, Danmark)
"Steven Spits" <no****@company .com> escreveu na mensagem
news:uW******** ******@TK2MSFTN GP03.phx.gbl...

Bruno,

Client Web Form should have the action form using POST method to your
page in your server with 2 forms (user and pwd) and 2 hidden inputs (
clientID and PostBackURL )

your page accepts by POST the clientID and check if there's a correct
clientID to use your function, if ok accept user and pwd, and get true or
false, and redirect again to PostBackURL

This way would allow the client to log input before sending it to us. So
no, not a good idea.

or have the same, but the LOGIN page is in your server and you only
accept, ClientID and PostBackURL [or only ClientID and from the DB you
know where to redirect the user after a good authentication]

using this they never know username/pwd from your own clients

This is what I meant when saying "like Microsoft passport". But I'm still
not sure how to make it secure?

For example, how do I test in PostBackURL that the user was authenticated
using *our* login page? Using parameters
("http://ClientServer/WebApp/Validated.aspx? UserID=12345") would be
insecure, unless both parties write some code to check if the querystring
is not tampered with (like
http://aspnet.4guysfromrolla.com/art...083105-1.aspx). But I want
implementation to be as easy as possible so I'm not sure this is the way
to go...

Steven

- - -

"Bruno Alexandre" wrote:

steve that's why I told you to use POST instead of GET
POST does not give values in the URL Address... on GET
There is no difference in using POST or GET. Both can be tampered with.

I think you misunderstood me. The QueryString I used as an example is the
one *after* validation. Like this one on your code:
if validateUser(sU ser, sPwd) then
response.redire ct( session("PostBa ckURL"), true)
else
myErrorLabel.Te xt = "Invalid Username/Password!"
end if
End Sub

I want to return to the client WHO was authenticated. And I also want to
make sure in "PostBackUR L" that the user was actually validated and didn't
typed that URL directly in his browser.

I appreciate your help...!

Steven

- - -

You can temper the Passport URL's... but what's the point? you will not be
validated!

sincerelly I thing you are putting too much in a really simple thing!
you problem is the username and password (as in Passport) and that YOU CAN
NOT temper as I told you!

soon you are login in your client could set a session to true and only show
the postbackurl page if the sessionID is the same that you can send him
back, for example...

like:

http://www.ClientWebServer.com/user/...e/default.aspx
and youre client must use redirect em asp.net to show the content, that's
called URL Mapping

in the HOW DO I: Microsoft Video Series, you have this in the Tips & Tricks
VIDEO (this particulary part stars at 14.05'')

http://msdn.microsoft.com/asp.net/le...t/default.aspx

--

Bruno Alexandre
(a Portuguese in Københanv, Danmark)
"Steven Spits" <no****@company .com> escreveu na mensagem
news:eh******** *****@TK2MSFTNG P04.phx.gbl...

"Bruno Alexandre" wrote:

steve that's why I told you to use POST instead of GET
POST does not give values in the URL Address... on GET

There is no difference in using POST or GET. Both can be tampered with.

I think you misunderstood me. The QueryString I used as an example is the
one *after* validation. Like this one on your code:

if validateUser(sU ser, sPwd) then
response.redire ct( session("PostBa ckURL"), true)
else
myErrorLabel.Te xt = "Invalid Username/Password!"
end if
End Sub

I want to return to the client WHO was authenticated. And I also want to
make sure in "PostBackUR L" that the user was actually validated and didn't
typed that URL directly in his browser.

I appreciate your help...!

Steven

- - -

"Bruno Alexandre" wrote:

You can temper the Passport URL's... but what's the point? you will not be
validated!
We are clearly talking about something else.

Like I said before twice, *AFTER* validation I want to return to the calling
webserver and indicate WHO logged on. Tampering with this information (POST
or GET doesn't matter) has a very good point because I can fool the
webserver I got validated correctly as someone else!
sincerelly I thing you are putting too much in a really simple thing!
One can never put enough effort in security.
you problem is the username and password (as in Passport) and that YOU CAN
NOT temper as I told you!
The validation itself happens on my server, so I'm not afraid of any
tampering here...
soon you are login in your client could set a session to true and only
show the postbackurl page if the sessionID is the same that you can send
him back, for example...
....not sure what you mean here? How can a SessionID help me? We're talking
different servers here.
and youre client must use redirect em asp.net to show the content, that's
called URL Mapping

I'm familiar with url mapping, but I'm not sure how this is going to help
me? Url mapping is just another way to send parameters, only less visible to
the user.

Steven

- - -

the best is to pass back an authenciation ticket in the URL. you should
encrypt the ticket with a key only known to the requesting site.
-- bruce (sqlwork.com)

"Steven Spits" <no****@company .com> wrote in message
news:e3******** ******@TK2MSFTN GP05.phx.gbl...

Hi,

Our company has a database of users that we use to authenticate users on
various websites.

However, some of our customers want to develop a website on their own and
use the same database authenticate users.

At first I was thinking to create a WebService that accepts username &
password and returns if it's valid or not. But it is *very* important that
our customers don't know the password of these users. Because our
customers could "log" the data send to the webservice, this is obviously
not a good idea.

So I guess what we need is a system like Microsoft passport where the user
gets redirected to another website to logon and returns to the original
url afterwards.

What would be the best way to communicate between urls? It should be easy
to implement and yet secure.

Steven

- - -

Did you ever look to the Passport URL for once??

I just loged in from Expression product and the URL to the LOGIN form is:

https://login.live.com/ppsecure/secu...e35d5e24f9bbd3

if you cut it, we have:

lc=1033
id=42814
ru=https%3a%2f% 2fprofile.micro soft.com%3a443% 2fRegSysProfile Center%2fWizard .aspx%3ffamilyI d%3d4DFD5390-0793-420A-890A-97DC3AD94127%26 displayLang%3de n%26oRef%3dhttp %253a%252f%252f www.microsoft.c om%252fproducts %252fexpression %252fen%252fgra phic_designer%2 52fgd_free_tria l.aspx%26wizid% 3d026BB8CF-6048-41A0-B74C-544A76CC587C%26 LCID%3d1033%26f u%3dhttp%253a%2 52f%252fwww.mic rosoft.com%252f downloads%252fd etails.aspx%253 fFamilyId%253d4 DFD5390-0793-420A-890A-97DC3AD94127%25 26displaylang%2 53den%2526hash% 253dM9RRC95%26c u%3dhttp%253a%2 52f%252fwww.mic rosoft.com%252f downloads%252fd etails.aspx%253 fFamilyId%253d4 DFD5390-0793-420A-890A-97DC3AD94127%25 26displaylang%2 53den
tw=1800
fs=1
kv=4
ct=1150883054
cb=LCID%3d1033% 26WizID%3d026BB 8CF-6048-41A0-B74C-544A76CC587C%26 ReturnURL%3dhtt ps%253a%252f%25 2fprofile.micro soft.com%253a44 3%252fRegSysPro fileCenter%252f Wizard.aspx%253 ffamilyId%253d4 DFD5390-0793-420A-890A-97DC3AD94127%25 26displayLang%2 53den%2526oRef% 253dhttp%25253a %25252f%25252fw ww.microsoft.co m%25252fproduct s%25252fexpress ion%25252fen%25 252fgraphic_des igner%25252fgd_ free_trial.aspx %2526wizid%253d 026BB8CF-6048-41A0-B74C-544A76CC587C%25 26LCID%253d1033 %2526fu%253dhtt p%25253a%25252f %25252fwww.micr osoft.com%25252 fdownloads%2525 2fdetails.aspx% 25253fFamilyId% 25253d4DFD5390-0793-420A-890A-97DC3AD94127%25 2526displaylang %25253den%25252 6hash%25253dM9R RC95%2526cu%253 dhttp%25253a%25 252f%25252fwww. microsoft.com%2 5252fdownloads% 25252fdetails.a spx%25253fFamil yId%25253d4DFD5 390-0793-420A-890A-97DC3AD94127%25 2526displaylang %25253den
ems=1
seclog=10
ver=2.1.6000.1
rn=7xgfU7pV&tpf =2a069e68c054b7 772ee35d5e24f9b bd3

as you can see, the PostBackURL here is called "ru"
and in cb you have ReturnURL after the SessionID

so, all the form does is what I told you.

and here I can prove you that I can temper Passport just playing with the
Query, but... like I told you, what's the point? I never get into where I
want if I temper it!
--

Bruno Alexandre
(a Portuguese in Københanv, Danmark)
"Steven Spits" <no****@company .com> escreveu na mensagem
news:uT******** ******@TK2MSFTN GP04.phx.gbl...

"Bruno Alexandre" wrote:

You can temper the Passport URL's... but what's the point? you will not
be validated!

We are clearly talking about something else.

Like I said before twice, *AFTER* validation I want to return to the
calling webserver and indicate WHO logged on. Tampering with this
information (POST or GET doesn't matter) has a very good point because I
can fool the webserver I got validated correctly as someone else!

sincerelly I thing you are putting too much in a really simple thing!

One can never put enough effort in security.

you problem is the username and password (as in Passport) and that YOU
CAN NOT temper as I told you!

The validation itself happens on my server, so I'm not afraid of any
tampering here...

soon you are login in your client could set a session to true and only
show the postbackurl page if the sessionID is the same that you can send
him back, for example...

...not sure what you mean here? How can a SessionID help me? We're talking
different servers here.

and youre client must use redirect em asp.net to show the content, that's
called URL Mapping

I'm familiar with url mapping, but I'm not sure how this is going to help
me? Url mapping is just another way to send parameters, only less visible
to the user.

Steven

- - -

Bruno,

I appreciate your help, but if you don't *read* my mails, we're getting
nowhere...

I just loged in from Expression product and the URL to the LOGIN form is:

For the third time: the problem is not the url *TO* the login form, it's the
url *GOING BACK* from the login page to site that originally requested the
authentication.

Based on your example: what happens when I copy & paste the value of "ru" in
my browser? How to check if the user was actually validated?

Steven

- - -