steve that's why I told you to use POST instead of GET
POST does not give values in the URL Address... on GET
Web Client Application:
<form name="myform" id="myform" method="POST"
action="http://www.yourserver.com/loginpage.aspx" >
<input type="hidden"
value="http://www.ClientWebServer.com/user/default.aspx" name="PostBackURL"
/>
<input type="hidden" value="iux876xj" name="ClientID" />
<a href="#" onclick="document.myform.submit();">Please click here to
login</a>
</form>
********************************************************************
Your loginpage.aspx on your server
<script runat="server">
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs)
    Dim sClientID As String = Request("ClientID")
    If sClientID IsNot Nothing Then
        If validateClientID(sClientID) Then
            ' everything is ok, let's show the login page to the user,
            ' but before let's keep the PostBackURL
            Session("RedirectTo") = Request("PostBackURL")
        Else
            ' the clientID does not EXIST, redirect the user with an error
            Response.Redirect("http://www.ClientWebServer.com/user/default.aspx?error=1", True)
        End If
    End If
End Sub

Protected Sub btnLogin_Click(ByVal sender As Object, ByVal e As System.EventArgs)
    ' imagine this is the event when the user clicks the LOGIN button in this page
    Dim sUser As String = fUser.Text.ToString
    Dim sPwd As String = fPwd.Text.ToString
    If validateUser(sUser, sPwd) Then
        ' read back the URL stored under "RedirectTo" in Page_Load
        Response.Redirect(CStr(Session("RedirectTo")), True)
    Else
        myErrorLabel.Text = "Invalid Username/Password!"
    End If
End Sub
</script>
got it?...
if you still have doubts, send me an email (br*********@gmail.com) and I
will send you 2 pages with this working.
--
Bruno Alexandre
(a Portuguese in København, Danmark)
"Steven Spits" <no****@company.com> wrote in message
news:uW**************@TK2MSFTNGP03.phx.gbl...
Bruno,
Client Web Form should have the action form using POST method to your
page in your server with 2 forms (user and pwd) and 2 hidden inputs (
clientID and PostBackURL )
your page accepts by POST the clientID and check if there's a correct
clientID to use your function, if ok accept user and pwd, and get true or
false, and redirect again to PostBackURL
This way would allow the client to log input before sending it to us. So
no, not a good idea.
or have the same, but the LOGIN page is in your server and you only
accept, ClientID and PostBackURL [or only ClientID and from the DB you
know where to redirect the user after a good authentication]
using this they never know username/pwd from your own clients
This is what I meant when saying "like Microsoft passport". But I'm still
not sure how to make it secure?
For example, how do I test in PostBackURL that the user was authenticated
using *our* login page? Using parameters
("http://ClientServer/WebApp/Validated.aspx?UserID=12345") would be
insecure, unless both parties write some code to check if the querystring
is not tampered with (like
http://aspnet.4guysfromrolla.com/art...083105-1.aspx). But I want
implementation to be as easy as possible so I'm not sure this is the way
to go...
Steven
- - -
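The check Steven asks about, as an added example that is not code from either poster: the login server signs the user ID and an expiry with a per-client shared secret (HMAC-SHA256), and the client site verifies that signature before trusting the query string. The module and function names, the 60-second lifetime, the secret and the lookup tables are assumptions, IDs are assumed not to contain "|", and the return URL is taken from the table for the ClientID rather than from the posted PostBackURL.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Security.Cryptography
Imports System.Text

Module SignedReturn
    ' Constructed sample data: registered return URL and shared secret per ClientID.
    Private ReadOnly ReturnUrls As New Dictionary(Of String, String) From {
        {"iux876xj", "http://www.ClientWebServer.com/user/default.aspx"}}
    Private ReadOnly Secrets As New Dictionary(Of String, Byte()) From {
        {"iux876xj", Encoding.UTF8.GetBytes("constructed-demo-secret-change-me")}}

    Private Function Sign(clientId As String, userId As String, expires As Long) As String
        Using mac As New HMACSHA256(Secrets(clientId))
            Dim data = Encoding.UTF8.GetBytes(clientId & "|" & userId & "|" & expires.ToString())
            Return BitConverter.ToString(mac.ComputeHash(data)).Replace("-", "")
        End Using
    End Function

    ' Login server: call after validateUser succeeds. Returns Nothing for unknown clients.
    Function BuildReturnUrl(clientId As String, userId As String, nowUnix As Long) As String
        If Not ReturnUrls.ContainsKey(clientId) Then Return Nothing
        Dim expires = nowUnix + 60
        Return ReturnUrls(clientId) & "?uid=" & Uri.EscapeDataString(userId) &
               "&exp=" & expires.ToString() & "&sig=" & Sign(clientId, userId, expires)
    End Function

    ' Client site: accept the user only if the signature matches and has not expired.
    Function IsValidReturn(clientId As String, userId As String, expires As Long,
                           sig As String, nowUnix As Long) As Boolean
        If sig Is Nothing OrElse Not Secrets.ContainsKey(clientId) OrElse nowUnix > expires Then Return False
        Dim expected = Sign(clientId, userId, expires)
        If expected.Length <> sig.Length Then Return False
        Dim diff = 0
        For i = 0 To expected.Length - 1   ' compare every character, no early exit
            diff = diff Or (AscW(expected(i)) Xor AscW(Char.ToUpperInvariant(sig(i))))
        Next
        Return diff = 0
    End Function

    Sub Main()
        Dim url = BuildReturnUrl("iux876xj", "12345", 1700000000)
        Console.WriteLine(url)
        Dim sig = url.Substring(url.IndexOf("&sig=") + 5)
        Console.WriteLine(IsValidReturn("iux876xj", "12345", 1700000060, sig, 1700000030)) ' untampered
        Console.WriteLine(IsValidReturn("iux876xj", "99999", 1700000060, sig, 1700000030)) ' uid changed
        Console.WriteLine(IsValidReturn("iux876xj", "12345", 1700000060, sig, 1700000100)) ' past expiry
    End Sub
End Module
```

A signed link can still be replayed until it expires, so the client site should exchange it for its own session on first use and serve the page over HTTPS.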