By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
424,835 Members | 1,951 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 424,835 IT Pros & Developers. It's quick & easy.

What is the best way to login my website from another website?

P: n/a
Hi, all:

I have a website with its own login page. Now one of my clients want
their employees log into my website from their website. They want to
have their login page (look and feel are different and hosted on
another web server) and then send the user id and pwd to my login
page. What is the best to do this?

Pass the user id and pwd on the url is not a solution since everybody
will see the user's credential.

We are trying to build their login page like following:

<form action="https://mywebsite/Login.aspx" id="form1" name="form1"
method="post" action="" style="padding:0; margin:0;">
<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET"
value="" />
<input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT"
value="" />
<input name="txtUserID" type="text" size="18" />
<input name="txtPWD" type="password" size="18" />
<input name="Submit" type="submit" style="font-size: 10px;"
value="Login" />
</form>

But we got the error
Invalid postback or callback argument. Event validation is enabled
using <pages enableEventValidation="true"/in configuration or <%@
Page EnableEventValidation="true" %in a page.

I do not think Disable Event validation is a good idea.

Is there any other better approach?

Thanks a lot.

Jul 5 '07 #1
Share this Question
Share on Google+
5 Replies


P: n/a
AFAIK ASP.NET checks posted data to make sure that they are coming from a
page that was served by the same server.

I would just post to the same page and would transmit data behind the scene
using a web service...

"rockdale" <ro************@gmail.coma écrit dans le message de news:
11**********************@57g2000hsv.googlegroups.c om...
Hi, all:

I have a website with its own login page. Now one of my clients want
their employees log into my website from their website. They want to
have their login page (look and feel are different and hosted on
another web server) and then send the user id and pwd to my login
page. What is the best to do this?

Pass the user id and pwd on the url is not a solution since everybody
will see the user's credential.

We are trying to build their login page like following:

<form action="https://mywebsite/Login.aspx" id="form1" name="form1"
method="post" action="" style="padding:0; margin:0;">
<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET"
value="" />
<input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT"
value="" />
<input name="txtUserID" type="text" size="18" />
<input name="txtPWD" type="password" size="18" />
<input name="Submit" type="submit" style="font-size: 10px;"
value="Login" />
</form>

But we got the error
Invalid postback or callback argument. Event validation is enabled
using <pages enableEventValidation="true"/in configuration or <%@
Page EnableEventValidation="true" %in a page.

I do not think Disable Event validation is a good idea.

Is there any other better approach?

Thanks a lot.

Jul 5 '07 #2

P: n/a
So what you mean is I write a web service to accept the user id and
pwd that they passed and do authorization, But how can I redirect them
to my member's home page after I validate user id and pwd?

Thanks for your help

On Jul 5, 12:08 pm, "Patrice" <http://www.chez.com/scribe/wrote:
AFAIK ASP.NET checks posted data to make sure that they are coming from a
page that was served by the same server.

I would just post to the same page and would transmit data behind the scene
using a web service...

"rockdale" <rockdale.gr...@gmail.coma écrit dans le message de news:
1183650687.509733.262...@57g2000hsv.googlegroups.c om...
Hi, all:
I have a website with its own login page. Now one of my clients want
their employees log into my website from their website. They want to
have their login page (look and feel are different and hosted on
another web server) and then send the user id and pwd to my login
page. What is the best to do this?
Pass the user id and pwd on the url is not a solution since everybody
will see the user's credential.
We are trying to build their login page like following:
<form action="https://mywebsite/Login.aspx" id="form1" name="form1"
method="post" action="" style="padding:0; margin:0;">
<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET"
value="" />
<input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT"
value="" />
<input name="txtUserID" type="text" size="18" />
<input name="txtPWD" type="password" size="18" />
<input name="Submit" type="submit" style="font-size: 10px;"
value="Login" />
</form>
But we got the error
Invalid postback or callback argument. Event validation is enabled
using <pages enableEventValidation="true"/in configuration or <%@
Page EnableEventValidation="true" %in a page.
I do not think Disable Event validation is a good idea.
Is there any other better approach?
Thanks a lot.- Hide quoted text -

- Show quoted text -

Jul 5 '07 #3

P: n/a
If your customer's site is a trusted site and the only one served by your
application you could give them a generated <machineKey /tag for thier
site's web config to match your site's web.config. That would spoof your app
into passing the post from thier login page as if it had come from the same
server.

This is assuming of course that thier web site is an ASP.NET web site or at
least an IIS hosted web site that can be configured using the .NET framework
and a web.config file.

"Patrice" <http://www.chez.com/scribe/wrote in message
news:eu**************@TK2MSFTNGP04.phx.gbl...
AFAIK ASP.NET checks posted data to make sure that they are coming from a
page that was served by the same server.

I would just post to the same page and would transmit data behind the
scene using a web service...

"rockdale" <ro************@gmail.coma écrit dans le message de news:
11**********************@57g2000hsv.googlegroups.c om...
>Hi, all:

I have a website with its own login page. Now one of my clients want
their employees log into my website from their website. They want to
have their login page (look and feel are different and hosted on
another web server) and then send the user id and pwd to my login
page. What is the best to do this?

Pass the user id and pwd on the url is not a solution since everybody
will see the user's credential.

We are trying to build their login page like following:

<form action="https://mywebsite/Login.aspx" id="form1" name="form1"
method="post" action="" style="padding:0; margin:0;">
<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET"
value="" />
<input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT"
value="" />
<input name="txtUserID" type="text" size="18" />
<input name="txtPWD" type="password" size="18" />
<input name="Submit" type="submit" style="font-size: 10px;"
value="Login" />
</form>

But we got the error
Invalid postback or callback argument. Event validation is enabled
using <pages enableEventValidation="true"/in configuration or <%@
Page EnableEventValidation="true" %in a page.

I do not think Disable Event validation is a good idea.

Is there any other better approach?

Thanks a lot.


Jul 5 '07 #4

P: n/a
IMO *they* should redirect to your site based upon the web service result
(if credentials are not valid, they'll need to display the page
again).They'll likely then pass a guid associated with the user you returned
to them so that you know which user it is. Make sure this is a temporary
guid so that it is not usable for ages if stolen (changed at least each time
a new login request is issued).

Or else Chad solution that would be what you would do for your inhouse
servers (though I would likely prefer to be "explicit" about such a link
with external world).

Oh BTW, you may want to explain the overall goal as I'm not sure to have
caught the details (basically if all they do is hosting the login page you
could perhaps have a customized login page for them on your own web site ?).
They are not using those credentials at all at their site ?

--
Patrice

"rockdale" <ro************@gmail.coma écrit dans le message de news:
11*********************@q75g2000hsh.googlegroups.c om...
So what you mean is I write a web service to accept the user id and
pwd that they passed and do authorization, But how can I redirect them
to my member's home page after I validate user id and pwd?

Thanks for your help

On Jul 5, 12:08 pm, "Patrice" <http://www.chez.com/scribe/wrote:
AFAIK ASP.NET checks posted data to make sure that they are coming from a
page that was served by the same server.

I would just post to the same page and would transmit data behind the
scene
using a web service...

"rockdale" <rockdale.gr...@gmail.coma écrit dans le message de news:
1183650687.509733.262...@57g2000hsv.googlegroups.c om...
Hi, all:
I have a website with its own login page. Now one of my clients want
their employees log into my website from their website. They want to
have their login page (look and feel are different and hosted on
another web server) and then send the user id and pwd to my login
page. What is the best to do this?
Pass the user id and pwd on the url is not a solution since everybody
will see the user's credential.
We are trying to build their login page like following:
<form action="https://mywebsite/Login.aspx" id="form1" name="form1"
method="post" action="" style="padding:0; margin:0;">
<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET"
value="" />
<input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT"
value="" />
<input name="txtUserID" type="text" size="18" />
<input name="txtPWD" type="password" size="18" />
<input name="Submit" type="submit" style="font-size: 10px;"
value="Login" />
</form>
But we got the error
Invalid postback or callback argument. Event validation is enabled
using <pages enableEventValidation="true"/in configuration or <%@
Page EnableEventValidation="true" %in a page.
I do not think Disable Event validation is a good idea.
Is there any other better approach?
Thanks a lot.- Hide quoted text -

- Show quoted text -


Jul 5 '07 #5

P: n/a
I've also used a solution for public domain "single sign on" scenarios where
we've delivered a "public key" to the customer to encrypt a user name and
password pair into a 64-bit hashed string and pass it back in the URL where
we would then unencrypt it and use the the credentials to authenticate the
user and auto-generate thier forms authentication ticket. It's a bit
elaborate but it works.

I like the web service and temporary GUID solution as well. That's one I've
never thought of before but seems rock solid if there's minimal trust
between the 2 environments for integration purposes.

"Patrice" <http://www.chez.com/scribe/wrote in message
news:OL**************@TK2MSFTNGP03.phx.gbl...
IMO *they* should redirect to your site based upon the web service result
(if credentials are not valid, they'll need to display the page
again).They'll likely then pass a guid associated with the user you
returned to them so that you know which user it is. Make sure this is a
temporary guid so that it is not usable for ages if stolen (changed at
least each time a new login request is issued).

Or else Chad solution that would be what you would do for your inhouse
servers (though I would likely prefer to be "explicit" about such a link
with external world).

Oh BTW, you may want to explain the overall goal as I'm not sure to have
caught the details (basically if all they do is hosting the login page you
could perhaps have a customized login page for them on your own web site
?). They are not using those credentials at all at their site ?

--
Patrice

"rockdale" <ro************@gmail.coma écrit dans le message de news:
11*********************@q75g2000hsh.googlegroups.c om...
So what you mean is I write a web service to accept the user id and
pwd that they passed and do authorization, But how can I redirect them
to my member's home page after I validate user id and pwd?

Thanks for your help

On Jul 5, 12:08 pm, "Patrice" <http://www.chez.com/scribe/wrote:
>AFAIK ASP.NET checks posted data to make sure that they are coming from a
page that was served by the same server.

I would just post to the same page and would transmit data behind the
scene
using a web service...

"rockdale" <rockdale.gr...@gmail.coma écrit dans le message de news:
1183650687.509733.262...@57g2000hsv.googlegroups. com...
Hi, all:
I have a website with its own login page. Now one of my clients want
their employees log into my website from their website. They want to
have their login page (look and feel are different and hosted on
another web server) and then send the user id and pwd to my login
page. What is the best to do this?
Pass the user id and pwd on the url is not a solution since everybody
will see the user's credential.
We are trying to build their login page like following:
<form action="https://mywebsite/Login.aspx" id="form1" name="form1"
method="post" action="" style="padding:0; margin:0;">
<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET"
value="" />
<input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT"
value="" />
<input name="txtUserID" type="text" size="18" />
<input name="txtPWD" type="password" size="18" />
<input name="Submit" type="submit" style="font-size: 10px;"
value="Login" />
</form>
But we got the error
Invalid postback or callback argument. Event validation is enabled
using <pages enableEventValidation="true"/in configuration or <%@
Page EnableEventValidation="true" %in a page.
I do not think Disable Event validation is a good idea.
Is there any other better approach?
Thanks a lot.- Hide quoted text -

- Show quoted text -



Jul 5 '07 #6

This discussion thread is closed

Replies have been disabled for this discussion.