What is the best way to login my website from another website?


R

rockdale

Hi, all:

I have a website with its own login page. Now one of my clients want
their employees log into my website from their website. They want to
have their login page (look and feel are different and hosted on
another web server) and then send the user id and pwd to my login
page. What is the best to do this?

Pass the user id and pwd on the url is not a solution since everybody
will see the user's credential.

We are trying to build their login page like following:

<form action="https://mywebsite/Login.aspx" id="form1" name="form1"
method="post" action="" style="padding:0; margin:0;">
<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET"
value="" />
<input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT"
value="" />
<input name="txtUserID" type="text" size="18" />
<input name="txtPWD" type="password" size="18" />
<input name="Submit" type="submit" style="font-size: 10px;"
value="Login" />
</form>

But we got the error
Invalid postback or callback argument. Event validation is enabled
using <pages enableEventValidation="true"/> in configuration or <%@
Page EnableEventValidation="true" %> in a page.

I do not think Disable Event validation is a good idea.

Is there any other better approach?

Thanks a lot.
 
Ad

Advertisements

P

Patrice

AFAIK ASP.NET checks posted data to make sure that they are coming from a
page that was served by the same server.

I would just post to the same page and would transmit data behind the scene
using a web service...
 
R

rockdale

So what you mean is I write a web service to accept the user id and
pwd that they passed and do authorization, But how can I redirect them
to my member's home page after I validate user id and pwd?

Thanks for your help
 
C

Chad Scharf

If your customer's site is a trusted site and the only one served by your
application you could give them a generated <machineKey /> tag for thier
site's web config to match your site's web.config. That would spoof your app
into passing the post from thier login page as if it had come from the same
server.

This is assuming of course that thier web site is an ASP.NET web site or at
least an IIS hosted web site that can be configured using the .NET framework
and a web.config file.
 
P

Patrice

IMO *they* should redirect to your site based upon the web service result
(if credentials are not valid, they'll need to display the page
again).They'll likely then pass a guid associated with the user you returned
to them so that you know which user it is. Make sure this is a temporary
guid so that it is not usable for ages if stolen (changed at least each time
a new login request is issued).

Or else Chad solution that would be what you would do for your inhouse
servers (though I would likely prefer to be "explicit" about such a link
with external world).

Oh BTW, you may want to explain the overall goal as I'm not sure to have
caught the details (basically if all they do is hosting the login page you
could perhaps have a customized login page for them on your own web site ?).
They are not using those credentials at all at their site ?

--
Patrice

"rockdale" <[email protected]> a écrit dans le message de (e-mail address removed)...
So what you mean is I write a web service to accept the user id and
pwd that they passed and do authorization, But how can I redirect them
to my member's home page after I validate user id and pwd?

Thanks for your help
 
Ad

Advertisements

C

Chad Scharf

I've also used a solution for public domain "single sign on" scenarios where
we've delivered a "public key" to the customer to encrypt a user name and
password pair into a 64-bit hashed string and pass it back in the URL where
we would then unencrypt it and use the the credentials to authenticate the
user and auto-generate thier forms authentication ticket. It's a bit
elaborate but it works.

I like the web service and temporary GUID solution as well. That's one I've
never thought of before but seems rock solid if there's minimal trust
between the 2 environments for integration purposes.
 
Ad

Advertisements


Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top