Window Forms vs Web Forms

lphan

Hi there,
The project that I'm working on is a security piece of n-tier
applications which tries to authenticate a user. The login page, either a
web form or windows form, calls a web service (thin layer) that
actually invokes a business object to authenticate the user.
In the internet application, after the user credentials are verified,
the user id is saved in cookies so it can be referred to later by the
business class using httpcontext. I would like the winform application
to behave similarly but don't know how.

1. How can the business class differentiate the web and windows
applications?
2. Is there anything like httpcontext to store information in winform
app so the security info doesn't have to be passed around?

Your help would be much appreciated.
LNP
 
Marc

LNP,

1. A lot of what you are trying to accomplish depends on your
environment. If this is an internal application, then you have
significantly more control of how to resolve this. For example, you
can set up a virtual dir to point to a specific port on your webserver
and then you can use Request.UserHostAddress to see if the user is
coming from a windows app or not. Similarly, you can specify
querystring parameters to the WS request and parse that for the
information you need. Assuming you don't have as much control, you
could pass a simple object to the WS telling it from where the request
is coming. The last approach is probably the way I would approach
it so that I could make the object contain as much or as little
information as I would need.

2. Yes, WinForms come with a similar mechanism to cookies. It's called
IsoStores. IsoStores are located on the hard drive but are buried deep
and are dynamic so it would take some considerable effort to
find/modify. Here is a code sample to help:

using System;
using System.IO;
using System.IO.IsolatedStorage;
using System.Windows.Forms;

~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*
try
{
    // Open the isolated store scoped to the current Windows user and this assembly.
    using (IsolatedStorageFile isoFile = IsolatedStorageFile.GetUserStoreForAssembly())
    // "userinfo.txt" is a placeholder file name inside the store.
    using (IsolatedStorageFileStream file = new IsolatedStorageFileStream(
        "userinfo.txt", FileMode.Create, isoFile))
    using (StreamWriter sw = new StreamWriter(file))
    {
        sw.Write("SomeStuff Here");
    } // Disposing flushes the writer and closes the stream and the store.
}
catch (Exception err)
{
    MessageBox.Show(err.Message);
}

You can also use a StreamReader to read from the
IsolatedStorageFileStream. Good luck!

Marc
MCP.NET, MCAD.NET

http://www.statera.com
 
TerryFei

Hi LNP,

Thanks for Marc's reply. I just wanted to check how things are going and
whether or not Marc's suggestion solves your problem.

If there is any question, please feel free to join the community and we are
here to support you at your convenience. Thanks again and have a nice day.

Best Regards,

Terry Fei[MSFT]
Microsoft Community Support
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
lphan

Hi Marc,
Thank you for your response. I was busy lately with other stuff so
could not reply right away. Anyway, here is a little background to my
previous question.
In our current web application, after a user logs in, his info is saved
in cookies (client side) so that later on the user object (server side)
can be created by using httpcontext.User.Identity with no need to pass
any parameters (for security reasons).
Now we would like to apply the same mechanism for our internal windows
forms application, which uses the same business objects as the web app.
The user class resides on the server while the user info is saved on
the client machine, therefore I'm not sure how IsoStores would work.
Any ideas?
Thanks,
LNP
 
Steven Cheng[MSFT]

Hi LNP,

Thanks for your followup.
Based on Marc's suggestion and your scenario, here is some of my
understanding:

1. Surely a Windows Forms application will have a different model than a web
form application. Generally, for a winform application, we do not maintain such
per-user info through some storage like the "cookie" for webform. Since a
winform app is rich-client based, we can force the user to authenticate
each time he launches the winform application, and during the winform's
executing lifecycle the authenticated ticket is held in memory and helps
the current user avoid reauthenticating...

2. And as for the Iso Store (IsolatedStorage) Marc mentioned, it is provided
by the Windows operating system, since each Windows user (logged on
interactively) will have his own UserProfile.... (under Document Settings
location....), so .NET has encapsulated the API for accessing or storing in
such a Windows user specific location.... However, in your scenario, your
application's authentication is based on your custom database rather than
the Windows user, yes? This means that when a certain Windows user logs on to
the computer and uses your winform application and authenticates with a
certain account (application specific), it has no relation to his current
Windows account. So if we need to use IsolatedStorage, we should notice
this point, and consider how to manage different application-specific user
data stored in Windows user specific storage... (IsolatedStorage....).

Please feel free to post here if you have any other ideas or
consideration...

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
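
A sketch of the two points in the reply above, as an added example that is not code from any poster in this thread: the ticket returned by the login web service is held only in memory, and anything written to IsolatedStorage goes into a file named after the application account, so two application users sharing one Windows profile do not read each other's data. `ClientSession`, `SignIn`, `SavePrefs` and the file-naming scheme are hypothetical names, and the ticket string stands in for whatever the web service returns.

```csharp
using System;
using System.IO;
using System.IO.IsolatedStorage;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Threading;

// Hypothetical client-side session holder for the WinForms application.
public static class ClientSession
{
    // Held in memory only; it is gone when the process exits, so the user
    // authenticates again on the next launch.
    public static string Ticket { get; private set; }

    // Call after the login web service has accepted the credentials.
    public static void SignIn(string appUserId, string ticket)
    {
        Ticket = ticket;
        // Client-side analogue of HttpContext.User: local code reads
        // Thread.CurrentPrincipal.Identity.Name instead of passing the id around.
        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity(appUserId, "Custom"), new string[0]);
    }

    // One file per application account inside the Windows user's store.
    static string FileFor(string appUserId)
    {
        using (SHA256 sha = SHA256.Create())
        {
            byte[] h = sha.ComputeHash(Encoding.UTF8.GetBytes(appUserId));
            return BitConverter.ToString(h, 0, 8).Replace("-", "") + ".prefs";
        }
    }

    // Keep only non-secret, per-account data here; the ticket stays in memory.
    public static void SavePrefs(string prefs)
    {
        string name = FileFor(Thread.CurrentPrincipal.Identity.Name);
        using (IsolatedStorageFile store = IsolatedStorageFile.GetUserStoreForAssembly())
        using (IsolatedStorageFileStream fs = new IsolatedStorageFileStream(name, FileMode.Create, store))
        using (StreamWriter sw = new StreamWriter(fs))
            sw.Write(prefs);
    }
}
```

`Thread.CurrentPrincipal` is per thread, so set it on the UI thread before business code runs. Because the business objects run on the server, the client still has to send `ClientSession.Ticket` with each web service call and the server has to validate it there.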

