umer umer - 1 month ago
ASP.NET (C#) Question

open webpage from within a desktop application with arguments as username and password

I have developed an asp.net web application which a user can access and log in to by providing a username and password. Now I have to develop a Windows Form Application which the user can also log in to using the same credentials as my web application. By clicking a button in the application, I want it to open the browser, navigate the user to the web application and automatically log in to my web application with the same credentials. But my problem is how do I pass the credentials to my web app?

I am using Process.Start("http://localhost:8080/myAppLogin.aspx") to open up the browser and load my login page. I can pass the credentials in the query string in encrypted form, but that doesn't sound like a safe method of doing it. I want to pass the credentials to my webpage with some more secure method.

Any suggestions?

This question was incorrectly edited and lost some meaningful information. I have re-edited the question below.

Edit

I have developed an asp.net web application which a user can access and log in to by providing a username and password. Now I have to develop a Windows Form Application. The Win Form application contains the user's Web App credentials in a file. There's a button in my Win Form App and I want the user to log in to my web app by clicking this button, e.g. by clicking a button in the Win Form application, I want it to open the browser, navigate the user to the web application and automatically log in to my web application. But my problem is how do I pass the credentials to my web app?

I am using

Process.Start("http://localhost:8080/myAppLogin.aspx")

to open up the browser and load my login page. I can pass the credentials in the query string in encrypted form, but that doesn't sound like a safe method of doing it. I want to pass the credentials to my webpage with some more secure method.

Any suggestions?

Note: My Win Form Application can't access my Web App Database.

Answer

Solution 1: Assuming you want to roll your own

OK, so I am assuming here that both the WinForms application and the ASP.NET application have access to the same DB, as you mention that you can log in from either.

So that being the case, create yourself a table AuthTokens with the following fields:

  • AuthToken
  • UserName

Create a pre-shared key that is known to both the WinForms and ASP.NET application.

In the Winforms app authenticate the user as usual. Upon successful authentication:

  1. Encrypt the username with the shared key ==> userEncrypted
  2. Create an MD5 hash of userEncrypted ==> authToken

Add record to AuthTokens table:

INSERT INTO AuthTokens (AuthToken, UserName) VALUES (authToken, userEncrypted)

Then call POST "http://localhost:8080/autoLogin" with the authToken as part of the headers or body (your choice) and use the PostRedirectGet pattern to send the request to your WebForms application.

In the WebForms application you then:

  1. Retrieve the authToken from the POST
  2. Find the authToken in the AuthTokens table
  3. Decrypt the UserName field from the table using the shared key ==> unencryptedUserName
  4. Use the unencryptedUserName to log the user in
  5. Upon success/failure do a redirect to the GET page of your choice. Take into account ALL conditions - token not found, MD5 of decrypted user does not match authToken, etc.

Notes:

  • Doing a POST means no query strings and passing stuff "easily visible". It will still be visible to someone sniffing your traffic
  • At no point do you ever store anything unencrypted - EVER
  • At no point do you ever send anything over the wire that is REVERSIBLE - EVER
  • You only send an MD5 hash as this is not reversible
  • You still need a shared secret key (PSK) which is a pain. You could store this in the DB if that was secure

Whatever you do make sure you are careful as you implement things as it is easy to get this wrong.

Extensions:

  • You could look at public/private key encryption which would avoid the PSK
  • Your communication should be HTTPS and not HTTP
  • You could get clever with the expiry of the auth tokens - One time use, time expiry etc. etc.

Solution 2 - Use OAuth; it was designed for exactly the scenario you are describing.

Solution 2.1 - Implement your own authentication service

For example https://github.com/IdentityServer/IdentityServer3, but there are others.

Solution 3 - Find a SaaS solution that will do single sign on and user management for you

Google will be your friend here as I cannot recommend any without violating SO policies.
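The one-time, time-limited token variant sketched in the answer's Extensions, as an added example that is not code from the question or the answer. It simulates both the WinForms issuer and the ASP.NET /autoLogin consumer in one console program (assumes .NET 6 or later); the AuthTokens table is stood in for by a dictionary, and the user names and the 60-second lifetime are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Constructed stand-in for one row of the AuthTokens table.
record AuthTokenRecord(string UserName, DateTime ExpiresUtc);

static class AutoLoginTokens
{
    static readonly TimeSpan Lifetime = TimeSpan.FromSeconds(60); // assumed value
    // Key: SHA-256 of the token. Storing only the hash means a read of the table
    // does not hand an attacker a token that can still be redeemed.
    static readonly Dictionary<string, AuthTokenRecord> AuthTokens = new();

    static string Hash(string token) =>
        Convert.ToBase64String(SHA256.HashData(Encoding.UTF8.GetBytes(token)));

    // WinForms side: after the user has authenticated locally, mint a one-time token.
    // 32 CSPRNG bytes are unguessable, unlike a deterministic hash of the username.
    public static string Issue(string userName, DateTime nowUtc)
    {
        string token = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        AuthTokens[Hash(token)] = new AuthTokenRecord(userName, nowUtc + Lifetime);
        return token; // sent once, in the POST body over HTTPS, never in a query string
    }

    // ASP.NET side (/autoLogin): remove the row first, then check expiry, so a token
    // can be redeemed at most once whether or not it is still valid.
    public static bool TryRedeem(string token, DateTime nowUtc, out string userName)
    {
        userName = string.Empty;
        if (!AuthTokens.Remove(Hash(token), out AuthTokenRecord rec)) return false; // unknown or replayed
        if (nowUtc > rec.ExpiresUtc) return false; // expired
        userName = rec.UserName;
        return true;
    }

    static void Main()
    {
        DateTime now = DateTime.UtcNow;
        string t1 = Issue("alice", now);
        Console.WriteLine(TryRedeem(t1, now, out string u) ? $"logged in {u}" : "rejected");
        Console.WriteLine(TryRedeem(t1, now, out _) ? "logged in" : "rejected (replay)");
        string t2 = Issue("bob", now);
        Console.WriteLine(TryRedeem(t2, now.AddMinutes(5), out _) ? "logged in" : "rejected (expired)");
    }
}
```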