Forcing An Authorize in Forms Authentication

Guest

I'm trying to force a user to be authorized in forms authentication by
extending the login control class and overriding the OnAuthorize function. I
set my eventArgs.Authorized = true but I'm not sure what to do with it at
that point.

I don't want the user to have to type anything into a login control (they
are passing a login token via a QueryStringParameter); if it's valid, I need
them to be logged in automatically.

Has anyone ever done something like this before? Any advice on how to make
it work?
Thanks,
Matt Bell
 
Guest

Matt,
First of all, the practice of passing any kind of authentication information
(be it usernames, passwords, or "login tokens") on the querystring is a bad
practice from a security standpoint.

However, assuming that you either do not care about this or it is not
important in your particular scenario, what I would do is use the login token
to look up the person's username and password or password hash, and call the
Authenticate method yourself for the user, programmatically.

There is plenty of sample code around on how to create a valid forms auth
ticket and call the login method.
Peter
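
An added example, not part of the thread or either poster's code: a code-behind sketch that redeems the query-string token once on the server and then issues the forms auth cookie with `FormsAuthentication.SetAuthCookie`, rather than replaying a stored password through Authenticate. `LoginTokenStore`, `TokenLogin` and the `token` parameter name are hypothetical, and the store is in-memory for illustration only.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;
using System.Web.Security;
using System.Web.UI;

// Hypothetical store of one-time login tokens, keyed by SHA-256 hash so the
// raw token is never kept server-side.
public static class LoginTokenStore
{
    private sealed class Entry { public string UserName; public DateTime ExpiresUtc; }
    private static readonly ConcurrentDictionary<string, Entry> Tokens =
        new ConcurrentDictionary<string, Entry>();

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }

    // Issue a 256-bit random, URL-safe token bound to one user and a short lifetime.
    public static string Issue(string userName, TimeSpan lifetime)
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        Tokens[Hash(token)] = new Entry { UserName = userName, ExpiresUtc = DateTime.UtcNow.Add(lifetime) };
        return token;
    }

    // Single use: the entry is removed on the first redemption, valid or expired.
    public static string Redeem(string token)
    {
        Entry e;
        if (string.IsNullOrEmpty(token) || !Tokens.TryRemove(Hash(token), out e)) return null;
        return e.ExpiresUtc > DateTime.UtcNow ? e.UserName : null;
    }
}

public class TokenLogin : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string userName = LoginTokenStore.Redeem(Request.QueryString["token"]);
        if (userName == null) { Response.Redirect(FormsAuthentication.LoginUrl); return; }
        FormsAuthentication.SetAuthCookie(userName, false); // session cookie, not persistent
        Response.Redirect(FormsAuthentication.DefaultUrl);  // drops the token from the URL
    }
}
```

Because the token still travels in the URL, it can end up in server logs, browser history and Referer headers; the single-use removal, short lifetime and immediate redirect limit how long a captured token remains useful.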
 
