What is the best way to login my website from another website?

Discussion in 'ASP .Net' started by rockdale, Jul 5, 2007.

  1. rockdale

    rockdale Guest

    Hi, all:

    I have a website with its own login page. Now one of my clients want
    their employees log into my website from their website. They want to
    have their login page (look and feel are different and hosted on
    another web server) and then send the user id and pwd to my login
    page. What is the best to do this?

    Pass the user id and pwd on the url is not a solution since everybody
    will see the user's credential.

    We are trying to build their login page like following:

    <form action="https://mywebsite/Login.aspx" id="form1" name="form1"
    method="post" action="" style="padding:0; margin:0;">
    <input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET"
    value="" />
    <input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT"
    value="" />
    <input name="txtUserID" type="text" size="18" />
    <input name="txtPWD" type="password" size="18" />
    <input name="Submit" type="submit" style="font-size: 10px;"
    value="Login" />
    </form>

    But we got the error
    Invalid postback or callback argument. Event validation is enabled
    using <pages enableEventValidation="true"/> in configuration or <%@
    Page EnableEventValidation="true" %> in a page.

    I do not think Disable Event validation is a good idea.

    Is there any other better approach?

    Thanks a lot.
    rockdale, Jul 5, 2007
    #1
    1. Advertising

  2. rockdale

    Patrice Guest

    AFAIK ASP.NET checks posted data to make sure that they are coming from a
    page that was served by the same server.

    I would just post to the same page and would transmit data behind the scene
    using a web service...



    "rockdale" <> a écrit dans le message de news:
    ...
    > Hi, all:
    >
    > I have a website with its own login page. Now one of my clients want
    > their employees log into my website from their website. They want to
    > have their login page (look and feel are different and hosted on
    > another web server) and then send the user id and pwd to my login
    > page. What is the best to do this?
    >
    > Pass the user id and pwd on the url is not a solution since everybody
    > will see the user's credential.
    >
    > We are trying to build their login page like following:
    >
    > <form action="https://mywebsite/Login.aspx" id="form1" name="form1"
    > method="post" action="" style="padding:0; margin:0;">
    > <input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET"
    > value="" />
    > <input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT"
    > value="" />
    > <input name="txtUserID" type="text" size="18" />
    > <input name="txtPWD" type="password" size="18" />
    > <input name="Submit" type="submit" style="font-size: 10px;"
    > value="Login" />
    > </form>
    >
    > But we got the error
    > Invalid postback or callback argument. Event validation is enabled
    > using <pages enableEventValidation="true"/> in configuration or <%@
    > Page EnableEventValidation="true" %> in a page.
    >
    > I do not think Disable Event validation is a good idea.
    >
    > Is there any other better approach?
    >
    > Thanks a lot.
    >
    Patrice, Jul 5, 2007
    #2
    1. Advertising

  3. rockdale

    rockdale Guest

    So what you mean is I write a web service to accept the user id and
    pwd that they passed and do authorization, But how can I redirect them
    to my member's home page after I validate user id and pwd?

    Thanks for your help

    On Jul 5, 12:08 pm, "Patrice" <http://www.chez.com/scribe/> wrote:
    > AFAIK ASP.NET checks posted data to make sure that they are coming from a
    > page that was served by the same server.
    >
    > I would just post to the same page and would transmit data behind the scene
    > using a web service...
    >
    > "rockdale" <> a écrit dans le message de news:
    > ...
    >
    >
    >
    > > Hi, all:

    >
    > > I have a website with its own login page. Now one of my clients want
    > > their employees log into my website from their website. They want to
    > > have their login page (look and feel are different and hosted on
    > > another web server) and then send the user id and pwd to my login
    > > page. What is the best to do this?

    >
    > > Pass the user id and pwd on the url is not a solution since everybody
    > > will see the user's credential.

    >
    > > We are trying to build their login page like following:

    >
    > > <form action="https://mywebsite/Login.aspx" id="form1" name="form1"
    > > method="post" action="" style="padding:0; margin:0;">
    > > <input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET"
    > > value="" />
    > > <input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT"
    > > value="" />
    > > <input name="txtUserID" type="text" size="18" />
    > > <input name="txtPWD" type="password" size="18" />
    > > <input name="Submit" type="submit" style="font-size: 10px;"
    > > value="Login" />
    > > </form>

    >
    > > But we got the error
    > > Invalid postback or callback argument. Event validation is enabled
    > > using <pages enableEventValidation="true"/> in configuration or <%@
    > > Page EnableEventValidation="true" %> in a page.

    >
    > > I do not think Disable Event validation is a good idea.

    >
    > > Is there any other better approach?

    >
    > > Thanks a lot.- Hide quoted text -

    >
    > - Show quoted text -
    rockdale, Jul 5, 2007
    #3
  4. rockdale

    Chad Scharf Guest

    If your customer's site is a trusted site and the only one served by your
    application you could give them a generated <machineKey /> tag for thier
    site's web config to match your site's web.config. That would spoof your app
    into passing the post from thier login page as if it had come from the same
    server.

    This is assuming of course that thier web site is an ASP.NET web site or at
    least an IIS hosted web site that can be configured using the .NET framework
    and a web.config file.

    "Patrice" <http://www.chez.com/scribe/> wrote in message
    news:...
    > AFAIK ASP.NET checks posted data to make sure that they are coming from a
    > page that was served by the same server.
    >
    > I would just post to the same page and would transmit data behind the
    > scene using a web service...
    >
    >
    >
    > "rockdale" <> a écrit dans le message de news:
    > ...
    >> Hi, all:
    >>
    >> I have a website with its own login page. Now one of my clients want
    >> their employees log into my website from their website. They want to
    >> have their login page (look and feel are different and hosted on
    >> another web server) and then send the user id and pwd to my login
    >> page. What is the best to do this?
    >>
    >> Pass the user id and pwd on the url is not a solution since everybody
    >> will see the user's credential.
    >>
    >> We are trying to build their login page like following:
    >>
    >> <form action="https://mywebsite/Login.aspx" id="form1" name="form1"
    >> method="post" action="" style="padding:0; margin:0;">
    >> <input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET"
    >> value="" />
    >> <input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT"
    >> value="" />
    >> <input name="txtUserID" type="text" size="18" />
    >> <input name="txtPWD" type="password" size="18" />
    >> <input name="Submit" type="submit" style="font-size: 10px;"
    >> value="Login" />
    >> </form>
    >>
    >> But we got the error
    >> Invalid postback or callback argument. Event validation is enabled
    >> using <pages enableEventValidation="true"/> in configuration or <%@
    >> Page EnableEventValidation="true" %> in a page.
    >>
    >> I do not think Disable Event validation is a good idea.
    >>
    >> Is there any other better approach?
    >>
    >> Thanks a lot.
    >>

    >
    >
    Chad Scharf, Jul 5, 2007
    #4
  5. rockdale

    Patrice Guest

    IMO *they* should redirect to your site based upon the web service result
    (if credentials are not valid, they'll need to display the page
    again).They'll likely then pass a guid associated with the user you returned
    to them so that you know which user it is. Make sure this is a temporary
    guid so that it is not usable for ages if stolen (changed at least each time
    a new login request is issued).

    Or else Chad solution that would be what you would do for your inhouse
    servers (though I would likely prefer to be "explicit" about such a link
    with external world).

    Oh BTW, you may want to explain the overall goal as I'm not sure to have
    caught the details (basically if all they do is hosting the login page you
    could perhaps have a customized login page for them on your own web site ?).
    They are not using those credentials at all at their site ?

    --
    Patrice

    "rockdale" <> a écrit dans le message de news:
    ...
    So what you mean is I write a web service to accept the user id and
    pwd that they passed and do authorization, But how can I redirect them
    to my member's home page after I validate user id and pwd?

    Thanks for your help

    On Jul 5, 12:08 pm, "Patrice" <http://www.chez.com/scribe/> wrote:
    > AFAIK ASP.NET checks posted data to make sure that they are coming from a
    > page that was served by the same server.
    >
    > I would just post to the same page and would transmit data behind the
    > scene
    > using a web service...
    >
    > "rockdale" <> a écrit dans le message de news:
    > ...
    >
    >
    >
    > > Hi, all:

    >
    > > I have a website with its own login page. Now one of my clients want
    > > their employees log into my website from their website. They want to
    > > have their login page (look and feel are different and hosted on
    > > another web server) and then send the user id and pwd to my login
    > > page. What is the best to do this?

    >
    > > Pass the user id and pwd on the url is not a solution since everybody
    > > will see the user's credential.

    >
    > > We are trying to build their login page like following:

    >
    > > <form action="https://mywebsite/Login.aspx" id="form1" name="form1"
    > > method="post" action="" style="padding:0; margin:0;">
    > > <input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET"
    > > value="" />
    > > <input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT"
    > > value="" />
    > > <input name="txtUserID" type="text" size="18" />
    > > <input name="txtPWD" type="password" size="18" />
    > > <input name="Submit" type="submit" style="font-size: 10px;"
    > > value="Login" />
    > > </form>

    >
    > > But we got the error
    > > Invalid postback or callback argument. Event validation is enabled
    > > using <pages enableEventValidation="true"/> in configuration or <%@
    > > Page EnableEventValidation="true" %> in a page.

    >
    > > I do not think Disable Event validation is a good idea.

    >
    > > Is there any other better approach?

    >
    > > Thanks a lot.- Hide quoted text -

    >
    > - Show quoted text -
    Patrice, Jul 5, 2007
    #5
  6. rockdale

    Chad Scharf Guest

    I've also used a solution for public domain "single sign on" scenarios where
    we've delivered a "public key" to the customer to encrypt a user name and
    password pair into a 64-bit hashed string and pass it back in the URL where
    we would then unencrypt it and use the the credentials to authenticate the
    user and auto-generate thier forms authentication ticket. It's a bit
    elaborate but it works.

    I like the web service and temporary GUID solution as well. That's one I've
    never thought of before but seems rock solid if there's minimal trust
    between the 2 environments for integration purposes.

    "Patrice" <http://www.chez.com/scribe/> wrote in message
    news:...
    > IMO *they* should redirect to your site based upon the web service result
    > (if credentials are not valid, they'll need to display the page
    > again).They'll likely then pass a guid associated with the user you
    > returned to them so that you know which user it is. Make sure this is a
    > temporary guid so that it is not usable for ages if stolen (changed at
    > least each time a new login request is issued).
    >
    > Or else Chad solution that would be what you would do for your inhouse
    > servers (though I would likely prefer to be "explicit" about such a link
    > with external world).
    >
    > Oh BTW, you may want to explain the overall goal as I'm not sure to have
    > caught the details (basically if all they do is hosting the login page you
    > could perhaps have a customized login page for them on your own web site
    > ?). They are not using those credentials at all at their site ?
    >
    > --
    > Patrice
    >
    > "rockdale" <> a écrit dans le message de news:
    > ...
    > So what you mean is I write a web service to accept the user id and
    > pwd that they passed and do authorization, But how can I redirect them
    > to my member's home page after I validate user id and pwd?
    >
    > Thanks for your help
    >
    > On Jul 5, 12:08 pm, "Patrice" <http://www.chez.com/scribe/> wrote:
    >> AFAIK ASP.NET checks posted data to make sure that they are coming from a
    >> page that was served by the same server.
    >>
    >> I would just post to the same page and would transmit data behind the
    >> scene
    >> using a web service...
    >>
    >> "rockdale" <> a écrit dans le message de news:
    >> ...
    >>
    >>
    >>
    >> > Hi, all:

    >>
    >> > I have a website with its own login page. Now one of my clients want
    >> > their employees log into my website from their website. They want to
    >> > have their login page (look and feel are different and hosted on
    >> > another web server) and then send the user id and pwd to my login
    >> > page. What is the best to do this?

    >>
    >> > Pass the user id and pwd on the url is not a solution since everybody
    >> > will see the user's credential.

    >>
    >> > We are trying to build their login page like following:

    >>
    >> > <form action="https://mywebsite/Login.aspx" id="form1" name="form1"
    >> > method="post" action="" style="padding:0; margin:0;">
    >> > <input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET"
    >> > value="" />
    >> > <input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT"
    >> > value="" />
    >> > <input name="txtUserID" type="text" size="18" />
    >> > <input name="txtPWD" type="password" size="18" />
    >> > <input name="Submit" type="submit" style="font-size: 10px;"
    >> > value="Login" />
    >> > </form>

    >>
    >> > But we got the error
    >> > Invalid postback or callback argument. Event validation is enabled
    >> > using <pages enableEventValidation="true"/> in configuration or <%@
    >> > Page EnableEventValidation="true" %> in a page.

    >>
    >> > I do not think Disable Event validation is a good idea.

    >>
    >> > Is there any other better approach?

    >>
    >> > Thanks a lot.- Hide quoted text -

    >>
    >> - Show quoted text -

    >
    >
    >
    Chad Scharf, Jul 5, 2007
    #6
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. William F. Robertson, Jr.
    Replies:
    0
    Views:
    430
    William F. Robertson, Jr.
    Jul 2, 2003
  2. Ashraf Fouad
    Replies:
    0
    Views:
    351
    Ashraf Fouad
    May 22, 2004
  3. Dav Tan
    Replies:
    4
    Views:
    9,675
    Steven Cheng[MSFT]
    Apr 28, 2006
  4. JJ
    Replies:
    1
    Views:
    383
  5. Eddy Xu
    Replies:
    5
    Views:
    112
    Eddy Xu
    Apr 11, 2008
Loading...

Share This Page