D
daokfella
I have a Login.aspx page that takes care of all my login procedures
(validation, lockouts, password change requirements, password
retrieval, etc.) It works like a charm. However, now I'd like a "quick
login" control to appear in the banner at the top of my master page.
This control will just have a username and password textbox and login
button. I want to reuse all the same code. Plus, if the credentials
are incorrect, or additional actions are needed (e.g., a required
password change), I'd like the user to land on my normal Login page to
perform all the actions.
I don't want to have to duplicate any login code. My initial attempt
is by using Server.Transfer in the click event of the login button of
my "quick login" control. In the Page_Load (not postback) of my normal
Login page, I sniff out any username/password form fields. If they
exist, I assign them to the username and password fields of the login
page and simply call the btnLogin_Click() method. This works great. If
the login is successul, btnClick_Login() redirects the user to the
ReturnUrl querystring value (which I also pass with server.transfer).
If it's not, or additional measures are needed, the user remains on my
Login.aspx page and the code handles evrything else.
However, MSDN docs say not to pass sensitive information such as CC
numbers or passwords when using Server.Transfer. My question is, why
not? How is transferring the request from one page in my app to
another any less secure than the user entering the fields and
submitting them like usual? If anything, I could encrypt the password
before the server transfer which would then be decrypted by the Login
page. But is it really necessary?
If there is a better way to accomplish what I'm trying to do, please
let me know.
Thanks,
Jason
(validation, lockouts, password change requirements, password
retrieval, etc.) It works like a charm. However, now I'd like a "quick
login" control to appear in the banner at the top of my master page.
This control will just have a username and password textbox and login
button. I want to reuse all the same code. Plus, if the credentials
are incorrect, or additional actions are needed (e.g., a required
password change), I'd like the user to land on my normal Login page to
perform all the actions.
I don't want to have to duplicate any login code. My initial attempt
is by using Server.Transfer in the click event of the login button of
my "quick login" control. In the Page_Load (not postback) of my normal
Login page, I sniff out any username/password form fields. If they
exist, I assign them to the username and password fields of the login
page and simply call the btnLogin_Click() method. This works great. If
the login is successul, btnClick_Login() redirects the user to the
ReturnUrl querystring value (which I also pass with server.transfer).
If it's not, or additional measures are needed, the user remains on my
Login.aspx page and the code handles evrything else.
However, MSDN docs say not to pass sensitive information such as CC
numbers or passwords when using Server.Transfer. My question is, why
not? How is transferring the request from one page in my app to
another any less secure than the user entering the fields and
submitting them like usual? If anything, I could encrypt the password
before the server transfer which would then be decrypted by the Login
page. But is it really necessary?
If there is a better way to accomplish what I'm trying to do, please
let me know.
Thanks,
Jason