GBGY
|
Posted: 04/10/2005, 6:43 AM |
|
Hi, all
Is it possible to modify a Login page that is reached from another web site, where the login name and password are passed from the referring site?
E.g. I have logged in to http://www.mysite1.com with username abc and password abc, and I have a link on this site that redirects to http://www.mysite2.com/Login.asp?username=abc,password=abc; then the Login page at http://www.mysite2.com/Login.aspx will automatically validate the request.
If possible, please post code or explain how.
Many Thanks
|
|
|
rclayh
Posts: 8
|
Posted: 04/11/2005, 7:10 AM |
|
It's not secure if you pass the login and password in the query string. It is possible to bypass the login page (or rather autologin), again only in an environment where security is a lower priority. All you would have to do in CodeCharge is redirect them to any page in your site that requires a login. This will invoke the CCS login page. If I was doing it, I would probably set a couple of session variables, login and password. Here is a code snippet I created in the Before Show page event.
'Pull the identity from the windows login
Dim CurrentUser As String = Web.HttpContext.Current.User.Identity.Name.ToString()
'End Pull Identity
If InStr(CurrentUser, "IUSR") > 0 Then
    'They are not logged in as a specific user load the login form
Else
    'Need to split the CurrentUser at the \
    Dim myIndex As Integer = CurrentUser.IndexOf("\")
    CurrentUser = CurrentUser.Remove(0, myIndex + 1)
    'Double any single quote so the name cannot break out of the SQL string literal
    Dim mySql As String = "SELECT UserPassword FROM Personnel WHERE UserName='" & CurrentUser.Replace("'", "''") & "'"
    Dim myResult As Object = Settings.conHelpDeskSQLDataAccessObject.ExecuteScalar(mySql)
    'Skip the auto-login if the lookup returned nothing (user not in Personnel)
    If Not (myResult Is Nothing) Then
        Dim myUserPassword As String = myResult.ToString()
        'Here is the code that bypasses actually having to login....
        If DBUtility.CheckUser(CurrentUser, myUserPassword) Then
            If Not (HttpContext.Current.Request("ret_link") Is Nothing) Then
                If Not (HttpContext.Current.Request("ret_link") = "") Then
                    Response.Redirect(HttpContext.Current.Request("ret_link"))
                End If
            End If
        End If
    End If
End If
'End snippet
In this snippet I'm assuming if they passed windows security they are OK and I'm just pulling their password from the database. I'm performing the same validation that CodeCharge's login button does and invoking the redirect back to the calling page.
No separate login required - if they passed windows security and they are in the user database they can use the app, no problem.
Hope this helps.
Clay
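
The checks that the snippet above depends on, as an added example that is not part of the original post and not CodeCharge's own code: it parses the Windows identity and follows ret_link only when it is a path on the same site. The module and function names, the root-relative ret_link format, the "/Default.aspx" fallback and the isKnownUser callback (standing in for the Personnel lookup) are assumptions.

```vbnet
Imports System

Module AutoLoginChecks
    ' Account name from "DOMAIN\user"; Nothing for an anonymous request
    ' (empty identity or the IIS guest account IUSR_<machine>).
    Function AccountName(identityName As String) As String
        If String.IsNullOrEmpty(identityName) Then Return Nothing
        Dim name As String = identityName.Substring(identityName.LastIndexOf("\"c) + 1)
        If name.Length = 0 Then Return Nothing
        If name.StartsWith("IUSR", StringComparison.OrdinalIgnoreCase) Then Return Nothing
        Return name
    End Function

    ' Assumption: ret_link is a root-relative path such as "/Tickets.aspx?id=4".
    ' Absolute URLs and the "//host" and "/\host" forms, which browsers resolve
    ' to another site, are rejected, as are control characters.
    Function IsLocalReturnLink(link As String) As Boolean
        If String.IsNullOrEmpty(link) OrElse link(0) <> "/"c Then Return False
        If link.Length > 1 AndAlso (link(1) = "/"c OrElse link(1) = "\"c) Then Return False
        For Each ch As Char In link
            If Char.IsControl(ch) Then Return False
        Next
        Return True
    End Function

    ' Where to send the request; Nothing means "show the login form".
    ' isKnownUser is a hypothetical stand-in for the Personnel table lookup;
    ' "/Default.aspx" is a hypothetical fallback page.
    Function AutoLoginTarget(identityName As String, retLink As String,
                             isKnownUser As Func(Of String, Boolean)) As String
        Dim user As String = AccountName(identityName)
        If user Is Nothing OrElse Not isKnownUser(user) Then Return Nothing
        Return If(IsLocalReturnLink(retLink), retLink, "/Default.aspx")
    End Function

    Sub Main()
        ' Constructed sample data: one known user and four requests.
        Dim known As Func(Of String, Boolean) = Function(u) u.ToLowerInvariant() = "clay"
        Dim samples As String()() = {
            New String() {"CORP\clay", "/Tickets.aspx?id=4"},
            New String() {"CORP\clay", "//other.example/Login.aspx"},
            New String() {"SERVER\IUSR_SERVER", "/Tickets.aspx"},
            New String() {"CORP\mallory", "/Tickets.aspx"}}
        For Each s As String() In samples
            Dim target As String = AutoLoginTarget(s(0), s(1), known)
            Console.WriteLine("{0,-20} {1,-28} -> {2}", s(0), s(1), If(target, "(login form)"))
        Next
    End Sub
End Module
```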