tags:

views:

33

answers:

2
Q: 

Is there a way to "sign" an HTTP Post in asp.net?

I have users with accounts on Site A. Site A has been around a long time, and it's expensive (but not impossible) to change its code.

Site B (I'm working on it now!) hosts a brand new web app for the customers of Site A. The Site B app has a list of the usernames from Site A, and maintains preferences and other information about each of those users that pertains to their usage of Site B. Site A and B are different platforms. I think Site A is coldfusion, and Site B is ASP.NET MVC.

I want users to be able to click a link in Site A that logs them into the app on Site B. I was thinking it might work like this:

0) If user tries to go straight to Site B, they just get redirected to Site A to be authenticated.

1) User logs into Site A.

2) Once logged into Site A, they can click a link that takes them to Site B. I was thinking I would do an HTTP Post from Site A to Site B with the username, so Site B knows who is logging in and how to render their pages based on their preferences.

Of course, I don't want any Joe Schmoe to be able to do an HTTP POST to Site B with a username and get to be logged in as that user.

So I was wondering if, using certificates or something, I could make it so Site B is able to know for certain that the POST really came from Site A. Do I need / Can I use certificates for this? Maybe Site A can somehow "sign" its post so Site B can know for sure the post came from Site A?

Or could just a password be enough, where Site A posts a password over SSL along with the username that only Site B knows?

I'm also open to the idea of Site A posting the username and a GUID to Site B, which Site B would then "ask" Site A via a web service if this is indeed a recent and valid GUID that did in fact originate at Site A, but that seems like a trip I can eliminate.

I hope that is descriptive enough. Please feel free to have me explain more. Thank you for your help. :)

A: 

You may like to look into OAuth.

Noon Silk  2009-09-30 03:46:22
Could the person who downvoted this give a reason? I haven't looked into OAuth, but it would be nice to know why this is a bad idea if it is a bad idea.
David Stratton  2009-09-30 03:51:52
+2  A: 

Another option would be..

  • User signs into site A.

  • Site A creates a guid that is associated with this user but will expire in 5 seconds or some short time frame.

  • The user is redirected to siteB?UserID=SomId&ConfirmationId=Some Guid

  • Site B calls a web service on Site A, passing the UserID and Guid and checks to see if this is a valid redirect. (The web service just returns a true or a false).

This solves your issue of trust, as site B is explicitly querying site A, so site B KNOWS that it is using Site A for authentication, and not just blindly trusting that the confirmation is coming from a redirect from site A.

Also, a Guid is unique enough that it's unlikely to be guessed by hackers, and finally, the expiration makes it so that if a hacker DOES guess the guid, it will likely have expired by the time it's been guessed.

Of course, you'll want this all done over SSL.

David Stratton  2009-09-30 03:48:50
Cool... this was my last idea (in my second-to-last paragraph). I think it's the most secure idea so far, but I was just hoping to get rid of that web service call. It's pretty lightweight, so if I can't get rid of it, I'll live! Thanks for your reply.
Chris  2009-09-30 03:53:34
Yeah, I guess I did give you an answer you had already provided. Sorry.
David Stratton  2009-09-30 04:02:58
That's ok! The fact that someone with 4000 rep conceived it independently provides me with much-needed validation. :)
Chris  2009-09-30 04:05:43
Guid's are unique but not cryptographically secure. This is unwise.
Noon Silk  2009-09-30 04:45:19
Silky, I am not sure what you mean by that. If you have a better answer, can you please post it?
Chris  2009-10-01 14:25:18

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps