Hi! I have a smart client application being deployed with a ClickOnce webpage.

Here's the current scenario.

1. User runs the application, and the application shows a login form.
2. User enters ID/Password in the login form, and the application sends that information to the server.
3. The server authenticates the user and sends configuration and data to the application. Different users have different configuration and data for their application.

I was concerned that anyone can download the application from the webpage if they know the URL.

So I'm trying to change the authentication scheme, so that users can log in at the webpage to download the application.

I want to send the authentication info from the webpage (program running at the server) to the smart client app, so that the application can download the configuration information from the server, without prompting users to log in again.

How can the webpage send the ID/Password to the application securely?

A: 

First, there is no easy way to make a website send data to an application on the client side. You can try to use JavaScript or ActiveX to execute it with parameters after the login to the webpage, but still, it requires the client to give the webpage some trust.

So, you have to make the application "ping" the server every few seconds when in standby mode (or use some kind of COMET to avoid unnecessary bandwidth usage), and when the user logs in in his browser, make sure that the data is available for the next time the application "pings" the server for the data, or if you chose COMET, just send the data to the app and close the connection. You can use the IP of the client as some short-time identifier to know that the login in the web page and the application are on the same client.

Hope it helps.
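
The polling handoff described in this answer, as an added server-side sketch in Python (not code from the question or the answer). It assumes the server hands the application a random, single-use session token rather than the ID/Password; the class and method names, the 30-second lifetime and the sample addresses are all constructed for illustration.

```python
import secrets
import time


class PendingLoginStore:
    """Holds one short-lived, single-use token per client IP between web login and app poll."""

    def __init__(self, ttl_seconds=30, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be exercised without sleeping
        self._pending = {}          # client_ip -> (user_id, token, expires_at)
        self._sessions = {}         # token -> user_id, filled only once the app has claimed it

    def web_login_succeeded(self, client_ip, user_id):
        """Called by the web page after it has authenticated the user."""
        token = secrets.token_urlsafe(32)   # random value; the password never leaves the login request
        self._pending[client_ip] = (user_id, token, self.clock() + self.ttl)
        return token

    def app_poll(self, client_ip):
        """Called on each application "ping"; returns (user_id, token) once, otherwise None."""
        entry = self._pending.pop(client_ip, None)   # pop makes the handoff single-use
        if entry is None:
            return None
        user_id, token, expires_at = entry
        if self.clock() > expires_at:
            return None   # login is too old; the app falls back to its own login form
        self._sessions[token] = user_id
        return user_id, token

    def user_for_token(self, token):
        """Used by the configuration endpoint to map a presented token to a user."""
        return self._sessions.get(token)


if __name__ == "__main__":
    store = PendingLoginStore()
    store.web_login_succeeded("203.0.113.7", "alice")   # constructed sample address and user
    print(store.app_poll("198.51.100.9"))               # different client: None
    print(store.app_poll("203.0.113.7") is not None)    # same client, first poll: True
    print(store.app_poll("203.0.113.7"))                # replayed poll: None
```

Clients behind the same NAT or proxy present the same IP, so the address alone does not tell them apart; the short lifetime and single-use claim narrow that window but do not close it.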