We have a client/server application with a rich client front end (in .Net) and also an administration portal (Asp.Net). Currently users have to sign on in both the rich client and on the website. We'd like to enable them to sign into the rich client, but not have to sign on to the website if they launch it from within the client. How can we do that?
Going the other way is less important, but would be nice if possible: signing on to the website, then not having to sign into the rich client.
You could add a token, to identify them, to the URL which opens the site.
You'll have to add some security to the token: TTL, a hash, a salt
A possible solution is:
Make sure there is a timeout on the token, say 2-5 minutes, to ensure it is authentic.
simple token solutions suffer from a design flaw: you will have some sort of secret that can be reverse-engineered if wanted. this can be avoided entirely if dome correct.
i would propose a challenge-response algorithm.
*) user loggs in to rich client with pw
*) from salt+password a sha256 or similar hash is calculated. (Hash A)
*) user klicks "go to website" link.
*) a http response is started (such as as a webservice), user fetches "get ticket number" for user account. this ticket will be valid for a short time (some minutes)
*) client calculates hash(HashA+ticket) HashB
*) finally - browser is pointed to www.example.org/?username=donkey&key=99754106633f94d350db34d548d6091a
*) server checks if his calculated hash is the same as the one submitted.
advantages of this method:
-server never knows password, only salted hash.
-even the hash is never transmitted through the wire -> no replay attacks.