Unless you’re going to embed your SL app in a little corner of your home page, you will presumably be offering the user the ability to input their username and password from a DHTML-based login box. Go to the GMail homepage to see an example of putting a small login in the corner of a homepage — I know, gmail doesn’t use SL to power the gmail client, but you can close your eyes and pretend 😉
The question then is: how do we get these credentials safely to your Silverlight app?
Step 1: Post the login info to the webpage hosting your Silverlight app.
Use something like the following HTML on the page you want to log in from:
<form action="./App/default.aspx" method="post">
  <table>
    <tr>
      <td>Username:</td>
      <td><input type="text" name="username" /></td>
    </tr>
    <tr>
      <td>Password:</td>
      <td><input type="password" name="password" /></td>
    </tr>
  </table>
  <div><input type="submit" value="Login" /></div>
</form>
WARNING: Always use HTTPS for this post. Otherwise the username and password cross the internet in clear text, readable by anyone on the path.
Step 2: Pass a protected version of the login information to your Silverlight xap.
In the server-side script that handles the post (and hosts your Silverlight app), you can pass information down to the client in a number of ways:
1) Putting the information in the querystring.
2) Putting the information in a cookie.
3) Embedding the information in the initParams parameter of the Object tag that contains your Silverlight app (this can be done indirectly by setting the InitParameters property of the ASP.NET Silverlight control).
Check out Tim Heuer’s video for more info on options 1 and 3.
Here’s where it gets tricky… Regardless of which approach we choose, we must take care because the information we’re passing along is the user’s password! In all three methods above, the data we pass ends up saved somewhere unencrypted on the user’s hard drive. Not good! With the first option (the query string), the data shows up in the browser history, because it is part of the URL and the browser remembers URLs by writing them to a file on the user’s hard drive. Cookies are also stored unencrypted on the user’s hard drive, as is the source of any cached HTML page. That’s right: setting initParams puts that data right in your HTML, only to be cached on the user’s hard drive.
Therefore, we need to find a good way to keep the user’s data protected. Here are three options (with one clear winner).
1) Encrypt the password. While this makes sure that only an encrypted password ends up on the user’s hard drive, consider this: either you would need to decrypt the password on the client before sending it up to the server (which means shipping your key in your client code – NOT GOOD), or you’d have to create a web service that accepts an encrypted password as a way to log in… which means the encrypted password would be just as useful for logging on as the real thing! Either way, you leave a hole that could be exploited.
2) Hash the password (presumably exactly the way you hash it before storing it in the database). However, this creates the same problem as encryption: for the hash to be useful as a login credential, you would need a web service that accepts the hashed password as a valid credential, which makes the hash just as valuable as the real deal.
3) The clear winner: create and send down a token or session ID that can be used to look up the user’s login information one time only. First, this is better because no variation of the password is stored on the user’s hard drive, just a random ID (a bonus, because given enough resources any encrypted data can technically still be cracked). Second, the token or session ID is destroyed almost immediately after it is issued, so even if someone did get hold of it, it would almost certainly be useless by then.
Step 3: Retrieve the username and password from Silverlight.
We can see the finish line! The only thing left is to retrieve the token or session ID from within your Silverlight app and pass that up to the server instead of the username and password. If you passed your token through the query string, you can access it from within Silverlight via the QueryString dictionary:
Dim LoginToken As String = System.Windows.Browser.HtmlPage.Document.QueryString("LoginToken")
If you passed it via the Silverlight object’s initParams parameter you can access it in the StartupEventArgs.InitParams dictionary that is passed into the Application Startup event:
Private Sub Application_Startup(ByVal o As Object, ByVal e As StartupEventArgs) Handles Me.Startup
    ' InitParams is a dictionary, so check for the key before indexing it
    Dim LoginToken As String = Nothing
    If e.InitParams.ContainsKey("LoginToken") Then
        LoginToken = e.InitParams("LoginToken")
    End If
End Sub
And if you set a cookie, you can access it via:
Dim Cookies As New Dictionary(Of String, String)
' document.cookie looks like "name1=value1; name2=value2", so trim the
' space that follows each ";" before splitting the name from the value
Dim CookieEntries() As String = _
    System.Windows.Browser.HtmlPage.Document.Cookies.Split(";"c)
For Each Entry As String In CookieEntries
    ' Split on the first "=" only, so a value that itself contains "=" survives
    Dim KeyValue() As String = Entry.Trim().Split(New Char() {"="c}, 2)
    If KeyValue.Length = 2 Then Cookies(KeyValue(0)) = KeyValue(1)
Next
Dim LoginToken As String = Nothing
Cookies.TryGetValue("LoginToken", LoginToken)
And there we have it! Once you have your LoginToken, create a web service that accepts it as valid login information. On the service end, use it to look up the stored login information (in a session variable or database), and purge that data immediately on use so that no one can ever reuse that LoginToken.
In the end you have a secure technique that lets your users log in to your Silverlight application from other places, ultimately making your application more prominent and accessible to users.
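The server side that Steps 2 and 3 leave implicit (issue a random token for the posted credentials, then let the web service redeem it exactly once) looks like this. It is an added example, not code from the post or its downloadable sample; the class and member names (LoginTokenStore, Issue, Redeem) and the 30-second lifetime are assumptions.

```vbnet
' Added example, not from the original post: an in-process one-time login-token
' store. Issue() is called by the page that receives the form post, Redeem() by the
' login web service. All names here are hypothetical.
Imports System
Imports System.Collections.Generic
Imports System.Security.Cryptography

Public Class LoginTokenStore
    Private Class Entry
        Public Username As String
        Public Password As String
        Public ExpiresUtc As DateTime
    End Class

    Private ReadOnly _entries As New Dictionary(Of String, Entry)()
    Private Shared ReadOnly Lifetime As TimeSpan = TimeSpan.FromSeconds(30)

    ' Issue a random 256-bit token (hex, so it is safe in a query string, cookie
    ' or initParams) that maps to the credentials just posted to the page.
    Public Function Issue(ByVal username As String, ByVal password As String) As String
        Dim raw(31) As Byte
        Dim rng As New RNGCryptoServiceProvider()
        rng.GetBytes(raw)
        Dim token As String = BitConverter.ToString(raw).Replace("-", "")
        Dim e As New Entry With {.Username = username, .Password = password, .ExpiresUtc = DateTime.UtcNow.Add(Lifetime)}
        SyncLock _entries
            _entries(token) = e
        End SyncLock
        Return token
    End Function

    ' Redeem a token exactly once. The entry is removed on the first call whether
    ' or not it has expired, so a token recovered later from browser history, a
    ' cookie file or the cached page cannot be replayed.
    Public Function Redeem(ByVal token As String, ByRef username As String, _
                           ByRef password As String) As Boolean
        username = Nothing : password = Nothing
        If String.IsNullOrEmpty(token) Then Return False
        SyncLock _entries
            Dim e As Entry = Nothing
            If Not _entries.TryGetValue(token, e) Then Return False
            _entries.Remove(token)
            If DateTime.UtcNow > e.ExpiresUtc Then Return False
            username = e.Username : password = e.Password
            Return True
        End SyncLock
    End Function
End Class
```

In default.aspx.vb you would call Issue(Request.Form("username"), Request.Form("password")) and set the Silverlight control's InitParameters to "LoginToken=" & token; the web service then calls Redeem once and authenticates with whatever it returns. Because the dictionary lives in one process, this only works on a single server; a web farm needs the database-backed lookup the post mentions.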
Check out the source code here for a practical demonstration of the concepts discussed above. Both client and server projects are included.
Hi,
This post opens more questions than it answers, if I may say so. You mention for instance that we should create a token, but you don’t explain anywhere how this token must be created. I think it would be very beneficial to everyone if you showed how to create a working sample of what you describe here. Or at least, post a sample application.
Cheers,
Laurent
Hi Laurent, thanks for the feedback. I tried to keep the post confined to the Silverlight end of things and server agnostic but I agree that more info about generating and retrieving tokens on the server would be useful. I’ll try to put a little sample ASP.NET solution together to supplement.
[…] and if you haven’t checked out her site Mashooo.com, do so… she’s done a great job on it! Posting login credentials to your Silverlight app Tim Greenfield discusses and demonstrates adding a secure login with credentials to your Silverlight […]
[…] drive. Even if encrypted this is still vulnerable to hackers. For more info, see my other article on Posting login credentials to your Silverlight app where I go over the […]
Hi Tim,
Good article, thank you. My question is, how to use this same method to authenticate ADO.NET Data Service, i.e. how to send the user/pswd, or any other credential info to them?
Thanks
Gabriel
Do you know if this can also be completed using RIA? I am trying to follow the same login pattern as this article, but after I display my Silverlight page I don’t know how to get the information about the logged-in user.
Nathan