How to Parse Login Details to MVC from ASP.NET

I have an MVC App in a subfolder of an ASP.NET App that authenticates using LDAP.  The MVC login code below allows for login via URL.  What is the safest way to transfer this information without passing textbox values in the clear?  I also need to authorise from Roles stored in AD.  This would be a two-step automated process.  Can anyone help with this process?

My login.cshtml

@functions {

	//
	// Page class (login)
	//
	public class clogin<C, S> : clogin_base<C, S>
		where C : cConnection, new()
		where S : cAdvancedSecurity, new()
	{

		//
		// Server events
		//

	}

	// login
	public static clogin<cConnection, cAdvancedSecurity> login {
		get { return (clogin<cConnection, cAdvancedSecurity>)ew_PageData["login"]; }
		set { ew_PageData["login"] = value; }
	}

	// CurrentPage
	public static clogin<cConnection, cAdvancedSecurity> CurrentPage {
		get { return (clogin<cConnection, cAdvancedSecurity>)ew_PageData["CurrentPage"]; }
		set { ew_PageData["CurrentPage"] = value; }
	}

	// CurrentTable
	public static clogin<cConnection, cAdvancedSecurity> CurrentTable {
		get { return CurrentPage; }
		set { CurrentPage = value; }
	}
}
@{
	Layout = "_layout.cshtml";

	// Header
	ew_Header(true);

	// Create page object
	if (login == null) {
		login = new clogin<cConnection, cAdvancedSecurity>();
	}

	// Page init
	login.Page_Init();

	// Page main
	login.Page_Main();
}
<script type="text/javascript">

// Write your client script here, no need to add script tags.
</script>
<script type="text/javascript">
var flogin = new ew_Form("flogin");

// Validate function
flogin.Validate = function()
{
	var fobj = this.Form;
	if (!this.ValidateRequired)
		return true; // ignore validation
	if (!ew_HasValue(fobj.username))
		return ew_OnError(this, fobj.username, ewLanguage.Phrase("EnterUid"));
	if (!ew_HasValue(fobj.password))
		return ew_OnError(this, fobj.password, ewLanguage.Phrase("EnterPwd"));

	// Call Form Custom Validate event
	if (!this.Form_CustomValidate(fobj)) return false;
	return true;
}

// Form_CustomValidate function
flogin.Form_CustomValidate = 
 function(fobj) { // DO NOT CHANGE THIS LINE!

 	// Your custom validation code here, return false if invalid. 
 	return true;
 }

// Requires js validation
flogin.ValidateRequired = @((EW_CLIENT_VALIDATE) ? "true" : "false");
</script>
<p><span id="ewPageCaption" class="ewTitle ewLoginTitle">@Html.Raw(Language.Phrase("LoginPage"))</span></p>
@{
	login.ShowPageHeader();
}
@{
	login.ShowMessage();
}
<form name="flogin" id="flogin" class="ewForm" action="@ew_CurrentPage()" method="post" onsubmit="return ewForms[this.id].Submit();">
<table class="ewFormTable">
	<tr>
		<td><span class="aspnetmaker">@Html.Raw(Language.Phrase("Username"))</span></td>
		<td><span class="aspnetmaker"><input type="text" name="username" id="username" size="20" value="@login.Username"></span></td>
	</tr>
	<tr>
		<td><span class="aspnetmaker">@Html.Raw(Language.Phrase("Password"))</span></td>
		<td><span class="aspnetmaker"><input type="password" name="password" id="password" size="20" /></span></td>
	</tr>
	<tr>
		<td>&nbsp;</td>
		<td><span class="aspnetmaker">
		<label><input type="radio" name="type" id="type" value="a" @(Html.Raw(login.LoginType == "a" ? " checked=\"checked\"" : "")) />@Html.Raw(Language.Phrase("AutoLogin"))</label><br />
		<label><input type="radio" name="type" id="type" value="u" @(Html.Raw(login.LoginType == "u" ? " checked=\"checked\"" : "")) />@Html.Raw(Language.Phrase("SaveUserName"))</label><br />
		<label><input type="radio" name="type" id="type" value="" @(Html.Raw(login.LoginType == "" ? " checked=\"checked\"" : "")) />@Html.Raw(Language.Phrase("AlwaysAsk"))</label>
		</span></td>
	</tr>
</table>
<br />
<span class="aspnetmaker"><input type="submit" name="btnsubmit" id="btnsubmit" value="@ew_BtnCaption(Language.Phrase("Login"))" /></span>
</form>
<br />
<p class="aspnetmaker">
</p>
<script type="text/javascript">
flogin.Init();
</script>
@{
	login.ShowPageFooter();
	if (EW_DEBUG_ENABLED) {
		ew_Write(ew_DebugMsg());
		ew_Write(ew_ElapsedTime(StartTime));
	}
}
<script type="text/javascript">

// Write your startup script here
// document.write("page loaded");

</script>
@{
	login.Page_Terminate();
}

XGISAsked:

Julian HansenCommented:
Is there a reason you can not use Sessions or Cookies to persist info between the two?
0
XGISAuthor Commented:
It is not my strong point to say the least... I have my AD roles being created today, so at least I will have roles to work against.  They are inside a "secure" domain, although any information should be encrypted in the cookie or hashed in their SQL DB State Server... not AD, which I doubt I would have write permissions to.  The Database application is constructed with ASP.NET Web Pages (Razor) in C# with support for .NET 4 and above.

I am not sure how to get the ASP.NET Web Pages (Razor) to read and interpret a cookie, etc.
0
Julian HansenCommented:
This Microsoft article should give you a good overview of how to set and retrieve cookies in ASP.NET:

http://msdn.microsoft.com/en-us/library/ms178194.aspx

It should be as simple as
Response.Cookies["CookieName"].Value = "Value";
Response.Cookies["CookieName"].Expires = DateTime.Now.AddDays(1);

And

HttpCookie cookie = Request.Cookies["CookieName"];
// Property is Value (capital V); C# has no "then" keyword
if (cookie != null && cookie.Value == "Something") doSomething();

0
XGISAuthor Commented:
Hello julianH... thank you for the feedback... My issue is specific to authentication and authorisation from ASP.NET to MVC Razor.  I am OK at getting data into cookies or session, but not at transferring the information to Razor.  Session seems to be the safest compared to cookies, because even in a domain browsers are not to be trusted with cookies and sensitive information.

I am trying to work out how the security apparatus of ASP.NET Maker works to see where I can inject this information so that it accepts it.  Windows authentication is out.  I am sure the solution is simple but it is still evading me at present.
0
Julian HansenCommented:
OK, then I misunderstood your question. I read it to mean: how do you pass information from the one system to the other - hence the comment on sessions.

Session seems to be the safest compared to cookies because even in a domain browsers are not to be trusted with cookies and sensitive information
A session uses cookies to maintain the session (or in some cases an id put into the page) - either way the exposure is the same.

In terms of security if your cookie holds a GUID that points to a memory object or better still a database record then it is meaningless to the person on the other side.  Security risks should be the same.

With respect to the injecting problem - can you not store the credentials captured on  the ASP.Net side and then on the Razor side check if authenticated and if not re-authenticate using the cached credentials?
0
XGISAuthor Commented:
Hello julianH, thank you for your time. Please note we have a number of cookies now coming out of the ASP.NET app, e.g. ldapauth, ASP.NET Session and one other.  We have also planned one called DMPDB.  This is the same name as the cookie created by the MVC app after you authenticate.  From memory it contains the encrypted user and password details and is available for the session only.  We could probably parse that info to authenticate, eliminating the need for a query string.

Undoubtedly we will still have to use some custom code to match the AD role and UserLevelID and possibly parse it into session, etc.  I am sure that the integration of some logic along with the cookie may help resolve our issues.
Cheers Aaron
0
Julian HansenCommented:
We could probably parse that info to authenticate, eliminating the need for a query string.
A query string is not advisable - any sensitive information should stay server side.

My approach would be to authenticate in the one system. Store the information in a file or database with a unique identifier (GUID) that is either stored in the session or a cookie.

Complex data types would be serialised to the data store (file / db) using the GUID as a key.

When the information needs to be retrieved again the GUID is used to pull the data from the data store. The data is unserialised into a memory object and you should be good to go.
0
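The hand-off Julian describes (authenticate once, persist the result server side under a GUID, put only the GUID in a cookie, look the record up again on the MVC side) can be written as a small helper shared by both apps. The code below is an added illustration, not Julian's code and not anything generated by ASP.NET Maker; the cookie name DMPDB_HANDOFF, the AuthTicket shape, the two-minute lifetime, the one-time-use rule and the in-memory ConcurrentDictionary standing in for the "file or database" store are all my assumptions. It stores the username and AD roles only; the password never crosses the boundary because the MVC side does not need it to authorise.

```csharp
// Added example of a GUID-keyed server-side auth hand-off (not from the thread).
// Assumes System.Web and System.Runtime.Serialization are referenced (both in .NET 4).
using System;
using System.Collections.Concurrent;
using System.IO;
using System.Linq;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Json;
using System.Text;
using System.Web;

// The record that crosses the boundary. Deliberately carries no password:
// the MVC side only needs to know who the user is and which AD roles they hold.
[DataContract]
public class AuthTicket
{
    [DataMember] public string Username { get; set; }
    [DataMember] public string[] Roles { get; set; }
    [DataMember] public DateTime ExpiresUtc { get; set; }
}

public static class AuthHandoff
{
    public const string CookieName = "DMPDB_HANDOFF";          // assumed name
    static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(2); // assumed lifetime

    // Stand-in for the "file or database" data store keyed by the GUID. A
    // ConcurrentDictionary only works while both apps run in one process;
    // replace it with a DB table keyed by the GUID when they are separate.
    static readonly ConcurrentDictionary<Guid, string> Store =
        new ConcurrentDictionary<Guid, string>();

    // ASP.NET side: call after LDAP authentication and the AD role lookup succeed.
    public static Guid Issue(string username, string[] roles)
    {
        var ticket = new AuthTicket
        {
            Username = username,
            Roles = roles ?? new string[0],
            ExpiresUtc = DateTime.UtcNow.Add(Lifetime)
        };
        var id = Guid.NewGuid();            // unguessable key, carries no user data
        Store[id] = Serialize(ticket);      // complex type serialised to the store
        return id;
    }

    // ASP.NET side: the only thing the browser ever sees is the GUID.
    public static void SetHandoffCookie(HttpResponseBase response, Guid id)
    {
        var cookie = new HttpCookie(CookieName, id.ToString("N"))
        {
            HttpOnly = true,   // not readable by page scripts
            Secure = true,     // only sent over HTTPS
            Path = "/",        // visible to the MVC app in the subfolder
            Expires = DateTime.Now.Add(Lifetime)
        };
        response.Cookies.Add(cookie);
    }

    // MVC side: resolve the cookie back to the stored ticket. The record is
    // removed on first use, so a replayed or stale cookie resolves to null.
    public static AuthTicket Resolve(HttpRequestBase request)
    {
        var cookie = request.Cookies[CookieName];
        Guid id;
        if (cookie == null || !Guid.TryParseExact(cookie.Value, "N", out id))
            return null;
        string json;
        if (!Store.TryRemove(id, out json))
            return null;
        var ticket = Deserialize(json);
        return ticket.ExpiresUtc > DateTime.UtcNow ? ticket : null;
    }

    // MVC side: authorisation check against the AD roles carried in the ticket.
    public static bool IsInRole(AuthTicket ticket, string adRole)
    {
        return ticket != null &&
               ticket.Roles.Any(r => string.Equals(r, adRole, StringComparison.OrdinalIgnoreCase));
    }

    static string Serialize(AuthTicket t)
    {
        var ser = new DataContractJsonSerializer(typeof(AuthTicket));
        using (var ms = new MemoryStream())
        {
            ser.WriteObject(ms, t);
            return Encoding.UTF8.GetString(ms.ToArray());
        }
    }

    static AuthTicket Deserialize(string json)
    {
        var ser = new DataContractJsonSerializer(typeof(AuthTicket));
        using (var ms = new MemoryStream(Encoding.UTF8.GetBytes(json)))
            return (AuthTicket)ser.ReadObject(ms);
    }
}
```

On the ASP.NET side, after the LDAP login and AD role filter succeed, call `AuthHandoff.SetHandoffCookie(Response, AuthHandoff.Issue(user, roles))` and redirect to the MVC app. On the MVC side, in the step where the generated login page would otherwise read the username and password textboxes, call `AuthHandoff.Resolve(Request)`; a non-null ticket means the user was authenticated seconds ago by the parent app, and its Roles array is what you map to the application's UserLevelID. Both `Request` and `Response` are HttpRequestBase/HttpResponseBase in MVC controllers and in Web Pages (Razor), so the same helper compiles on both sides.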
XGISAuthor Commented:
Hello julianH... thank you for the advice.  We will give it a go and I will get back to you with progress.
0
XGISAuthor Commented:
Hello julianH... we now have a filtered role from AD, which was somewhat painful... Now that we have authentication we also have the role, and will now target authorisation and subsequent MVC integration.
0
XGISAuthor Commented:
Thank you for your time...
0
Julian HansenCommented:
You are welcome - thanks for the points.
0