XGIS (asker):
How to Parse Login Details to MVC from ASP.NET

I have an MVC App in a subfolder of an ASP.NET App that authenticates using LDAP.  The MVC login code below allows for login via url.  What is the safest way to transfer this information without parsing textbox values in clear?  I also need to authorise from Roles stored in AD.  This would be a two step automated process.  Can anyone help with this process?

My login.cshtml

@functions {

	//
	// Page class (login)
	//
	public class clogin<C, S> : clogin_base<C, S>
		where C : cConnection, new()
		where S : cAdvancedSecurity, new()
	{

		//
		// Server events
		//

	}

	// login
	public static clogin<cConnection, cAdvancedSecurity> login {
		get { return (clogin<cConnection, cAdvancedSecurity>)ew_PageData["login"]; }
		set { ew_PageData["login"] = value; }
	}

	// CurrentPage
	public static clogin<cConnection, cAdvancedSecurity> CurrentPage {
		get { return (clogin<cConnection, cAdvancedSecurity>)ew_PageData["CurrentPage"]; }
		set { ew_PageData["CurrentPage"] = value; }
	}

	// CurrentTable
	public static clogin<cConnection, cAdvancedSecurity> CurrentTable {
		get { return CurrentPage; }
		set { CurrentPage = value; }
	}
}
@{
	Layout = "_layout.cshtml";

	// Header
	ew_Header(true);

	// Create page object
	if (login == null) {
		login = new clogin<cConnection, cAdvancedSecurity>();
	}

	// Page init
	login.Page_Init();

	// Page main
	login.Page_Main();
}
<script type="text/javascript">

// Write your client script here, no need to add script tags.
</script>
<script type="text/javascript">
var flogin = new ew_Form("flogin");

// Validate function
flogin.Validate = function()
{
	var fobj = this.Form;
	if (!this.ValidateRequired)
		return true; // ignore validation
	if (!ew_HasValue(fobj.username))
		return ew_OnError(this, fobj.username, ewLanguage.Phrase("EnterUid"));
	if (!ew_HasValue(fobj.password))
		return ew_OnError(this, fobj.password, ewLanguage.Phrase("EnterPwd"));

	// Call Form Custom Validate event
	if (!this.Form_CustomValidate(fobj)) return false;
	return true;
}

// Form_CustomValidate function
flogin.Form_CustomValidate = 
 function(fobj) { // DO NOT CHANGE THIS LINE!

 	// Your custom validation code here, return false if invalid. 
 	return true;
 }

// Requires js validation
flogin.ValidateRequired = @((EW_CLIENT_VALIDATE) ? "true" : "false");
</script>
<p><span id="ewPageCaption" class="ewTitle ewLoginTitle">@Html.Raw(Language.Phrase("LoginPage"))</span></p>
@{
	login.ShowPageHeader();
}
@{
	login.ShowMessage();
}
<form name="flogin" id="flogin" class="ewForm" action="@ew_CurrentPage()" method="post" onsubmit="return ewForms[this.id].Submit();">
<table class="ewFormTable">
	<tr>
		<td><span class="aspnetmaker">@Html.Raw(Language.Phrase("Username"))</span></td>
		<td><span class="aspnetmaker"><input type="text" name="username" id="username" size="20" value="@login.Username"></span></td>
	</tr>
	<tr>
		<td><span class="aspnetmaker">@Html.Raw(Language.Phrase("Password"))</span></td>
		<td><span class="aspnetmaker"><input type="password" name="password" id="password" size="20" /></span></td>
	</tr>
	<tr>
		<td>&nbsp;</td>
		<td><span class="aspnetmaker">
		<label><input type="radio" name="type" id="type" value="a" @(Html.Raw(login.LoginType == "a" ? " checked=\"checked\"" : "")) />@Html.Raw(Language.Phrase("AutoLogin"))</label><br />
		<label><input type="radio" name="type" id="type" value="u" @(Html.Raw(login.LoginType == "u" ? " checked=\"checked\"" : "")) />@Html.Raw(Language.Phrase("SaveUserName"))</label><br />
		<label><input type="radio" name="type" id="type" value="" @(Html.Raw(login.LoginType == "" ? " checked=\"checked\"" : "")) />@Html.Raw(Language.Phrase("AlwaysAsk"))</label>
		</span></td>
	</tr>
</table>
<br />
<span class="aspnetmaker"><input type="submit" name="btnsubmit" id="btnsubmit" value="@ew_BtnCaption(Language.Phrase("Login"))" /></span>
</form>
<br />
<p class="aspnetmaker">
</p>
<script type="text/javascript">
flogin.Init();
</script>
@{
	login.ShowPageFooter();
	if (EW_DEBUG_ENABLED) {
		ew_Write(ew_DebugMsg());
		ew_Write(ew_ElapsedTime(StartTime));
	}
}
<script type="text/javascript">

// Write your startup script here
// document.write("page loaded");

</script>
@{
	login.Page_Terminate();
}


Julian Hansen:

Is there a reason you can not use Sessions or Cookies to persist info between the two?
XGIS (asker):

It is not my strong point, to say the least. I have my AD roles being created today, so at least I will have roles to work against.  They are inside a "secure" domain, although any information should be encrypted in the cookie or hashed in their SQL DB State Server, not AD, which I doubt I would have write permissions to.   The Database application is constructed with ASP.NET Web Pages (Razor) in C# with support for .NET 4 and above.

I am not sure how to get the ASP.NET Web Pages (Razor) to read and interpret a cookie etc.

Julian Hansen:
This Microsoft article should give you a good overview of how to set and retrieve cookies in ASP.NET:

http://msdn.microsoft.com/en-us/library/ms178194.aspx

It should be as simple as
Response.Cookies["CookieName"].Value = "Value";
Response.Cookies["CookieName"].Expires = DateTime.Now.AddDays(1);



And

// Read the cookie back on a later request; Request.Cookies returns null if it was not sent
HttpCookie cookie = Request.Cookies["CookieName"];
if (cookie != null && cookie.Value == "Something") doSomething();


XGIS (asker):

Hello julianH... thank you for the feedback... My issue is specific to authentication and authorisation from ASP.NET to MVC Razor.  I am OK at getting data into cookies or session but not at transferring the information to Razor.   Session seems to be the safest compared to cookies because even in a domain browsers are not to be trusted with cookies and sensitive information.

I am trying to work out how the security apparatus of ASP.NET maker works to see where I can inject this information so that it accepts it. Windows authentication is out. I am sure the solution is simple but still evading me at present.
ASKER CERTIFIED SOLUTION
Julian Hansen:
XGIS (asker):

Hello julianH, thank you for your time. Please note we have a number of cookies now coming out of the ASP.NET app, eg ldapauth, Asp.NET Session and one other.  We have also planned one called DMPDB.  This is the same name as the cookie created by the MVC app after you authenticate.  From memory it contains the encrypted user and password details and is available for the session only.  We could probably parse that info to authenticate, eliminating the need for a query string.

Undoubtedly we will still have to use some custom code to match the AD role and UserLevelID and possibly parse it into session etc. I am sure that the integration of some logic along with the cookie may help resolve our issues.
Cheers Aaron
Julian Hansen:
> We could probably parse that info to authenticate, eliminating the need for a query string.

A query string is not advisable - any sensitive information should stay server side.

My approach would be to authenticate in the one system. Store the information in a file or database with a unique identifier (GUID) that is either stored in the session or a cookie.

Complex data types would be serialised to the data store (file / db) using the GUID as a key.

When the information needs to be retrieved again the GUID is used to pull the data from the data store. The data is unserialised into a memory object and you should be good to go.
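Worked example of the handoff Julian Hansen describes above, and of the cookie usage from his earlier reply: authenticate in one app, serialise the user record into a server-side store under a unique key, put only that key in the session or cookie, and on the MVC side use the key to pull the record back and deserialise it. This is added example code, not from the thread and not ASP.NET Maker's own code. The class names HandoffStore and HandoffTicket, the in-memory dictionary standing in for the shared file or database, and the sample user and role names are assumptions; the cookie name DMPDB is taken from the thread. The HttpCookie lines sit in a comment so the sample runs as a plain console program without System.Web.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Json;
using System.Security.Cryptography;

// Assumed data shape for the handoff: the authenticated user and the roles
// filtered from AD. No password is stored or transmitted at any point.
[DataContract]
public class HandoffTicket
{
    [DataMember] public string Username { get; set; }
    [DataMember] public List<string> AdRoles { get; set; }
    [DataMember] public long ExpiresUtcTicks { get; set; }  // stored as ticks to avoid DateTime.Kind surprises
}

// Server-side store keyed by an unguessable token. The ConcurrentDictionary stands
// in for the shared file or database both apps can reach (assumption); only the
// opaque token leaves the server, in the session or a cookie, never the data.
public class HandoffStore
{
    private readonly ConcurrentDictionary<string, byte[]> _rows =
        new ConcurrentDictionary<string, byte[]>();
    private readonly DataContractJsonSerializer _serializer =
        new DataContractJsonSerializer(typeof(HandoffTicket));

    // 32 bytes from the CSPRNG, URL-safe base64. A Guid is fine as a row id, but the
    // key that travels in a cookie must be unpredictable, so it is generated here.
    private static string NewToken()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Called by the app that performed the LDAP authentication. Serialises the ticket,
    // stores it under a fresh token and returns the token for the cookie or session.
    public string Issue(string username, IEnumerable<string> adRoles, TimeSpan lifetime)
    {
        var ticket = new HandoffTicket
        {
            Username = username,
            AdRoles = new List<string>(adRoles),
            ExpiresUtcTicks = DateTime.UtcNow.Add(lifetime).Ticks,
        };
        using (var ms = new MemoryStream())
        {
            _serializer.WriteObject(ms, ticket);
            var token = NewToken();
            _rows[token] = ms.ToArray();
            return token;
        }
    }

    // Called by the MVC app with the token it read from the cookie or session.
    // Single use: the row is removed on first redemption, so a replayed token yields
    // nothing. Expired rows are rejected and discarded as well. Returns null on failure.
    public HandoffTicket Redeem(string token)
    {
        byte[] payload;
        if (token == null || !_rows.TryRemove(token, out payload))
        {
            return null; // unknown, already used, or altered token
        }
        using (var ms = new MemoryStream(payload))
        {
            var ticket = (HandoffTicket)_serializer.ReadObject(ms);
            return ticket.ExpiresUtcTicks > DateTime.UtcNow.Ticks ? ticket : null;
        }
    }
}

public static class Program
{
    public static void Main()
    {
        var store = new HandoffStore();

        // Constructed sample: user and roles as the AD lookup would return them.
        string token = store.Issue("jsmith", new[] { "DMPDB_Readers", "DMPDB_Editors" }, TimeSpan.FromMinutes(2));

        // In the ASP.NET app the token, not the user data, goes into the cookie:
        //   var c = new HttpCookie("DMPDB", token) { HttpOnly = true, Secure = true };
        //   Response.Cookies.Add(c);

        var first = store.Redeem(token);
        Console.WriteLine(first != null
            ? "first redeem: " + first.Username + " roles=" + string.Join(",", first.AdRoles)
            : "first redeem: rejected");

        var replay = store.Redeem(token);
        Console.WriteLine(replay == null ? "replay: rejected (single use)" : "replay: accepted?!");

        string stale = store.Issue("jsmith", new[] { "DMPDB_Readers" }, TimeSpan.FromSeconds(-1));
        Console.WriteLine(store.Redeem(stale) == null ? "expired: rejected" : "expired: accepted?!");
    }
}
```

The two properties that make this safe to move between the two apps are that the cookie carries nothing a browser could leak beyond a random, short-lived, single-use key, and that the record itself only ever exists server-side, so there is nothing to encrypt on the client. Mapping the returned AdRoles onto the MVC app's UserLevelID, as the asker notes, is still a separate lookup that belongs on the MVC side after a successful Redeem.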
XGIS (asker):

Hello julianH.. thank you for the advice.  We will give it a go and I will get back to you with progress.
XGIS (asker):

Hello julianH.. we now have a filtered role from AD, which was somewhat painful. Now we have authentication we also have the role, and will now target authorisation and subsequent MVC integration.
XGIS (asker):

Thank you for your time...

Julian Hansen:
You are welcome - thanks for the points.