从桌面应用程序中打开网页，并以用户名和密码作为参数 [英] open webpage from within a desktop application with arguments as username and password

问题描述

我开发了一个asp.net Web应用程序，用户可以通过提供用户名密码来访问和登录.现在，我必须开发一个Windows窗体应用程序，其中用户还可以使用与我的Web应用程序相同的凭据登录.通过单击应用程序中的按钮，我希望它打开浏览器并将用户导航到Web应用程序，然后使用相同的凭据自动登录到我的Web应用程序.但是我的问题是如何将凭据传递到Web应用程序?

我正在使用Process.Start(" http://localhost:8080/myAppLogin.aspx ")以打开浏览器并加载我的登录页面.我可以将凭据以加密格式传递给查询字符串，但这听起来不像是一种安全的方法.我想使用一些更安全的方法将凭据传递到我的网页.

有什么建议吗?

此问题的编辑错误，并且丢失了一些有意义的信息.我已重新编辑下面的问题

修改

我开发了一个asp.net Web应用程序，用户可以通过提供用户名密码来访问和登录.现在我必须开发一个Windows Form应用程序.Win Form应用程序在文件中包含用户的Web App凭据.Win Form App中有一个按钮，我希望用户通过单击此按钮来登录到我的Web应用程序，例如单击Win Form应用程序中的按钮，我希望它打开浏览器并将用户导航到Web应用程序，然后自动登录到我的Web应用程序.但是我的问题是如何将凭据传递到Web应用程序?

我正在使用 Process.Start("http://localhost:8080/myAppLogin.aspx")打开浏览器并加载我的登录页面.我可以将凭据以加密格式传递给查询字符串，但这听起来不像是一种安全的方法.我想使用一些更安全的方法将凭据传递到我的网页.

有什么建议吗?

注意:我的Win Form应用程序无法访问我的Web App数据库.

解决方案

解决方案1:假设您要自己滚动

好的，所以我在这里假设WinForms应用程序和ASP.NET应用程序都可以访问同一数据库，正如您提到的，您可以从任一数据库登录.

在这种情况下，请使用以下字段创建一个表AuthTokens:

AuthToken用户名

创建WinForms和ASP.NET应用程序都已知的预共享密钥.

在Winforms应用程序中，像往常一样对用户进行身份验证.验证成功后:

1. 使用共享密钥==> userEncrypted加密用户名
2. 创建userEncrypted ==> authToken
的MD5哈希

将记录添加到AuthTokens表中

将INSERT插入AuthToken(AuthToken，用户名)VALUES(authToken，userEncrypted)

然后调用POST" http://localhost:8080/autoLogin ，并将authToken作为标头的一部分，或者正文(您的选择)，然后使用 PostRedirectGet模式将请求发送到您的WebForms应用程序.

然后在WebForms应用程序中:

1. 从POST检索authToken
2. 在AuthTokens表中找到authToken
3. 使用共享密钥==> unencryptedUserName
从表中解密UserName字段.
4. 使用unencryptedUserName登录用户
5. 成功/失败后，请重定向到您选择的GET页面.考虑所有条件-找不到令牌，解密用户的MD5与authToken等不匹配

注意:

• 执行POST意味着没有查询字符串，并且传递容易可见"的内容.嗅探您流量的人仍然可以看到
• 您永远不会存储任何未加密的内容-永远
• 您绝不会通过可逆的导线发送任何东西-永远
• 您只能发送MD5哈希，因为这是不可逆的
• 您仍然需要一个共享密钥(PSK)，这很麻烦.如果安全的话，您可以将其存储在数据库中

无论您做什么，都要确保在执行事情时要小心，因为很容易出错.

扩展名:

• 您可以查看可以避免使用PSK的公钥/私钥加密
• 您的通信应该是HTTPS，而不是HTTP
• 您可以聪明地使用auth令牌的到期时间-一次性使用，到期时间等.

解决方案2-使用 OAuth 正是针对您所描述的场景而设计的.

解决方案2.1-实施自己的身份验证服务

例如 https://github.com/IdentityServer/IdentityServer3 ，但还有其他内容./p>

解决方案3-查找可以为您执行单点登录和用户管理的SaaS解决方案

在这里，Google将成为您的朋友，因为在不违反SO政策的情况下，我无法推荐任何人.

I have a developed an asp.net web application which a user can access and login to by providing a username password. Now I have to develop a Windows Form Application in which the user can also login to using the same credentials as my web application. By clicking a button in the application, I want it to open the browser and navigate the user to the web application and automatically login to my web application with same credentials. But my problem is how do I pass the credentials to my web app?

I am using Process.Start("http://localhost:8080/myAppLogin.aspx") to open up the browser and load my login page. I can pass the credentials in query string with encrypted format but that doesn't sound like a safe method of doing it. I want to pass the credentials to my webpage with some more secure method.

Any suggestions?

This question was incorrectly edited and lost some meaningful information in it. I have re edit the question below

Edit

I have a developed an asp.net web application which a user can access and login to by providing a username password. Now I have to develop a Windows Form Application.The Win Form application contains the user's Web App Credentials in a File.There's a button in my Win Form App and I want the user to login into my web app by click onto this button e.g By clicking a button in the Win Form application, I want it to open the browser and navigate the user to the web application and automatically login to my web application. But my problem is how do I pass the credentials to my web app?

I am using Process.Start("http://localhost:8080/myAppLogin.aspx") to open up the browser and load my login page. I can pass the credentials in query string with encrypted format but that doesn't sound like a safe method of doing it. I want to pass the credentials to my webpage with some more secure method.

Any suggestions?

Note: My Win Form Application can't access my Web App Database.

解决方案

Solution 1: Assuming you want to roll your own

OK, so I am assuming here that both WinForms application and ASP.NET application have access to the same DB as you mention that you can log in from either.

So that being the case create yourself a table AuthTokens with the following fields:

AuthToken UserName

Create a pre-shared key that is known to both the WinForms and ASP.NET application.

In the Winforms app authenticate the user as usual. Upon successful authentication:

1. Encrypt the username with the shared key ==> userEncrypted
2. Create an MD5 hash of userEncrypted ==> authToken

Add record to AuthTokens table:

INSERT INTO AuthTokens (AuthToken, UserName) VALUES (authToken, userEncrypted)

Then call POST "http://localhost:8080/autoLogin with the authToken as part of the headers or body (your choice) and use the PostRedirectGet pattern to send the request to your WebForms application.

In the WebForms application you then:

1. Retrieve the authToken from the POST
2. Find the authToken in the AuthTokens table
3. Decrypt the UserName field from the table using the shared key ==> unencryptedUserName
4. Use the unencryptedUserName to log the user in
5. Upon success/failure do a redirect to the GET page of your choice. Take into account ALL conditions - token not found, MD5 of decrypted user does not match authToken etc. etc

Notes:

• Doing a POST means no query strings and passing stuff "easily visible". It will still be visible to someone sniffing your traffic
• At no point do you ever store anything unencrypted - EVER
• At no point do you ever send anything over the wire that is REVERSIBLE - EVER
• You only send an MD5 hash as this is not reversible
• You still need a shared secret key (PSK) which is a pain. You could store this in the DB if that was secure

Whatever you do make sure you are careful as you implement things as it is easy to get this wrong.

Extensions:

• You could look at public/private key encryption which would avoid the PSK
• Your communication should be HTTPS and not HTTP
• You could get clever with the expiry of the auth tokens - One time use, time expiry etc. etc.

Solution 2 - Use OAuth it was designed for exactly the scenario you describing.

Solution 2.1 - Implement your own authentication service

For example https://github.com/IdentityServer/IdentityServer3, but there are others.

Solution 3 - Find a SaaS solution that will do single sign on and user management for you

Google will be your friend here as I cannot recommend any without violating SO policies.

这篇关于从桌面应用程序中打开网页，并以用户名和密码作为参数的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！