远程登录页面，如Microsoft护照 [英] Remote logon page like Microsoft passport

问题描述

我们公司有一个用户数据库，用于在各个网站上对用户进行身份验证。


但是，我们的一些客户希望自己开发一个网站，并且

使用相同的数据库验证用户。


起初我是想创建一个接受用户名&

密码的WebService，如果它有效则返回。但是*非常重要的是

我们的客户不知道这些用户的密码。因为我们的客户

可以记录数据发送到网络服务，这显然不是一个好的想法。


所以我想我们需要的是像微软护照这样的系统用户

被重定向到另一个网站登录并返回到原始网址

之后。


什么是最好的方法网址之间沟通？应该很容易实现并且安全。


史蒂文


- - -

Hi,

Our company has a database of users that we use to authenticate users on
various websites.

However, some of our customers want to develop a website on their own and
use the same database authenticate users.

At first I was thinking to create a WebService that accepts username &
password and returns if it''s valid or not. But it is *very* important that
our customers don''t know the password of these users. Because our customers
could "log" the data send to the webservice, this is obviously not a good
idea.

So I guess what we need is a system like Microsoft passport where the user
gets redirected to another website to logon and returns to the original url
afterwards.

What would be the best way to communicate between urls? It should be easy to
implement and yet secure.

Steven

- - -

推荐答案

您可以随时执行此操作：


客户端Web表单应具有使用POST方法到您页面的操作表单<你的服务器中的
有2个表单（用户和密码）和2个隐藏的输入（clientID

和PostBackURL）

你的页面接受
通过POST clientID并检查是否有正确的

clientID来使用你的函数，如果ok接受用户和pwd，并且得到true或

false，并再次重定向到PostBackURL


************************************ *


或相同，但LOGIN页面在您的服务器中，您只接受，

ClientID和PostBackURL [或只有ClientID和来自数据库你知道在哪里

在认证良好后重定向用户]


使用这个他们永远不会知道你自己客户的用户名/密码


************************************* < br $>

....我什么都错过了？

希望这个想法正是你所需要的...


-


Bruno Alexandre

（葡萄牙人在K？benhanv，Danmark）

Steven Spits <无**** @ company.com> escreveu na mensagem

新闻：e3 ************** @ TK2MSFTNGP05.phx.gbl ...

you can always do this:

Client Web Form should have the action form using POST method to your page
in your server with 2 forms (user and pwd) and 2 hidden inputs ( clientID
and PostBackURL )

your page accepts by POST the clientID and check if there''s a correct
clientID to use your function, if ok accept user and pwd, and get true or
false, and redirect again to PostBackURL

*************************************

or have the same, but the LOGIN page is in your server and you only accept,
ClientID and PostBackURL [or only ClientID and from the DB you know where to
redirect the user after a good authentication]

using this they never know username/pwd from your own clients

*************************************

.... did I miss anything?
hope the idea is exactly what you need...

--

Bruno Alexandre
(a Portuguese in K?benhanv, Danmark)
"Steven Spits" <no****@company.com> escreveu na mensagem
news:e3**************@TK2MSFTNGP05.phx.gbl...

我们公司有一个用户数据库，用于在各个网站上对用户进行身份验证。

然而，我们的一些客户希望自己开发一个网站
使用相同的数据库对用户进行身份验证。

首先，我想创建一个接受用户名和密码的WebService，如果有效则返回。但是，我们的客户不知道这些用户的密码是非常重要的。因为我们的客户可以登录数据发送到网络服务，这显然不是一个好主意。

所以我想我们需要的是一个像微软护照这样的系统，用户
被重定向到另一个网站登录后返回原来的网址。

网址之间沟通的最佳方式是什么？它应该很容易实现并且安全。

史蒂文

- - -

Hi,

Our company has a database of users that we use to authenticate users on
various websites.

However, some of our customers want to develop a website on their own and
use the same database authenticate users.

At first I was thinking to create a WebService that accepts username &
password and returns if it''s valid or not. But it is *very* important that
our customers don''t know the password of these users. Because our
customers could "log" the data send to the webservice, this is obviously
not a good idea.

So I guess what we need is a system like Microsoft passport where the user
gets redirected to another website to logon and returns to the original
url afterwards.

What would be the best way to communicate between urls? It should be easy
to implement and yet secure.

Steven

- - -

Bruno，

Bruno,

客户端Web表单应该在您的服务器中使用POST方法将操作表单添加到您的页面
2个表单（user和pwd）和2个隐藏的输入（clientID
和PostBackURL）

你的页面通过POST接受clientID并检查是否有正确的
clientID来使用你的功能，如果确定接受用户和pwd，并得到true或
false，并再次重定向到PostBackURL


这种方式允许客户端在将输入发送给我们之前记录输入。所以不，

不是一个好主意。

或者有相同的，但LOGIN页面在你的服务器上，你只接受，ClientID和PostBackURL [或者只有ClientID和来自数据库的你知道在认证后重定向用户的地方]

使用它们他们永远不会知道来自你自己客户的用户名/密码

Client Web Form should have the action form using POST method to your page
in your server with 2 forms (user and pwd) and 2 hidden inputs ( clientID
and PostBackURL )

your page accepts by POST the clientID and check if there''s a correct
clientID to use your function, if ok accept user and pwd, and get true or
false, and redirect again to PostBackURL
This way would allow the client to log input before sending it to us. So no,
not a good idea.
or have the same, but the LOGIN page is in your server and you only
accept, ClientID and PostBackURL [or only ClientID and from the DB you
know where to redirect the user after a good authentication]

using this they never know username/pwd from your own clients

这就是我说像微软护照时的意思。但我仍然不知道如何确保安全？


例如，我如何在PostBackURL中测试用户是否经过身份验证

使用*我们的*登录页面？使用参数

（" http：//ClientServer/WebApp/Validated.aspx？UserID = 12345"）将是b / b
不安全，除非双方都写了一些代码来检查如果查询字符串没有被篡改（例如
http://aspnet.4guysfromrolla.com/art...083105-1.aspx）。但是我希望实现

尽可能简单，所以我不确定这是怎么回事

去...


史蒂文


- - -

This is what I meant when saying "like Microsoft passport". But I''m still
not sure how to make it secure?

For example, how do I test in PostBackURL that the user was authenticated
using *our* login page? Using parameters
("http://ClientServer/WebApp/Validated.aspx?UserID=12345") would be
insecure, unless both parties write some code to check if the querystring is
not tampered with (like
http://aspnet.4guysfromrolla.com/art...083105-1.aspx). But I want
implementation to be as easy as possible so I''m not sure this is the way to
go...

Steven

- - -

史蒂夫这就是为什么我告诉你使用POST而不是GET


POST不会在URL地址中给出值... GET


Web客户端应用程序：


< form name =" myform" ID = QUOT; myForm的" method =" POST"

action =" www.yourserver.com/loginpage.aspx">

< input type =" hidden"

value =" http：//www.ClientWebServer.com/user/default.aspx" name =" PostBackURL"

/>

< input type =" hidden"值" iux876xj"名称= QUOT;客户端ID" />

< a href ="＃" onclick =" document.myform.submit（）;">请点击这里

登录< / a>

< / form>


****************************************** ******** ******************

您在服务器中的loginpage.apx


<％

受保护的子Page_Load（ByVal发送者作为对象，ByVal e As

System.EventArgs）

将sClientID作为字符串调暗= request（ClientID）

如果sClientID什么都不是那么

if validateClientID（sClientID）然后

''一切正常，让显示登录页面给

用户，但在让我们保持PostBackURL

会话（RedirectTo）=请求（PostBackURL）之前）

其他

''clientID没有EXIST重定向用户

错误

response.redirect （" http：//www.ClientWebServer.com/user/default.aspx？error = 1"，

true）

结束如果

结束如果

结束子


受保护的子btnLogin_Click（ByVal发送者作为对象，ByVal e As

System.EventArgs）

''想象这是用户单击LOGIN按钮时的事件
此页面中的


dim sUser as string = fUser.text.tostring

dim sPwd as string = fPwd.text.tostring


如果validateUser（sUser，sPwd）那么

response.redirect（session） （PostBackURL），true）

else

myErrorLabel.Text ="无效的用户名/密码！ 

结束如果

结束次级

％>

得到它了吗？...


如果你还有怀疑，给我发一封电子邮件（br*********@gmail.com），我这个工作会给你2页。


-


Bruno Alexandre

（葡萄牙人在K？benhanv，Danmark）

Steven Spits <无**** @ company.com> escreveu na mensagem

新闻：uW ************** @ TK2MSFTNGP03.phx.gbl ...

steve that''s why I told you to use POST instead of GET

POST does not give values in the URL Address... on GET

Web Client Application:

<form name="myform" id="myform" method="POST"
action="www.yourserver.com/loginpage.aspx">
<input type="hidden"
value="http://www.ClientWebServer.com/user/default.aspx" name="PostBackURL"
/>
<input type="hidden" value"iux876xj" name="CLientID" />
<a href="#" onclick="document.myform.submit();">Please click here to
login</a>
</form>

************************************************** ******************
Your loginpage.apx in you server

<%
Protected Sub Page_Load(ByVal sender As Object, ByVal e As
System.EventArgs)
Dim sClientID as String = request("ClientID")
if sClientID isnot nothing then
if validateClientID( sClientID ) then
'' everything is ok, let''s show the login page to the
user, but before let''s keep the PostBackURL
session("RedirectTo") = request("PostBackURL")
else
'' the clientID does not EXIST redirect the user with an
error
response.redirect("http://www.ClientWebServer.com/user/default.aspx?error=1",
true )
end if
end if
End Sub

Protected Sub btnLogin_Click(ByVal sender As Object, ByVal e As
System.EventArgs)
'' imagine this is the event when the user click the LOGIN button
in this page
dim sUser as string = fUser.text.tostring
dim sPwd as string = fPwd.text.tostring

if validateUser(sUser, sPwd) then
response.redirect( session("PostBackURL"), true)
else
myErrorLabel.Text = "Invalid Username/Password!"
end if
End Sub
%>
got it?...

if you still have doubts, send me an email (br*********@gmail.com) and I
will send you 2 pages with this working.

--

Bruno Alexandre
(a Portuguese in K?benhanv, Danmark)
"Steven Spits" <no****@company.com> escreveu na mensagem
news:uW**************@TK2MSFTNGP03.phx.gbl...

Bruno，

Bruno,

客户端Web表单应该使用POST方法将操作表单添加到服务器的
页面，其中包含2个表单（用户和密码）和2个隐藏的输入（
clientID和PostBackURL ）你的页面通过POST接受clientID并检查是否有正确的
clientID来使用你的函数，如果ok接受用户和pwd，并且得到true或
false ，并再次重定向到PostBackURL

Client Web Form should have the action form using POST method to your
page in your server with 2 forms (user and pwd) and 2 hidden inputs (
clientID and PostBackURL )

your page accepts by POST the clientID and check if there''s a correct
clientID to use your function, if ok accept user and pwd, and get true or
false, and redirect again to PostBackURL

这种方式将允许客户端在将输入发送给我们之前记录输入。所以
不，不是一个好主意。

This way would allow the client to log input before sending it to us. So
no, not a good idea.

或者有相同的，但LOGIN页面在你的服务器中，你只接受，ClientID和PostBackURL [或者只有ClientID和来自数据库的你知道在认证后重定向用户的地方]

使用它们他们永远不会知道来自你自己客户的用户名/密码

or have the same, but the LOGIN page is in your server and you only
accept, ClientID and PostBackURL [or only ClientID and from the DB you
know where to redirect the user after a good authentication]

using this they never know username/pwd from your own clients

这就是我说像微软护照时的意思。但我还是不确定如何确保安全？

例如，如何在PostBackURL中测试用户是否已通过身份验证
使用*我们的*登录页面？使用参数
（http：//ClientServer/WebApp/Validated.aspx？UserID = 12345）将是不安全的，除非双方都写了一些代码来检查查询字符串是否是
未被篡改（如
http：// aspnet。 4guysfromrolla.com/art...083105-1.aspx）。但是我希望
实现尽可能简单，所以我不确定这是怎么回事......

史蒂文
- - -

This is what I meant when saying "like Microsoft passport". But I''m still
not sure how to make it secure?

For example, how do I test in PostBackURL that the user was authenticated
using *our* login page? Using parameters
("http://ClientServer/WebApp/Validated.aspx?UserID=12345") would be
insecure, unless both parties write some code to check if the querystring
is not tampered with (like
http://aspnet.4guysfromrolla.com/art...083105-1.aspx). But I want
implementation to be as easy as possible so I''m not sure this is the way
to go...

Steven

- - -

这篇关于远程登录页面，如Microsoft护照的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！