Here is the situation:
- C# Windows Forms application
- ASP.NET web application
- Both authenticate with a custom user table in the same database (username/password) and create a User object that is used throughout both applications
A user is logged into the Windows Forms application and we want to launch a URL to open a page in the ASP.NET web application in the default browser (IE, Chrome, Firefox, etc.). We want to pass the current username/password from the Windows Forms application to the ASP.NET web application in order to keep the user from having to log into the web application separately.
Based on our research, here are some options we have found (and the drawbacks):
- Pass username/password in URL as QueryStrings and create the User object in the web application
  - Not secure (password visible in URL)
- Create a temporary HTML page on the client machine that includes a JavaScript OnLoad function that POSTs username/password to the target URL and create the User object in the web application
  - (Could not find a way to POST data directly to a URL and display URL in default browser using C#)
  - Not secure (password visible in temporary page)
- Create a “Handoff” table to store username/password with a key that gets passed to the page via QueryString and deleted from the table when the page loads and create the User object in the web application
  - Small potential for key to be intercepted (hackers)
- Have a separate MongoDB that stores the User object and retrieve it in the web application
  - Separate software (MongoDB) running – additional point of failure
All of this is so that the user doesn’t have to type their username/password twice to log into both applications.
Which one of the above options would work best (most secure, least overhead/maintenance)?
OR
Is there a way to create a Forms Authentication ticket (cookie?) in the C# application that could be used by the default browser?
OR
Is there a better, secure method for handling this?
(edit)
OR
Is there a good argument for requiring the user to enter the username/password again to access the web application if they’re already authenticated from the Windows Forms application? If so, can you provide links to references? Best practices, web security standards, etc.
You could salt+MD5 the password and send it simply with the URL.
However, you should point to a script on the server first, which authenticates the user
and creates the appropriate cookies, and redirects to the desired page, now without the credentials in the URL. Edited: or basically do whatever you want to preserve the user's session.
Unfortunately, as long as passwords are involved, you can’t be 100% secure. Still, hashing a salted (salting is when you concatenate the password with some other string before hashing) password might be your best bet if somebody can get a visual on the passwords.
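The one-time handoff that the question lists as its third option, and the "point to a script on the server first, which authenticates the user, creates the cookies and redirects" flow in the answer above, as an added example that is not part of the original post and not code from either of the two applications. The logic is written in Python so it runs stand-alone; the ASP.NET port of the endpoint is a few lines around FormsAuthentication.SetAuthCookie. The base URL, the /handoff.ashx endpoint name, the 30-second TTL and the in-memory dictionary standing in for the Handoff table are all assumptions. The key property is that the browser only ever carries a random, single-use, short-lived token: the row stores SHA-256(token) rather than the token, no password or password hash is ever put in a URL, and the token is dead after one redemption or after the TTL, so a leaked URL (history, proxy log, shoulder surfing) is worthless.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, quote, urlparse

# Constructed values for the example; the real names and TTL are yours to choose.
WEB_APP_BASE = "https://intranet.example.com"  # assumption: the site is served over TLS
HANDOFF_PATH = "/handoff.ashx"                  # assumption: the server-side handoff endpoint
TOKEN_TTL_SECONDS = 30                          # long enough to launch a browser, no longer


@dataclass
class HandoffRow:
    username: str
    expires_at: float


class HandoffStore:
    """Stand-in for the Handoff table. Rows are keyed by SHA-256(token), so whoever
    reads the table (backup, DBA, injection elsewhere) gets nothing redeemable."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._rows: Dict[bytes, HandoffRow] = {}
        self._clock = clock

    @staticmethod
    def _key(token: str) -> bytes:
        return hashlib.sha256(token.encode("ascii")).digest()

    def issue(self, username: str) -> str:
        # 256 bits from the OS CSPRNG. The plaintext token exists only in the launched URL.
        token = secrets.token_urlsafe(32)
        self._rows[self._key(token)] = HandoffRow(username, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str) -> Optional[str]:
        # pop() deletes the row on every attempt, so a token is single-use even when it fails.
        row = self._rows.pop(self._key(token), None)
        if row is None or self._clock() > row.expires_at:
            return None
        return row.username

    def purge_expired(self) -> int:
        """Housekeeping for tokens whose browser launch never completed."""
        now = self._clock()
        stale = [k for k, r in self._rows.items() if now > r.expires_at]
        for k in stale:
            del self._rows[k]
        return len(stale)


# ---- Windows Forms side: the string handed to Process.Start() ----
def build_launch_url(token: str, return_to: str) -> str:
    return f"{WEB_APP_BASE}{HANDOFF_PATH}?t={quote(token, safe='')}&r={quote(return_to, safe='')}"


# ---- ASP.NET side: the handoff endpoint ----
def query_from_url(url: str) -> Dict[str, str]:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def safe_return_path(r: str) -> str:
    """Allow only same-site relative paths; '//evil' and absolute URLs fall back to '/'."""
    if not r.startswith("/") or r.startswith("//") or r.startswith("/\\"):
        return "/"
    p = urlparse(r)
    return "/" if p.scheme or p.netloc else r


def handle_handoff(store: HandoffStore, query: Dict[str, str]) -> Tuple[int, Dict[str, str], Optional[str]]:
    """Redeem the token, start the web session, redirect to a URL that no longer carries the token.
    Returns (status, response headers, authenticated username or None)."""
    username = store.redeem(query.get("t", ""))
    if username is None:
        return 302, {"Location": "/login", "Cache-Control": "no-store"}, None
    headers = {
        # In ASP.NET this is FormsAuthentication.SetAuthCookie(username, false); the raw header is shown here.
        "Set-Cookie": f"session={secrets.token_urlsafe(32)}; Secure; HttpOnly; SameSite=Lax; Path=/",
        "Location": safe_return_path(query.get("r", "/")),
        "Cache-Control": "no-store",
    }
    return 302, headers, username


if __name__ == "__main__":
    store = HandoffStore()
    url = build_launch_url(store.issue("alice"), "/reports?id=7")  # WinForms: Process.Start(url)
    print(url)
    print(handle_handoff(store, query_from_url(url)))              # first visit: 302 to /reports?id=7 as alice
    print(handle_handoff(store, query_from_url(url)))              # replay: 302 to /login
```

In the setup from the question both applications already share one database, so the Windows Forms application can insert the hashed row itself before calling Process.Start; if the client were not trusted with a database connection it would instead ask the web application for the token over an authenticated HTTPS request. The `r` parameter is validated before redirecting because a handoff endpoint that redirects wherever the query string says is an open redirector. Use the same TLS requirement for the handoff URL as for the login page, keep the TTL to seconds, and run purge_expired from a scheduled job so abandoned launches do not accumulate.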