Developer forum

Single sign-on to DW


Reply

Hi there,

We would like to offer a single sign-on from IntraNote to DW.

In our solution, users are automatically signed on when they have signed on to the company AD (Active Directory). We would, though, also like to provide single sign-on for the DW front-end.

In that connection, I need some input on how that could be done?

Thanks in advance.

Morten.

Replies

 
Reply

Dynamicweb supports Extranet login through AD too, but if you need to overrule the Dynamicweb login procedure, please take a look at this thread:

http://developer.dynamicweb.dk/Forum.aspx?action=ShowThread&ThreadID=16

It offers a solution that I think may match your requirements.

 
Reply
Hello again,

Is it possible to call a Dynamicweb extranet solution with a URL including login information?

In IntraNote we have the possibility of storing a DW username and a DW password, and would like to call a DW extranet solution with this information, so that the user does not need to log in.

Regards

Morten

 
Nicolai Høeg Pedersen
Reply

Happens to be very simple:


/Default.aspx?ID=1&Username=xxx&Password=xxx

 
Reply
I found it possible to use the described syntax, but when using this one, the username and password figure in the URL. Are there any ways to get around this? ... Encryption??

Thanks.

 
Nicolai Høeg Pedersen
Reply

Encryption is not possible as it is and would make very little sense, since you would still be able to log in with the encrypted username and password.

But you can hide the information from the URL and put it in the header instead using POST:










 
Reply
Thanks, but we are trying to create a link directly to the Dynamicweb site, and it is not possible to include the information above in such a link.

In the described solution above, I think it would be possible to "View source" and then still see the login information. Am I right?

Furthermore, I do not understand your answer regarding encryption (that it makes no sense). If you had a key that could decrypt the information we sent in the link, the decrypted data would include username and password that you could validate against your users. It would not be possible for anyone to grab the link and identify username and password.

Do you have any other ideas for how we can link to one of your sites without showing username and login?

Thanks in advance.



 
Nicolai Høeg Pedersen
Reply

Hi Mop

What I mean is that if I "as a hacker" get one of these URLs, both will give access.

/Default.aspx?ID=12&username=np&password=something

/Default.aspx?ID=12&username=np&EncryptedPassword=!"#¤%&//&¤#¤%&

Whether the password is in clear text or not - it still works. The only difference is that it is not human readable.

The only way of really protecting usernames and passwords in a login situation on a website is to implement a challenge/response technology where not even the encrypted username and password will be sent.

To solve your issue I've added a little feature to Dynamicweb which makes it possible to send the password encrypted.

Make a link like this:

/Default.aspx?ID=1&Username=np&PwToken=MD5Hash

The hash is created by making an MD5 of (password + "DwSecret")

This is a new feature - it is not yet released, but will be with the next update of Dynamicweb due Monday.




 
Reply
Thank you, that was very helpful :-)

Is it possible to use the same functionality on the back-end?

Thanks in advance.

 
Nicolai Høeg Pedersen
Reply
Not possible in the administration.
 
Reply

Hi NP,

I have tried to use the EncryptPassword feature, but it did not seem to work. Is it because our Portuguese servers are not using the latest service release? Since this has been here for a while, I do not know what version it prepared to do so!

Best Regards

//nuno

 
Reply
Hello again,

When creating this link with an MD5 Encryption included, would it then be okay if we URL-encode the link?

 
Reply

 


How do you require the MD5 hash? hex, base64 or urlencoded?

 
Reply
We have solved the problem... the MD5 is in hex.
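
The PwToken recipe from this thread (MD5 of password + secret, hex-encoded), next to a time-limited signed link, as an added example that is not Dynamicweb code and not part of any post. It assumes UTF-8 encoding and that "DwSecret" stands for the site's secret; `signed_token` and `verify_signed` are hypothetical helpers, not a Dynamicweb feature.

```python
import hashlib
import hmac
from urllib.parse import urlencode


def pw_token(password, secret="DwSecret"):
    # Recipe from the thread: MD5 of (password + secret), hex-encoded.
    # Assumptions: UTF-8 encoding; "DwSecret" stands in for the site's secret.
    return hashlib.md5((password + secret).encode("utf-8")).hexdigest()


def pw_token_link(page_id, username, password):
    # A hex digest contains only [0-9a-f], so URL-encoding leaves it unchanged;
    # the username is the field that may actually need escaping.
    query = urlencode({"ID": page_id, "Username": username,
                       "PwToken": pw_token(password)})
    return "/Default.aspx?" + query


# Hypothetical alternative, not a Dynamicweb feature: sign username and
# expiry time with a key shared by the linking and the receiving system.
def signed_token(username, expires_at, key):
    message = f"{username}|{expires_at}".encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_signed(username, expires_at, token, key, now):
    if now > expires_at:
        return False  # a captured link stops working after expiry
    expected = signed_token(username, expires_at, key)
    return hmac.compare_digest(expected, token)  # constant-time comparison


if __name__ == "__main__":
    # Constructed sample values.
    print(pw_token_link(1, "np", "constructed-password"))
    # Same inputs give the same token on every call: the link is a static credential.
    print(pw_token("constructed-password") == pw_token("constructed-password"))

    key = b"constructed-shared-key"
    token = signed_token("np", 1000, key)
    print(verify_signed("np", 1000, token, key, now=900))   # within validity
    print(verify_signed("np", 1000, token, key, now=1001))  # expired
```

Because `pw_token` depends only on the password and the secret, the same link works for whoever holds it until the password changes, which is the point made earlier in the thread about both URLs giving access.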


 

 
Finn Frost
Reply

I can't seem to get the encrypted version to work (perhaps I'm doing it wrong?):

The solution is running DW8.3.1.1

/Default.aspx?ID=2&username=FinnFrost&password=mypsd

Works, when password is not encrypted.

I can't seem to get the below to work:

/Default.aspx?ID=2&username=FinnFrost&EncryptedPassword=1fd406685cbdee605d0a7bebed56fdb0

Where password(encrypted) is taken/copied directly from the database.

Being able to use the MD5 hashed version of single sign-on would also do:

/Default.aspx?ID=2&username=FinnFrost&PwToken=theToken

Using Razor templates, I believe it would be possible to generate/display a URL for a specific user that would allow them to sign in using a URL like the one above?
Regarding the MD5 hashed version, wouldn't I need to know how to access the "DwSecret"?

I can read this was asked before: "Is it possible to use the same functionality on the back-end ?" where the reply was no. But now, with Razor, it's a different story, right?

Any help is much appreciated.

 

 

 
Jens Jakob Kristensen
Reply

Hi Nicolai,

Is it still possible to login to Extranet frontend on DW9 using URL string, like: /Default.aspx?ID=XXX&Username=YYY&Password=ZZZ

 
Nicolai Pedersen
Reply

Yes, that is possible.

 
Jens Jakob Kristensen
Reply

Hi Nicolai,

The 9.3 documentation states some changes in the login handler.

  • LoginHandler changes 
    (Cleanup and refac\API Refactoring)

http://doc.dynamicweb.com/releases-and-downloads/releases/release-notes/dw-9-3-release-notes

Do these changes have an effect on the possibility to login via URL with user login parameters?

Thank you in advance

 

 
Nicolai Pedersen
Reply

Hi JJ

Nope, the change is related to checking permissions for file download and getimage permissions

 
