Can I bypass a site's login page with a form POST? - asp.net

I am trying to integrate a product offered by a 3rd party into my web site. This 3rd party does not have the resources to make code changes for a single sign-on type of setup, so I am looking for a way to provide a similar user experience through some possible shortcuts. One that I am considering is to use an HTML POST to post the login credentials directly to the form on the login page, which would hopefully bypass the page altogether and direct the user directly to the home page fully authenticated. Does anyone know if this is possible, and if so, how would I go about it?

I don't think it's possible. I believe that most well-made authentication will have some sort of nonce in its form, which is essentially to ensure that unless you use their form to submit, the submission will be rejected.
And even if they currently don't have a nonce, in the future they might.
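The form nonce this answer describes, as an added example that is not part of the original post and not the third party's code: a stateless variant in which the login page embeds a token HMAC-bound to the visitor's pre-login session cookie, and the POST handler checks it before looking at credentials. The field name `form_token`, the cookie name `session` and the sample account are assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret (constructed here)
USERS = {"alice": "correct horse"}     # constructed sample account; plaintext only for brevity


def new_session_id() -> str:
    """Pre-login session identifier, sent to the browser as a cookie."""
    return secrets.token_urlsafe(16)


def _sign(session_id: str, nonce: str) -> str:
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_form_token(session_id: str) -> str:
    """Value for the hidden field, generated each time the login page is rendered."""
    nonce = secrets.token_urlsafe(16)
    return f"{nonce}.{_sign(session_id, nonce)}"


def token_is_valid(session_id: str, token: str) -> bool:
    nonce, sep, sig = token.partition(".")
    if not sep:
        return False
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    return hmac.compare_digest(sig.encode(), _sign(session_id, nonce).encode())


def handle_login_post(cookies: dict, form: dict) -> str:
    """Outcome of a login POST; the form token is checked before the credentials."""
    session_id = cookies.get("session", "")
    if not session_id or not token_is_valid(session_id, form.get("form_token", "")):
        return "rejected: missing or invalid form token"
    stored = USERS.get(form.get("username", ""))
    supplied = form.get("password", "")
    if stored is None or not hmac.compare_digest(stored.encode(), supplied.encode()):
        return "rejected: bad credentials"
    return "ok"
```

A form on another site that posts valid credentials straight to this handler is rejected, because it cannot produce a token bound to the visitor's session cookie.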

Related

Is there some logout hook in Plone 4?

I have a Plone-4.3-based site which provides access to another site as well: Whenever someone logs in to my site, (s)he can click on special hyperlinks and proceed to that other site without the need to enter a password there (some kind of simple SSO, based on a ReST interface).
Now I have the need to log the user out from that other site whenever (s)he logs out from my own site, e.g. by sending a special request which is of course not the topic of this question (perhaps it still needs to be implemented, because session expiration used to be good enough.)
How would I accomplish this, to be precise: Where would I hook in that secondary logout code? Is there some kind of logout hook, or should I modify some logout.[c]py view? I couldn't find any event or category mentioned in the Event types section here.
There is the Products.PlonePAS.events.UserLoggedOutEvent for such purposes.
As an example, it is explained at the Events Section of the Plone Addon Developer Guide

Confused about OpenID and ASP.NET

I don't want to add another username and ID to the world, so I really want to integrate openId into my web site. However, I am confused about it. I looked at various blogs about it, and they all point to DotNetOpenAuth. I plugged that in, but didn't get quite what I expected.
What I see is something like this (from Scott Hanselman's blog)
What I expected to see was the same sort of log on experience I have here at stackoverflow.com
I am obviously confused on what OpenID is. Can someone help clarify for me? Even better, can someone point out what I need to do to get that stackoverflow.com experience.
Thanks.
Think of Open ID as the concept of taking a provider's word that I am 'Joe'. There are many different providers you can use. Facebook, Twitter, Stackexchange, Google, Yahoo, and more. The UI you have is just using the OpenID provider. If you want a better UI, check out this jquery plugin, or this one.
The UI SO uses (and the two linked above) is really just eye candy. Conceptually they build a URL that your user will be sent to. Some require the username in the URL, others do not. If you are going to roll your own solution, you will need to know what every provider needs. If you use a prebuilt one, just go with it. :)
I did a blog post a while ago that walks you through implementing DotNetOpenAuth in an MVC site. What is important to note is the method ActionResult LogOn(string openid_identifier) takes the URL the provider needs, and redirects the user there. You will get this URL from one of those controls. If I remember correctly, it handles everything for you. All you do is tell it where to POST the form to.
Once you get a response back (the other LogOn method), you can process it. response.ClaimedIdentifier is basically the user's ID. It will be different for each user. If I log in using Google, AND Facebook, it will be different for both even though I am the same person. If you want your users to be able to log in with more than one, you will need to allow them to associate the logins, and code accordingly.
Ok so OpenID works by communicating with trusted OpenID providers (e.g. Google) to tell the site who you are. A write-up about Google's implementation can be found here http://www.readwriteweb.com/archives/google_clarifies_openid_implementation.php
Here is what I see when I click on Scott Hanselman's comment login system. http://imagebin.org/186528 Note how the OpenID textbox adds the url? I am pretty sure that all stackoverflow is doing is the same thing - but having a link to click rather than something less usable.

How to log in to LinkedIn automatically from an ASP.NET application?

I have created a username and password to enter and search people in LinkedIn. Now, I am developing a web application using ASP.NET. I need to open a popup page which displays the search results in LinkedIn as logged in.
When the popup page is displayed, I need to be logged in automatically using the username and password.
So, here is my question,
How do I log in automatically when the button is clicked in the ASP.NET application, using the LinkedIn username and password?
Thanks
The problem is twofold:
deciding which credentials to use
actually logging in
Logging in is fairly straightforward: post to LinkedIn's login URL in the manner that LinkedIn expects. Unfortunately, LinkedIn still does not have a public API, so this is going to require hackery. Go to a LinkedIn web page that allows login and analyze the page source. There will be field names for username and password in the login form, and the login form will post to a specific URL. Duplicate the username and password with a web request to the URL of the form. You will receive a cookie as part of the response. Make sure you include that cookie in future requests to LinkedIn and you are then "logged in" for every request.
Of far more importance than the actual logging in, which is a simple programming challenge, is deciding which credentials to use. I'm guessing that you're building an application for others to use, rather than yourself. If so, you'll need to ask them to give you their LinkedIn credentials. Beware: this is something that most people simply will not do. It's a trust issue; if they give you their credentials, you now have access to their profile and can do nefarious things with it. You'll need a good disclaimer explaining how you would never do that, ever, and you'll need the people who read it to believe you. Not as easy as it sounds.
If, however, this is just for you, you're on easy street. Just use your own credentials.

Post to Facebook Page via ASP.NET

I've seen this and this but before I sink a ton of time into it, I want to know if what I'm trying to do is possible. I have a Page on FB (not a profile, but a Page for business, websites, etc) and I want to post a story to it via my site automatically. I don't want to do anything else but that. I don't want to create an app (if I don't have to), just post to a Page. Is there an easy way to do this, or is this super complicated?
Also, if I have to build an app, what's the simplest way to go about this (the other guy's question was never answered)?
Thanks!
Yes, you will need to get a page access token. Simply use the user access token for an admin of the page and call me/accounts. There you will find a list of all the pages and apps administered by that user. Find the page, and in that object will be the page access token. Use that page access token and HTTP POST to me/feed with the post parameters set.
See also:
http://developers.facebook.com/docs/reference/api/page/
https://developers.facebook.com/docs/reference/api/permissions
http://developers.facebook.com/docs/authentication/
You could write a script to control a web browser. The script could log in then post the message... Use a library like WatiN to script the browser.
You are either going to have to make a Facebook Application, use Frank's method, or do some sniffing and figure out how the publisher works and login / post with cURL and cookies.
Also there is an application called "Blog RSS Feed Reader" if you wanted to go the RSS route.

ASP.NET, OpenID and registration confusion

I have managed to get all the authentication parts working, however I am confused about setting up registration.
By registration I mean that if the OpenID is not attached to an existing account, then a new account must be created.
Should I simply have it return to a registration page (with form fields for registration) and redirect to a different page if the user is registered?
Is there a way to set up a clean and simple registration flow without signing the user in first (FormsAuthentication.RedirectFromLoginPage) then checking if they are new on every page?
Sorry if this is worded badly, like most other things I ask it is difficult to explain!
Thanks
Ideally, no registration is required at all beyond simply an OpenID. Does your site require to know more than a user identifier to provide any functionality at all?
If your site can offer any services to users (even just informational) without asking for more than their identifier, which OpenID supplies, then don't have a registration page at all. This is by far the best for the users and will lower the barrier of entry to new users to your site. Then, when the user accesses a page that offers something that requires the user to give up more information about themselves, stick them with a registration page at that time.
If you must stick up a registration page for all new users, I suggest you do a check every time someone logs in with their OpenID. If you recognize the OpenID Claimed Identifier upon successful login, you just let them through... otherwise you create a database entry for them and redirect them to the registration form.
You can optimize the experience by using OpenID extensions such as Simple Registration or Attribute Exchange so that the user might get a pre-filled out registration form courtesy of the OpenID Provider, further streamlining the registration process.
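The login-time check described in this answer, together with the per-provider Claimed Identifier and login association mentioned in the earlier OpenID answer on this page, as an added example that is not part of either post. The `AccountStore` class, the `/register` and `/home` paths and the sample identifiers are hypothetical, and the store assumes the provider's assertion has already been verified by the OpenID library.

```python
from dataclasses import dataclass, field
from itertools import count


@dataclass
class Account:
    account_id: int
    registered: bool = False                 # True once the registration form is done
    identifiers: set = field(default_factory=set)


class AccountStore:
    """In-memory stand-in for the site's user table (hypothetical)."""

    def __init__(self):
        self._ids = count(1)
        self.accounts = {}                   # account_id -> Account
        self.by_identifier = {}              # claimed identifier -> account_id

    def _bind(self, account, claimed_identifier):
        account.identifiers.add(claimed_identifier)
        self.by_identifier[claimed_identifier] = account.account_id

    def on_openid_success(self, claimed_identifier):
        """Run on every successful login; returns (account, next_page)."""
        account_id = self.by_identifier.get(claimed_identifier)
        if account_id is None:
            # Unknown identifier: create the row now, collect details next.
            account = Account(next(self._ids))
            self.accounts[account.account_id] = account
            self._bind(account, claimed_identifier)
            return account, "/register"
        account = self.accounts[account_id]
        return account, ("/home" if account.registered else "/register")

    def complete_registration(self, account):
        account.registered = True

    def link_identifier(self, account, claimed_identifier):
        """Attach a second verified identifier to the signed-in account."""
        owner = self.by_identifier.get(claimed_identifier)
        if owner is not None and owner != account.account_id:
            return False                     # already bound elsewhere: refuse
        self._bind(account, claimed_identifier)
        return True
```

Refusing to link an identifier that already belongs to another account keeps one user from silently absorbing someone else's login.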
