Asp.net Memebership Authorization without password - asp.net

To authanticate users in Asp.net Membership we can call method
FormsAuthentication.Authenticate(username, password)
how can I do the same job (generate session, cookies and all other staff that Authanticate does) without users password?
I'm trying to login user over facebook connect. User's facebook id is stored within the users data. User should be signed in like a normal user.

I think you can use the SetAuthCookie method.
more info here http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.setauthcookie.aspx

Related

Login Control Authentication

I used membership API to create users and hashed the password in database. Because of the hashed password the Login control cannot authenticate as I'm now unable to set up the login control to convert the user password entered to "Hash" value before referencing the database.
I have tried exploring the Login control "Logging_in" event handler but I seem very confused on how to use it.
I will appreciate any help

Using Windows Live Id Authentication with my own login form

I want to use the Windows Live Id Authenticaiton in my Asp.Net/MVC web application, but I do not want to use the Login screen provided by Microsoft.
I want to have my custom page for login, take username and password from User and then send these credentials to the Windows Live ID, to Authenticate, and I get back the response if the user is authenticated or not.
Is this possible?
I want to have my custom page for login, take username and password from User and then send these credentials to the Windows Live ID, to Authenticate, and I get back the response if the user is authenticated or not.
You missed the point of single sign-on authentication. Using that, the user does not provide their credentials to your site, but to the SSO provider. That provider gives you a token which lets you act on behalf of the authenticated user.
The user's credentials are never received by your site.
So no, you cannot, nor should you want to, do this.

ASP.net + Login with facebook and aspnetdb authorisation

I am using the Facebook login api in my website, currently I am checking if the FB userid exist in my SQL Server database, if it does, the user is allowed to access my website else he will be directed to the Facebook registration plugin page.
The thing is I am also using aspnetdb which in my web.config authorisation, I block all users accept for users who are logged in and authenticated by the aspnetdb membership provider, hence my problem is for users who uses logs in successfully with Facebook gets block by my app's non-fb login page. How should I go about authenticating users who logs in via Facebook? Thanks.
Facebook login/registration API provides you with the FBUserid, it should be stored in your SQL server DB against the user. If a new user comes to your website and registers via FB, you should generate corresponding user in your database too with some default password (random and different for each user) You can provide the functionality that, if a user registered with FB wishes to user your application's login, you should send him the default password via email and ask him/her to change on first login.

ASP.Net and Facebook: Logging-in via ASP.Net

I want to enable Facebook authentication and the FB-Graph in my website, which already has forms authentication. Using http://multitiered.wordpress.com/2010/08/05/getting-started-with-the-facebook-c-sharp-sdk/, I was able to figure out how to login server-side.
However, the problem with this approach is that a secure cookie will not be created, since the call returns the authentication code in the querystring via a callback. This means that the user will have to login every time.
I can see two ways around this:
Store the access token in a secure cookie manually
Instead of the above approach, use the FB JS API to login - this stores a secure cookie with the access token automatically
I would prefer not to use the second approach, as I would like the login code to be server-side.
Which would be the better approach? Am I missing something?
I use the JavaScript method to first authenticate the user, the JS SDK then writes an encrypted cookie (called "fbs_[YourAppID]") when a connected user hits your page; using one of the many Facebook c# SDKs, this cookie can be decoded using your application secret giving you the user ID, oAuth token, expiry date etc.
Then I hook into the AuthenticateRequest event of my .NET application, check the presence of the cookie, decode if it found, and then find a user who has been assigned this facebook ID (your user table must have a extra field for storing the ID of their facebook account).
If a match is found, I write a normal forms authentication cookie for this user, then .NET will recognise them for all future requests. If no user is found, then this is a brand new user who has just connected. Use the SDK again to query the graph API using their oAuth token, get things like their name/email etc and create a new account, then issue a authentication token as normal.
By writing a normal authetication cookie, the user will stay logged into to your site for all requests, just as if they were a normal user.
One side point, when using email address, check for duplicates, and check for the facebook cookie in all requests. For example, an existing registered logged in user may have just connected.

Facebook 'secret' value, or Authenticating an app after facebook login / registration

I have an existing Spring application which I wish to also allow users to register / sign in through facebook.
The facebook sign-in is working fine, and is currently executed from the client using the Actionscript-Facebook API ( which is essentially a wrapper for the Facebook JS API).
However I'm unsure as to what is an appropriate approach for me to take in using the client-side authenticated session to authenticate against my own app server / session (ie., the Spring session).
In my own application, the user registers/authenticates with an email address & password.
My first thoughts in a facebook authenticated solution is to use the facebook email and secret values returned from the login call. These would be stored in my database when the user performs registration via facebook, (or specifically, a hash of secret) and using these to authenticate during login in the same manner as a regular login.
However, I'm unsure of what the secret value actually is, and whether it's a appropriate to use in this scenario. (The Facebook API seems unclear in what the return values of the login call actually mean)
Is this value bound to the user, or the session?
Does this value change, should the user change their password on Facebook?
Is this an appropriate value to store a hash of?
Finally, is there a more appropriate way of achieving this task?

Resources