authenticate user without logging them on

Posted by Community Admin on 03-Aug-2018 21:58

All Replies

Posted by Community Admin on 16-Sep-2011 00:00

We need to authenticate a user without logging them on.
It looks like the SecurityManager.AuthenticateUser methods all log on the user that the method authenticates.

What method can we use to authenticate a uid and pwd without logging that user on?

Thanks

Posted by Community Admin on 19-Sep-2011 00:00

2nd request

btw, we tried UserManager.GetPassword Method (String, String) but our pwds are hashed so we can't use that.

Any ideas on how we can authenticate a user w/o logging them in?

Posted by Community Admin on 21-Sep-2011 00:00

Hi Phil,

That's a tough one. Unfortunately, there is no way to have a user being authenticated but not being logged in. There's a simple logic behind that: if you have a user who is authenticated, he will count as a backend user, so he can access the site backend. In this line of reasoning, using SecurityManager.AuthenticateUser() will automatically register the cookie for your successful authentication and count the user as logged in. Can you please let us know the exact use case scenario you are trying to implement? Maybe we can come up with a workaround for this.

Greetings,
Boyan Barnev
the Telerik team

Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items

Posted by Community Admin on 21-Sep-2011 00:00

Neither of the users that are involved in this use case are backend users.

The logged in user is a student. They are taking lessons online. We have a widget in the page that has the answers to the student's questions in it. The answers are hidden but become visible if the student's guide (usually a parent) enters their (the guide's) uid and pwd.

So we send the uid and pwd that the guide enters to a webservice, where we want to verify that these are valid credentials. If the credentials are valid we display the answers. We want the student to stay logged on, though.

btw, we tried UserManager.GetPassword Method (String, String) but our pwds are hashed so we can't use that.

Posted by Community Admin on 22-Sep-2011 00:00

Hi Phil,

If the users do not belong to the backend users role, then they should not count towards the online backend users limitation of Sitefinity. In other words, you can use the built in functionality to authenticate your users and display the results only if the user is authenticated, since if they are not BackendUsers, they do not have permissions to view the site's backend.

Kind regards,
Boyan Barnev
the Telerik team

Posted by Community Admin on 22-Sep-2011 00:00

You wrote "In other words, you can use the built in functionality to authenticate your users and display the [ answer key widget's ] results"

What method(s) are you referring to when you say, "built in functionality"?  We have tried AuthenticateUser() and it logs the current user off - in our case, the student.

So, when neither of the users in our use case are backend users, what method(s) can we use to authenticate a user (the guide in our use case) without logging our student off?

Thanks

Posted by Community Admin on 23-Sep-2011 00:00

It's not great, but you can get the user by their username and compare the hashed password in the database with the password they enter (after you hash it by hand).

Posted by Community Admin on 23-Sep-2011 00:00

Hello Eric,

By the built in functionality I meant to configure widget permissions, so that the results can be visible only to a certain role (in other words to split the answers into a different widget, that can be dropped onto the page, and set its permissions as per the suggestion above).


Greetings,
Boyan Barnev
the Telerik team

Posted by Community Admin on 23-Sep-2011 00:00

uh, it wasn't Eric w the question it was me.  :-) 

Anyway.  I understand what you are saying about making the answers a separate widget.  Thanks.  But I can't just make the answers available to any guide.

So, I think your recommendation leaves me w the same problem: I still have to ask the guide for their credentials and I still have to authenticate those credentials, and, so far, I haven't found any way to authenticate the guide's credentials w/o logging the student off.

So, when neither of the users in our use case are backend users, what method(s) can we use to authenticate a user (the guide in our use case) without logging our student off?

Posted by Community Admin on 23-Sep-2011 00:00

Hello Phil,

I'm sorry about the confusion with the names. Just to make sure we're on the same track here, are you trying to authenticate the guide in the same browser where the student is already logged in? If that's the case, unfortunately there's no way for this functionality to work, as the authentication cookie is persisted in the browser, so in order to authenticate the other user and persist the cookie, it will need to replace the first user's (the student's) cookie. However, this should work without problems when using two different browsers on the same machine. Looking forward to your reply.

Kind regards,
Boyan Barnev
the Telerik team

Posted by Community Admin on 23-Sep-2011 00:00

Thanks for the quick reply.  Crystal clear - re the browser, the cookie, etc.

How about this: we send the guide's uid and pwd to a web service (that we write). In the web service we authenticate the credentials and return Authenticated or NotAuthenticated. The idea being that we are isolating the AuthenticateUser() method in another thread.

Is this approach improved if the web service is on another machine - a machine other than our web server?

Posted by Community Admin on 23-Sep-2011 00:00

This is what I was thinking. You'd have to fill in the guts of the HashedPassword function. I could send you the function, I just wasn't sure it'd be proper to post it. This code would authenticate the user without logging them in (or logging anyone out).

protected void btnAuthenticate_Click(object sender, EventArgs e)
{
    // Reveal the answers only when the guide's credentials check out.
    if (AuthenticateUser(txtUsername.Text, txtPassword.Text))
        ShowAnswers();
}

private bool AuthenticateUser(string username, string password)
{
    // Look the user up and compare hashes; no login cookie is issued.
    User user = UserManager.GetManager().GetUser(username);
    return user != null && user.Password == HashedPassword(password, user.Salt);
}

private string HashedPassword(string plaintext, string salt)
{
    ...
}

Posted by Community Admin on 23-Sep-2011 00:00

Hello Phil and Eric,

I'm not quite sure whether this approach will work out for you guys. I mean, it solves the multithreading not being allowed problem; however, a call to Login() will be made eventually when using AuthenticateUser(). However, if I got Phil's use case scenario properly, it looks like he just needs to perform a check whether the entered credentials are valid, in order to display the results (in other words, you don't actually need to have the user as a logged in user, you want to perform a username/password check). Please do not hesitate to correct me if I'm wrong in assuming the previous statement, but if that's the desired functionality, wouldn't ValidateUser() serve you better?

Kind regards,
Boyan Barnev
the Telerik team

Posted by Community Admin on 23-Sep-2011 00:00

There it is.  Thanks.

We were in the SecurityManager namespace using SecurityManager.AuthenticateUser(-overloads-)

and didn't see  UserManager.ValidateUser(userName, userPwd)

Thanks again.
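
An added example, not part of the original thread and not Sitefinity code: a credential check for the guide that issues no cookie and leaves the student's session alone, with per-username failure throttling because the check is reachable from the student's browser. `GuideCredentialCheck`, its members and the sample credentials are hypothetical; the delegate stands in for the `UserManager.ValidateUser(userName, userPwd)` call named above, and the code assumes C# 7 or later.

```csharp
using System;
using System.Collections.Concurrent;

// Hypothetical helper (added example): checks a second user's credentials
// without issuing a cookie or changing who is logged in.
public sealed class GuideCredentialCheck
{
    private readonly Func<string, string, bool> validate; // stand-in for ValidateUser
    private readonly int maxFailures;
    private readonly TimeSpan lockout;
    private readonly ConcurrentDictionary<string, (int Failures, DateTime LockedUntil)> state =
        new ConcurrentDictionary<string, (int, DateTime)>(StringComparer.OrdinalIgnoreCase);

    public GuideCredentialCheck(Func<string, string, bool> validate,
                                int maxFailures = 5, int lockoutMinutes = 15)
    {
        this.validate = validate ?? throw new ArgumentNullException(nameof(validate));
        this.maxFailures = maxFailures;
        this.lockout = TimeSpan.FromMinutes(lockoutMinutes);
    }

    // True only for valid credentials on a username that is not locked out.
    public bool Check(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password)) return false;
        DateTime now = DateTime.UtcNow;
        if (state.TryGetValue(userName, out var s) && s.LockedUntil > now) return false;
        if (validate(userName, password))
        {
            state.TryRemove(userName, out _);
            return true;
        }
        // Count the failure; lock the username once the limit is reached.
        (int, DateTime) Next(int failures) =>
            failures >= maxFailures ? (0, now + lockout) : (failures, DateTime.MinValue);
        state.AddOrUpdate(userName, _ => Next(1), (_, old) => Next(old.Failures + 1));
        return false;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed credentials; a real delegate would call the platform's validator.
        var check = new GuideCredentialCheck((u, p) => u == "guide1" && p == "constructed-pw", 3);
        for (int i = 0; i < 3; i++) Console.WriteLine(check.Check("guide1", "wrong"));
        Console.WriteLine(check.Check("guide1", "constructed-pw")); // username is locked at this point
    }
}
```

The failure counters live in process memory here, so a deployment with several web servers would need a shared store for them.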

This thread is closed