Steven King

Reputation: 580

Pass username/password from Windows Forms application to an ASP.NET web application

Here is the situation:

A user is logged into the Windows Forms application and we want to launch a URL to open a page in the ASP.NET web application in the default browser (IE, Chrome, Firefox, etc.). We want to pass the current username/password from the Windows Forms application to the ASP.NET web application in order to keep the user from having to log into the web application separately.

Based on our research, here are some options we have found (and the drawbacks):

All of this is so that the user doesn't have to type their username/password twice to log into both applications.

Which one of the above options would work best (most secure, least overhead/maintenance)?

OR

Is there a way to create a Forms Authentication ticket (cookie?) in the C# application that could be used by the default browser?

OR

Is there a better, secure method for handling this?

(edit)

OR

Is there a good argument for requiring the user to enter the username/password again to access the web application if they're already authenticated from the Windows Forms application? If so, can you provide links to references? Best practices, web security standards, etc.

Upvotes: 1

Views: 5159

Answers (2)

Gene S

Reputation: 2773

In addition to what Máté Gelei has contributed, you could also include a timestamp in the URL and check to make sure the timestamp falls within a few seconds of the current time. This is a little added protection and ensures the login attempt becomes invalid very quickly. Of course, you would want to somehow hide the purpose of this to make it a bit more secure.

This does not make it 100% secure, but it does add one more level of protection.

Upvotes: 1

Máté Gelei

Reputation: 869

You could salt+MD5 the password and send it simply with the URL.

However, you should point to a script on the server first, which authenticates the user and creates the appropriate cookies, and redirects to the desired page, now without the credentials in the URL.

edited: or basically do whatever you want to preserve the users' session

Unfortunately, as long as passwords are involved, you can't be 100% secure. Still, hashing a salted (salting is when you concatenate the password with some other string before hashing) password might be your best bet if somebody can get a visual on the passwords.

  1. You generate the password hash, with salt.
  2. You send it to be processed (I usually just put it into the URL of a separate script, but it's a matter of preference.)
  3. You generate a hash with the same salt on the server and check it against the submitted one.
  4. Authenticate the user and redirect to the original location.

Upvotes: 2
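The handoff that the two answers describe (a hash the server recomputes, plus Gene S's short timestamp window), as an added example that is not from either answer and not from any ASP.NET library. It is a language-neutral sketch in Python: the "desktop" side builds the launch URL and the "server" side verifies it. One technique is swapped in: instead of a salted MD5 of the password, the token is a keyed HMAC over username, timestamp and a random nonce with a shared secret (constructed here), so nothing password-derived is ever placed in the URL, and the nonce cache rejects a replayed URL. The secret, the 30-second window and the in-memory nonce set are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo secret: in practice provisioned to both applications out of band.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
MAX_SKEW_SECONDS = 30          # assumed acceptance window (Gene S's "few seconds" idea)
_used_nonces = set()           # server-side replay cache; a real deployment would expire entries


def _mac(username, ts, nonce):
    """Keyed hash over the token fields; only the holder of SHARED_SECRET can produce it."""
    msg = f"{username}|{ts}|{nonce}".encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def build_handoff_url(base_url, username, now=None):
    """Desktop side: build the URL to launch in the browser. The password never leaves the client."""
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(16)
    query = urlencode({"u": username, "t": ts, "n": nonce, "m": _mac(username, ts, nonce)})
    return f"{base_url}?{query}"


def verify_handoff(url, now=None):
    """Server side: return the username if the token is fresh, authentic and unused, else None."""
    params = parse_qs(urlparse(url).query)
    try:
        u, ts, n, m = params["u"][0], int(params["t"][0]), params["n"][0], params["m"][0]
    except (KeyError, ValueError, IndexError):
        return None
    current = now if now is not None else time.time()
    if abs(current - ts) > MAX_SKEW_SECONDS:      # expired or clock too far off
        return None
    if not hmac.compare_digest(m, _mac(u, ts, n)):  # tampered fields or wrong secret
        return None
    if n in _used_nonces:                          # same URL presented twice
        return None
    _used_nonces.add(n)
    return u
```

The endpoint that calls `verify_handoff` would then create the Forms Authentication session and redirect to the requested page, so the token-bearing URL is not the one the user bookmarks or shares.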
