

Hard Sign-In: Step By Step

There is more than one way to implement Microsoft® .NET Passport on your site. The method that is right for your site depends on the user experience you wish to present. Hard sign-in is a technique that requires a user to be signed in before any page content is shown. If users visit the page and are not signed in, they are redirected to the Login server. After they have been authenticated, the Login server redirects them back to your page, which is then displayed because they are now authenticated.

Implementing Hard Sign-In

The following are the basic coding steps used to implement hard sign-in:

  1. Obtain the PassportIdentity server-side object for the current request. In ASP.NET this is usually done by casting the current User.Identity to PassportIdentity, as shown in the following example. The cast succeeds only when the application's authentication mode is set to Passport in Web.config, so that the Passport authentication module has populated the user identity.

    PassportIdentity oMgr;
    oMgr = (PassportIdentity)User.Identity;

  2. If the user has just returned from the .NET Passport server, the query string contains authentication-related data that should not be left in the address bar, browser history, or referrer headers. To determine if the user is coming from the Login server, check the GetFromNetworkServer property of the PassportIdentity object. This property is True if the user was redirected to the current page from the .NET Passport server. To clear the query string, redirect the user to the URL of the current page without it; the page is reloaded, and the ticket is now carried in the cookie rather than the query string.

  3. Call the GetIsAuthenticated method of PassportIdentity. When called with no arguments, this method returns True if the user has a valid, unexpired .NET Passport Ticket cookie. If the iTimeWindow parameter is provided, the ticket must also have been issued or refreshed within that many seconds; if True is additionally supplied as the fForceLogin parameter, the method returns True only if the user has manually signed in within the specified time window.

  4. If the user is not authenticated (that is, GetIsAuthenticated returns False), redirect the user to the .NET Passport Login server using the LoginUser method of the PassportIdentity object. After the user is authenticated, the Login server redirects the user to the address specified by the strReturnURL parameter in the LoginUser call. It is common practice for a script to supply its own address as the strReturnURL parameter so that after users sign in, they are redirected back to the page they were trying to view before being directed to the Login server.

  5. Verify that the user has given your site consent to use his or her .NET Passport profile information. Users' .NET Passport Unique IDs (PUIDs) and their consent status for your site should be stored by your site in a database. After the user has been authenticated, check the database to retrieve the user's consent status. If consent has not been given, direct the user to a page you supply that asks the user for consent and, if granted, stores the information in the database. (Typically, the consent page returns the user to the calling page after the database entry has been made.) The database query and the consent page are not included in the following example. For more information, see Adding a Personal Consent Page.

  6. Display the .NET Passport link on the page by calling the LogoTag2 method of the PassportIdentity object. Because of the structure of a page that implements hard sign-in, the user must be signed in to reach the LogoTag2 call, so the .NET Passport link always displays Sign Out.

    The two overloads of the LogoTag2 method accept a strReturnURL parameter that indicates the address to which the Login server should redirect the user. When the user is signed in (that is, Sign Out is displayed), the strReturnURL parameter should be your site's sign-out script. For more information about creating a sign-out script, see Implementing Sign-Out and Deleting Cookies.

Example Code for Hard Sign-In

The following is an example of an ASP.NET page that uses hard sign-in.

<%@ Page Language="C#" %>
<%
PassportIdentity oMgr;
oMgr = (PassportIdentity)Context.User.Identity;


string thisURL, logoutURL;

// The URL of this page. SERVER_NAME may be derived from the request's
// Host header, so a production site should build these URLs from a
// configured host name rather than from request data.
thisURL = "https://" + Request.ServerVariables.Get("SERVER_NAME") +
   Request.ServerVariables.Get("SCRIPT_NAME");

// The URL of the sign-out page.
logoutURL = "https://" + Request.ServerVariables.Get("SERVER_NAME") +
   "/logoutuser.htm";


if (oMgr.GetFromNetworkServer) {
   // The ticket has just arrived in the query string; reload the page
   // without it so the ticket data lives only in the cookie.
   Response.Redirect(thisURL);
}

// The ticket must have been issued or refreshed less than one hour
// (3600 seconds) ago or it is considered stale. The time window
// parameter is optional.
if (!oMgr.GetIsAuthenticated(3600, false, false)) {

   // Either get a new ticket or refresh an existing stale one.
   // Either case does the same thing: redirect to the Login server.
   oMgr.LoginUser(thisURL, 3600, false, null, -1, null, -1, false, null);

   // Nothing below must run for an unauthenticated user, even if the
   // redirect did not end the response.
   return;
}

// Determine the user's PUID from the two 32-bit halves in the profile.
string memberidhigh, memberidlow;
memberidhigh = oMgr.GetProfileObject("MemberIDHigh").ToString();
memberidlow = oMgr.GetProfileObject("MemberIDLow").ToString();

// Check for this user's record in your consent database.
// ConsentIsInDatabase and AddPUIDToConsentDatabase are supplied by the
// participating site (for example in a <script runat="server"> block or
// code-behind) and determine or record a user's consent status on the site.
if (!ConsentIsInDatabase(memberidhigh, memberidlow)) {

   if (oMgr.TimeSinceSignIn < 10) {
      // The user clicked Sign In to enter your site,
      // providing implicit consent, so no consent page
      // is necessary.
      AddPUIDToConsentDatabase(memberidhigh, memberidlow);

   } else {

      // The user has not given consent: show the consent page.
      // The return address is passed as a query string parameter,
      // so it must be URL-encoded.
      Response.Redirect("https://" + Request.ServerVariables.Get("SERVER_NAME") +
         "/gather_consent.asp?returnTo=" + Server.UrlEncode(thisURL));

      // gather_consent.asp presents the consent UI. If consent is
      // given, it makes the database entry and redirects back to
      // this page using the returnTo parameter.

   }

}



// This link always displays Sign Out here: if the user needed to sign in
// or had not given consent, he or she would have been redirected away
// before reaching this point.

Response.Write(oMgr.LogoTag2(logoutURL,3600,false,null,-1,false,null,-1,false));
Response.Write("<HR>");



// Display all the content that is protected by
// .NET Passport authentication.
Response.Write("Welcome.  Begin your page's content here.");
%>
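The consent page that step 5 and the redirect above rely on (gather_consent) is not part of the original page. The following is an added example of what such a page could look like as an ASP.NET page; it is not Microsoft's code. It assumes Passport authentication mode is configured in Web.config, uses a placeholder host name (www.example.com) that you replace with your site's configured host, and uses Application state in place of the consent database. The returnTo check is the point of the example: because the calling page passes its own URL in the query string, the consent page must redirect only to an absolute HTTPS address on its own host; otherwise it can be used to send a signed-in user to an arbitrary site.

```aspx
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Web.Security" %>
<script runat="server">
// Added example of a consent page for hard sign-in; not code from the
// original page. SiteHost is a placeholder: set it to your site's
// configured host name rather than reading it from the request.
const string SiteHost = "www.example.com";
const string DefaultReturn = "https://" + SiteHost + "/default.aspx";

// Accept returnTo only if it is an absolute https URL on this host, so
// the consent page cannot be used as an open redirect.
static bool IsSafeReturnUrl(string returnTo)
{
    Uri target;
    if (string.IsNullOrEmpty(returnTo) ||
        !Uri.TryCreate(returnTo, UriKind.Absolute, out target))
        return false;
    return target.Scheme == Uri.UriSchemeHttps &&
           string.Equals(target.Host, SiteHost, StringComparison.OrdinalIgnoreCase);
}

// Application state stands in for the consent database in this example.
// The key is the PUID as its MemberIDHigh:MemberIDLow pair.
static string PuidKey(PassportIdentity id)
{
    return "consent:" + id.GetProfileObject("MemberIDHigh") + ":" +
           id.GetProfileObject("MemberIDLow");
}

void Page_Load(object sender, EventArgs e)
{
    PassportIdentity oMgr = (PassportIdentity)Context.User.Identity;
    string thisURL = "https://" + SiteHost + Request.Path;

    // Same hard sign-in rule as the calling page: no consent UI for
    // anonymous users.
    if (!oMgr.GetIsAuthenticated(3600, false, false))
    {
        oMgr.LoginUser(thisURL, 3600, false, null, -1, null, -1, false, null);
        return;
    }

    // The query string survives the postback, so the validated value is
    // recomputed on every request and never trusted unvalidated.
    string returnTo = Request.QueryString["returnTo"];
    if (!IsSafeReturnUrl(returnTo))
        returnTo = DefaultReturn;

    if (IsPostBack && Request.Form["consent"] == "yes")
    {
        Application.Lock();
        Application[PuidKey(oMgr)] = true;   // record consent for this PUID
        Application.UnLock();
        Response.Redirect(returnTo);
    }
    else if (IsPostBack)
    {
        // Consent declined: do not record anything, and do not send the
        // user back to the protected page.
        Response.Redirect(DefaultReturn);
    }
}
</script>
<html>
<body>
<form runat="server" method="post">
  <p>This site would like to use your .NET Passport profile information. Do you consent?</p>
  <input type="submit" name="consent" value="yes" />
  <input type="submit" name="consent" value="no" />
</form>
</body>
</html>
```

A site-supplied ConsentIsInDatabase helper in the calling page would read the same Application key (or, in production, the same database row) that this page writes. Keeping the host comparison against a configured value rather than Request.Url.Host matters: the Host header is attacker-controlled, so validating a redirect target against it would let the check be bypassed.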

See Also

Passport PassportIdentity Object | Soft Sign-In: Step By Step | PassportIdentity.IsAuthenticated | PassportIdentity.LoginUser | PassportIdentity.LogoTag2 | PassportIdentity.AuthUrl2