DNN Community Blog

DotNetNuke Web Service Authentication Methods

When using web services with DotNetNuke, there are three primary methods to secure the web services that I use:

  • Using HTTP Context – When a user logs into your DotNetNuke website, their web browser is given an “authentication token” in the form of a cookie. Web service calls made using Ajax or Silverlight use this cookie for authentication. This cookie will “time out” like a normal login if it is not used for a period of time (usually 20 minutes).
  • Using a “Custom Token” – This provides a token that won't time out.
  • Authenticating Manually – IWeb uses this method to allow you the most flexible authentication.


Using HTTP Context

This is the simplest method. You can download a simple module that demonstrates this at this link.

First, the user must be using a web browser (this includes Ajax), or a plug-in running in a web browser such as Silverlight (this does not cover Silverlight running out of browser or on Windows Phone 7).

Next, you just use a web method such as this:

public string GetUsername()
{
  string strUsername = "World!";
  // Get the current user from the HTTP context (the authentication cookie)
  UserInfo objUserInfo = UserController.GetCurrentUserInfo();
  // If the UserID is not -1 they are logged in
  if (objUserInfo.UserID > -1)
  {
    strUsername = objUserInfo.DisplayName;
  }
  return strUsername;
}

That's it. If they are logged in, their UserID will be greater than -1. The problems with this method:

  • They will time-out if they have not made any calls, and their IIS authorization token has expired
  • This will not work with any non web browser (or web browser plug-in) situation


Authentication Using Custom Token

A special “user authentication token” is created and passed to the Silverlight application:

objUser = DotNetNuke.Entities.Users.UserController.GetCurrentUserInfo();
string strSilverlightPassword = Authendication.SetSilverlightKey(objUser, ModuleId, strIPAddress);

The application uses this password on all web service calls. The advantage of this approach is that the password will not “time out”. The user can keep the screen open for hours and never need to log in again. Also, their real password is not transmitted over the network.

The “SetSilverlightKey” code is a bit complex, because it contains code that prevents a hacker from trying to guess passwords (scrambles the password on each bad attempt), or locking a user out by guessing wrong (it tracks the last IP address a user has used, and only scrambles a password if it came from the same IP “block” that the user last logged on to). It also prevents a hacker from using the correct password if it comes from a different IP block.
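
The behaviour just described, as an added example that is not the SetSilverlightKey source and not code from the original post: a key is bound to the IP block it was issued to, a correct key from another block is rejected, and a wrong guess scrambles the stored key only when it comes from the user's own block. SessionKeyStore and its members are hypothetical names, and treating the first three IPv4 octets as the “block” is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added sketch of the behaviour described above; not the SetSilverlightKey source.
// SessionKeyStore and its members are hypothetical names.
public class SessionKeyStore
{
    private class Entry { public string Key; public string IpBlock; }
    private readonly Dictionary<string, Entry> entries = new Dictionary<string, Entry>();

    // Assumption: an "IP block" is the first three octets of an IPv4 address.
    private static string IpBlock(string ip)
    {
        int lastDot = ip.LastIndexOf('.');
        return lastDot > 0 ? ip.Substring(0, lastDot) : ip;
    }

    private static string NewKey()
    {
        byte[] bytes = new byte[32];
        RandomNumberGenerator.Create().GetBytes(bytes); // cryptographic RNG
        return Convert.ToBase64String(bytes);
    }

    // Compare without stopping at the first differing character.
    private static bool SameKey(string a, string b)
    {
        if (a == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public string Issue(int userId, int moduleId, string ip)
    {
        var entry = new Entry { Key = NewKey(), IpBlock = IpBlock(ip) };
        entries[userId + ":" + moduleId] = entry;
        return entry.Key;
    }

    public bool Validate(int userId, int moduleId, string ip, string presented)
    {
        Entry entry;
        if (!entries.TryGetValue(userId + ":" + moduleId, out entry)) return false;
        // Different block: reject even the correct key and leave the stored key
        // untouched, so a remote guesser cannot lock the real user out.
        if (IpBlock(ip) != entry.IpBlock) return false;
        if (SameKey(presented, entry.Key)) return true;
        entry.Key = NewKey(); // bad guess from the user's own block: scramble
        return false;
    }
}
```

With a key issued to a constructed address such as 203.0.113.10, Validate accepts it from any 203.0.113.x address and rejects the same key from 198.51.100.7. After one wrong guess from 203.0.113.x the original key stops working until Issue is called again.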

Ripping out the “SetSilverlightKey” code for your own use is easy, as full source code is provided.

The negative of this approach is:

  • This will not work with any non web browser (or web browser plug-in) situation


Authenticating Manually

You may have heard of IWeb. This is a long-running project created by The Open Light Group (Ian Lackey and myself).

The real purpose of this module is to allow you to easily warehouse web methods for enterprise situations. It allows you to easily set security access of Web methods you create, by DotNetNuke role.

What matters for this article is that it authenticates a user from outside of DotNetNuke. This will work for things such as Windows Phone 7 and out-of-browser Silverlight applications.

You do not need to use IWeb if you don't need all its features; you can just grab the source code. It's available in VB and C#.

Basically, start ripping out the code starting with the code in Webservice.cs (or .vb) that looks like this:

IWebAuthendication objIWebAuthendication = new IWebAuthendication(IWebCredentials);
if (!(objIWebAuthendication.ValidAndAuthorized()))
 return "0,Not Authorized";

This article covers using IWeb with Ajax and you may also find it helpful:

The negative of this approach is:

  • You are transmitting the user's DotNetNuke username and password with each web service call. However, you can transmit using SSL, and IWeb does allow you to encrypt passwords (you use the same “encryption key” on both the client and the server).

