
DotNetNuke Web Service Authentication Methods

When using web services with DotNetNuke, there are three primary methods to secure the web services that I use:

  • Using HTTP Context – When a user logs into your DotNetNuke website, their web browser is given an “authentication token” in the form of a cookie. Web service calls made using Ajax or Silverlight use this cookie for authentication. This cookie will “time out” like a normal log-in if it is not used for a period of time (usually 20 minutes).
  • Using a “Custom Token” – uses this to provide a token that won't time out.
  • Authenticating Manually – IWeb uses this method to give you the most flexible authentication.


Using HTTP Context

This is the simplest method. You can download a simple module that demonstrates this at this link.

First, the user must be using a web browser (this includes Ajax), or a plug-in running in a web browser such as Silverlight (this does not cover Silverlight running out of browser or on Windows Phone 7).

Next, you just use a web method such as this:

public string GetUsername()
{
  string strUsername = "World!";
  // Get the current user
  UserInfo objUserInfo = UserController.GetCurrentUserInfo();
  // A UserID greater than -1 means the user is logged in
  if (objUserInfo.UserID > -1)
  {
    strUsername = objUserInfo.DisplayName;
  }
  return strUsername;
}

That's it. If they are logged in, their UserID will be greater than -1. The problems with this method:

  • The user will time out if they have not made any calls and their IIS authorization token has expired
  • This will not work in any situation that does not involve a web browser (or a web browser plug-in)


Authentication Using Custom Token

A special “user authentication token” is created and passed to the Silverlight application:

objUser = DotNetNuke.Entities.Users.UserController.GetCurrentUserInfo();
string strSilverlightPassword = Authendication.SetSilverlightKey(objUser, ModuleId, strIPAddress);

The application uses this password on all web service calls. The advantage of this approach is that the password will not “time out”. The user can keep the screen open for hours and never need to log in again. Also, their real password is not transmitted over the network.

The “SetSilverlightKey” code is a bit complex because of the protections it contains. It prevents a hacker from guessing passwords by scrambling the password on each bad attempt. It prevents a hacker from locking a user out by guessing wrong: it tracks the last IP address a user has used, and only scrambles the password if the bad attempt came from the same IP “block” that the user last logged on from. It also prevents a hacker from using the correct password if it comes from a different IP block.

Ripping out the “SetSilverlightKey” code for your own use is easy, because the full source code is provided.
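The behaviour described above for “SetSilverlightKey”, written out as an added example; it is not the module's own source. `SessionKeyStore`, its method names, the user ID and IP addresses, and the choice of the first three IPv4 octets as the “IP block” are assumptions, and it targets .NET 6 or later.

```csharp
// Added illustration, not the module's SetSilverlightKey source. Targets .NET 6+.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public sealed class SessionKeyStore   // hypothetical name
{
    private sealed record Entry(string Key, string IpBlock);
    private readonly Dictionary<int, Entry> _entries = new();

    // Assumption: an "IP block" is the first three octets of a dotted IPv4 address.
    private static string Block(string ip) => ip.Contains('.') ? ip[..ip.LastIndexOf('.')] : ip;
    private static string NewKey() => Convert.ToHexString(RandomNumberGenerator.GetBytes(32));

    // Called after a normal log-in; the returned key is what the client sends on each call.
    public string Issue(int userId, string ip)
    {
        var entry = new Entry(NewKey(), Block(ip));
        _entries[userId] = entry;
        return entry.Key;
    }

    public bool Validate(int userId, string presentedKey, string ip)
    {
        if (!_entries.TryGetValue(userId, out var entry)) return false;
        // Different block: reject and leave the stored key alone, so a remote guesser
        // can neither replay a captured key nor lock the real user out.
        if (Block(ip) != entry.IpBlock) return false;
        bool match = CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(presentedKey ?? ""), Encoding.UTF8.GetBytes(entry.Key));
        // Same block, wrong key: replace the key so repeated guesses cannot converge.
        if (!match) _entries[userId] = entry with { Key = NewKey() };
        return match;
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new SessionKeyStore();
        string key = store.Issue(42, "203.0.113.10");   // constructed sample values
        Console.WriteLine(store.Validate(42, key, "203.0.113.77"));      // owner, same block
        Console.WriteLine(store.Validate(42, "guess", "198.51.100.5"));  // guess from another block
        Console.WriteLine(store.Validate(42, key, "203.0.113.10"));      // owner's key after that guess
        Console.WriteLine(store.Validate(42, "guess", "203.0.113.10"));  // guess from the owner's block
        Console.WriteLine(store.Validate(42, key, "203.0.113.10"));      // original key after the scramble
    }
}
```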

The negative of this approach is:

  • This will not work with any non web browser (or web browser plug-in) situation


Authenticating Manually

You may have heard of IWeb. This is a long-running project created by The Open Light Group (Ian Lackey and myself).

The real purpose of this module is to allow you to easily warehouse web methods for enterprise situations. It allows you to easily set security access of Web methods you create, by DotNetNuke role.

What matters for this article is that it authenticates a user from outside of DotNetNuke. This will work for things such as Windows Phone 7 and out-of-browser Silverlight applications.

You do not need to use IWeb if you don’t need all its features; you can just grab the source code. It’s available in VB and C#.

Basically, start ripping out the code starting with the code in Webservice.cs (or .vb) that looks like this:

IWebAuthendication objIWebAuthendication = new IWebAuthendication(IWebCredentials);
if (!(objIWebAuthendication.ValidAndAuthorized()))
 return "0,Not Authorized";

This article covers using IWeb with Ajax and you may also find it helpful:

The negative of this approach is:

  • You are transmitting the user's DotNetNuke username and password with each web service call. However, you can transmit using SSL, and IWeb does allow you to encrypt passwords (you use the same “encryption key” on both the client and the server).

