New Post
5/14/2014 8:42 PM
 

Hi,

We have a DNN site with some extra database tables in the database associated with the site. This resides on Windows Azure.

We would also like to add Facebook sign-in etc. in the future, but that's another story.

I'm looking to build an iOS app that would talk to those extra tables and was wondering if I could use DNN's authentication mechanism in the iOS app.

Basically, I want users to be able to log into the DNN site to add their content or do the same from our new iOS app. Same goes for registering: an iOS user could sign up in the app, but that also gives them the ability to log into the DNN site using the credentials they created in the app.

thanks in advance for any assistance.

 
New Post
5/15/2014 4:55 AM
 
With a design such as that, it assumes you will be passing the username/password from the iOS app to the DNN website. In general this is a bad design, as if the request is HTTP then those details are passed in cleartext. If you were to do such a thing, I recommend you only allow HTTPS. Beyond that suggestion, there's a few approaches: you can either send the username/password with each request and use that to create the user who actually does the action, or else you can send it once and use an API method such as UserController.UserLogin to log the user in and set the cookie. This will then be sent on all future requests and allow standard service framework security to apply.

Buy the new Professional DNN7: Open Source .NET CMS Platform book Amazon US
 
New Post
7/7/2014 4:44 PM
 
Tango, we are doing a project (an iPad app) that has identical requirements to what you are describing as far as authentication is concerned. DNN now provides Digest authentication out of the box, which is a lot safer than Basic authentication. Refer to this blog post by Peter Donker: http://www.dnnsoftware.com/community-.... Here's an excerpt from it:
----------------------------------------------------------
* Intermezzo: Digest authentication
For the security buffs out there: DotNetNuke now includes its own digest authentication implementation. This is pretty cool. It means we finally have something safer than basic authentication that we can use for these services. In a nutshell the difference comes down to this. Basic authentication sends your login details over to the server in clear text. That is: your username and your password. That is an obvious security risk. The fact is that most sites run this way. Webforms and otherwise. The only way to hide the login details is to go https, but that is a bridge too far for many. Any time you enter your password on a page which is plain old http, you know it is going over the wire. And not as asterisks! So apart from https are there any alternatives? Yes, digest for instance. This authentication mechanism is based on you signing your username and password together with some unique info from the server which the server then verifies. The great thing is that only the signature makes it across. Not the password itself. And of course the signature is different for every time the conversation takes place. Want to know more:

https://en.wikipedia.org/wiki/Digest_...

The great thing about this is that you could now code an app (i.e. like on an iPhone) that stores your password in the device and authenticates you on your DNN site without passing this over the air. That is essential IMO to future mobile development for DNN as mobile device traffic is particularly vulnerable to snooping.
---------------------------------------------------------
But Digest authentication is still vulnerable to certain attacks, such as man-in-the-middle attacks, so it's not guaranteed to be secure. I'm assuming that's why Cathal is recommending HTTPS only. But it depends on your security requirements. Maybe Digest is secure enough.

Cathal, do you mind elaborating a bit more on these 2 options you mentioned?

"theres a few approaches - you can either send the username/password with each request and use that to create the user who actually does the action, or else you can send it once and use an API method such as UserController.UserLogin to log the user in and set the cookie - this will then be sent on all future requests and allow standard service framework security to apply."

Thanks.
Han
 
New Post
7/7/2014 6:49 PM
 

Digest authentication does have weaknesses (primarily the age of MD5, meaning it's crackable), but the main issue you're likely to have is that it requires the ability to retrieve a user's password so it can be combined with other factors to create a "hash" to compare with the hash passed in the request. Since DNN 7.1.0, users' passwords are stored as SHA1 hashes, so they can neither be retrieved (hashing is a one-way operation) nor used to compare against digest authentication hashes, as those are MD5.

As such, unless you can control the password format for your site (e.g. if it's an intranet), digest is not a good option.

Common options where digest is not an option are the ones I mentioned, i.e. passing username/password within the HttpPost and then using UserController.ValidateUser to check if they are valid (this technique needs SSL, as otherwise anyone intercepting the request can read the username and password details). This can be done with each request or done once (after which a reusable token is sent).


Buy the new Professional DNN7: Open Source .NET CMS Platform book Amazon US
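The point Cathal makes above, shown as a small added example (not DNN's code, and not from the original thread): an RFC 2617 digest verifier needs the password, or the MD5 "HA1" derived from it, on the server side, so a store that holds only a one-way SHA1 hash (the DNN 7.1.0+ situation) cannot check a digest response at all and is left with the "send the password over HTTPS and compare hashes" path. The realm, usernames and passwords are constructed for the demo; DNN's real hashes are salted, which is omitted here.

```python
import hashlib
import hmac
import secrets

REALM = "dnn.example"  # constructed realm for the demo


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, password, method, uri, nonce, realm=REALM):
    """Client side (RFC 2617 without qop): MD5(HA1:nonce:HA2), where
    HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri)."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


# Two server-side stores. A digest-capable server must keep HA1 (or the
# plaintext); a DNN 7.1.0+ style store keeps only SHA1(password).
def make_digest_store(user, password):
    return {user: {"ha1": md5hex(f"{user}:{REALM}:{password}")}}


def make_sha1_store(user, password):
    return {user: {"sha1": hashlib.sha1(password.encode()).hexdigest()}}


def verify_digest(store, user, method, uri, nonce, response):
    """Server side. True/False for a valid/invalid response; None when the
    store has no HA1 to rebuild the expected value from (SHA1-only store)."""
    rec = store.get(user)
    if rec is None or "ha1" not in rec:
        return None
    expected = md5hex(f"{rec['ha1']}:{nonce}:{md5hex(f'{method}:{uri}')}")
    return hmac.compare_digest(expected, response)


def verify_password(store, user, password):
    """What a SHA1-only store can do: the client sends the password itself
    (hence the HTTPS requirement) and the server compares one-way hashes."""
    rec = store.get(user)
    if rec is None or "sha1" not in rec:
        return False
    given = hashlib.sha1(password.encode()).hexdigest()
    return hmac.compare_digest(rec["sha1"], given)


if __name__ == "__main__":
    nonce = secrets.token_hex(16)
    resp = digest_response("han", "s3cret", "GET", "/api/items", nonce)
    print(verify_digest(make_digest_store("han", "s3cret"), "han", "GET", "/api/items", nonce, resp))
    print(verify_digest(make_sha1_store("han", "s3cret"), "han", "GET", "/api/items", nonce, resp))
    print(verify_password(make_sha1_store("han", "s3cret"), "han", "s3cret"))
```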
 
New Post
7/8/2014 10:01 AM
 

Cathal, I'm glad I asked. I was still under the impression that DNN still supported Digest authentication. I also found this https://dnntracker.atlassian.net/browse/DNN-3330, which is what you were saying about DNN since 7.1.0 no longer supports Digest. Looks like SSL is the way to go for us in our scenario. Thanks.

Han
