We have a client application running on each users computer that has a link to the associated web application.
A recent requirement is that if the user is logged in on开发者_StackOverflow中文版 the client application that they should be able to click the link and be automatically logged in on the web application.
Our web application is encrypted using SSL. Our client application is in Silverlight.
Is there a way to achieve this securely?
Our first naive thought was simply to embed the username and password in the url for the site, but obviously this is not secure because it is visible in the history and via the back button.
Attempt two involved simply converting the password segment into Base64 as to obscure it from view and trust in the SSL to encrypt it.
I'm still not happy. Ideally we would want to use some sort of time based token that expires within minutes of being used.
Where do we start?
If this becomes overly complicated (special hardware) or requires the user to do anything other than click the link-button then the feature will be dropped.
Perhaps you could make an authenticated web service call from the client application to the web application to obtain a token when the user clicks on the link, and then append the token to the querystring? Then the user is logged into the web application using the token, which is then immediately invalidated (valid for one-time use only).
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论