
I need to redirect a user from one web page to a page hosted on a different server secured using basic authentication over SSL. From the first page, I want to pass the username/password in the header using basic authentication. The intent is to try and provide a single sign on type feel. I don't want the user being prompted for credentials when they hit the second page, thus passing the credentials in the header. JavaScript, Python or PHP are OK, I do not want to use "Microsoft technologies". This is my actual (not working) code:

<script>
    function redirectToContent(){
        HttpContext httpContext = HttpContext.Current;  
        string authHeader = this.httpContext.Request.Headers["Authorization"];
        string encodedUsernamePassword = authHeader.Substring("Basic ".Length).Trim();        
        Encoding encoding = Encoding.GetEncoding("UTF-8");
        string usernamePassword = encoding.GetString(Convert.FromBase64String(encodedUsernamePassword));
        int seperatorIndex = usernamePassword.IndexOf(':');
        var username = usernamePassword.Substring(0, seperatorIndex);
        var password = usernamePassword.Substring(seperatorIndex + 1);          

        document.getElementById("username").innerHTML = username;               
        document.getElementById("password").innerHTML = password;               
        window.location.replace=window.location.protocol + "//" + username + ":" + password + "@" +'www.librojanasincantu.eu/page115.html';
    }
</script>
Massimo Manca
  • If you don't have to implement this yourself, I'd use something like GitHub or Auth0 as an identity provider. Then, it's just a matter of getting comfortable with JWTs, refresh tokens, and cookies. This might help get your wheels turning: https://jwt.io/introduction – lmonninger Sep 03 '21 at 23:10
  • I have to implement by myself, I already have the redirection code working but it does not pass username and password, I supposed (wrongly) it did automatically. So I think my problem is how to read the base64 encoded user and password – Massimo Manca Sep 04 '21 at 00:09
  • Passing a username and password around like that isn't a good idea. It's more secure to pass a JWT or another similar token around. You'll need to use Cookies. Check this out: https://stackoverflow.com/questions/27067251/where-to-store-jwt-in-browser-how-to-protect-against-csrf – lmonninger Sep 04 '21 at 00:23
  • The most secure way to do it would likely be to redirect with the JWT in the URL. I believe this is what Auth0 does out of the box, for example. It won't look as pretty, but you can write logic to remove the JWT from the path immediately after the redirect. – lmonninger Sep 04 '21 at 00:29
  • Guys, at the moment I will be happy just to redirect basic authentication from one page to the other, not more. The point is how to read the user and password sent in the https header, which in my mind I did not expect to do. Seems that my code is not working, I am not a JavaScript or PHP genius, the code I wrote runs on server side but retrieves empty username and password, that is the point. Also you may see I am just debugging "printing" their values in html. – Massimo Manca Sep 04 '21 at 00:38
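
Added example, not part of the original question or its comments: JavaScript running in the page cannot read the `Authorization` header of the request that loaded it, so the decoding attempted in the question has to happen in server-side code. A sketch for Node.js, where `parseBasicAuth` is a hypothetical helper name and the header values are constructed samples:

```javascript
// Added example (server-side, Node.js). parseBasicAuth is a hypothetical helper,
// not code from the question. It returns null for anything that is not a
// well-formed "Basic <base64(user:pass)>" header value.
function parseBasicAuth(headerValue) {
  if (typeof headerValue !== "string") return null; // header absent

  // The scheme name is case-insensitive; the credentials are one base64 token.
  const m = /^Basic +([A-Za-z0-9+/]+={0,2})$/i.exec(headerValue.trim());
  if (!m || m[1].length % 4 !== 0) return null; // wrong scheme or malformed base64

  let decoded;
  try {
    // fatal: true rejects bytes that are not valid UTF-8 instead of
    // silently substituting replacement characters.
    decoded = new TextDecoder("utf-8", { fatal: true })
      .decode(Buffer.from(m[1], "base64"));
  } catch {
    return null;
  }

  // Split on the FIRST colon only: the password may itself contain ':'.
  const sep = decoded.indexOf(":");
  if (sep < 0) return null;
  return { username: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Constructed sample header values (not real credentials).
const sampleHeaders = [
  "Basic " + Buffer.from("alice:p@ss:word", "utf8").toString("base64"),
  "Bearer abc.def.ghi", // different scheme
  "Basic !!!not-base64!!!", // malformed token
  undefined, // no Authorization header sent
];

for (const value of sampleHeaders) {
  const creds = parseBasicAuth(value);
  // Report only whether parsing succeeded; never log the password itself.
  console.log(creds ? `parsed credentials for user "${creds.username}"` : "no usable Basic credentials");
}
```

An empty result here matches the symptom described in the comments: when the browser was never challenged for credentials on that request, no `Authorization` header is sent and there is nothing to decode.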

0 Answers