I came across an interesting problem on Friday (which is why I'm blogging about it on Sunday evening - I've been working to fix this problem over the weekend!), regarding pre-authenticated links for secured areas of ASP.NET websites.

A very large and reputable client of our firm has an email sent out to them daily containing business-critical development information and a link to an online reporting feature. They requested if we could possibly arrange for the link to bypass the normal login system so that when a recipient of this email clicked the link, it would automatically authenticate them and take them straight to the appropriate reporting screens.

Now, our problem was that the site we've built doesn't make use of any of the four built-in ASP.NET Authentication mechanisms - Forms, Windows, Passport or custom. It made use of an underlying "SecureAdmin" class which inherited from System.Web.UI.Page, which then had underlying code to perform the authentication for each page we wanted to be "protected", and auth data was stored in Session - not the greatest way to do things. So I couldn't make use of the AuthenticationProvider.SetAuthCookie() method which would've enabled me to create a nice easy method to auth against with an SHA1 key.

However, I did get it working. I added a "secret" field to the Users table in our database, and this secret changed for all users, every time notification emails were sent out. The link included in the email then made use of the new key and attached it to the URL so pre-auth could be achieved without exposing usernames or passwords.

I would love to post code... but because of it's nature, I can't. However, I'm sure you get the idea for now, and I'll knock together a sample this evening to put up over the next couple of days.


N.B.: I'm now looking at Forms authentication and the ASP.NET membership provider model for version 4 of this project. I'm sure I'll find lots more to blog about it along the way!