
I have a website that uses WebMatrix user authentication (login/register pages) and I am making an app in Windows 8 Release Preview and would like to know if it is possible to authenticate users of my app (let users of my app sign in to my app) if they are registered members of my website? And if they are not, allow them to register through my app - but it appears that remote db connections are not possible in Metro apps - so I don't know what to do. Can somebody please help?

I've been searching for weeks but there still isn't a whole lot of official documentation out there.

Arrow
  • rather than trying to connect to the database via the app, couldn't you make an authentication API on your website for the app to use? – Graham Clark Jun 07 '12 at 10:15
  • Yeah, that's a great idea. I made an API to retrieve certain results from the DB from within the App. but now it's looking like I'll have to do it your way, which is ok, but I'm new to this kinda stuff, and I'm a little fearful of making an authentication API for obvious reasons. Do you have any resources that you can recommend I read? Thank you! – Arrow Jun 07 '12 at 10:18
  • 1
    Not sure about resources, maybe look into some of the new Web API stuff in MVC 4. – Graham Clark Jun 07 '12 at 10:20
  • 1
    Even a badly written authentication thingy is more secure than direct database access. Before sending, retrieve a key from the server, use that key to hash the password, then transmit the username and the hashed password, hash server side as well and compare, if everything is fine, return another created hash that's used to identify the current user during this session (only valid till a fixed time or IP changes). – Mario Jun 07 '12 at 10:22
  • Thank you Mario and Graham. I think this will be the way to go. – Arrow Jun 07 '12 at 10:29

1 Answer


You should never ever allow any client or user program to access your database directly (not even read access). People WILL abuse it one way or another and they might try exploits to gain write access if their access is restricted to reading. If you'd like a prominent example, Super Meat Boy did exactly that, and they got lots of database issues and abuse over last year's Christmas days (while their game was on (Steam) sale, so they got lots of additional upset players!).

I've never used WebMatrix, so I might be a bit off here, but in general you should have several possible approaches - all being better than doing direct database access:

  • Use some provided remote access (this might be some extra class or addon or whatever; IF available).
  • Write your own remote access tool. This would essentially be some special website accepting/returning text or data interpreted by your program. E.g. you could post the login credentials in an HTTP POST request and it could return ok or failed or something like that.
  • Essentially fake a web browser and access the standard URLs/scripts/systems provided by WebMatrix.
Mario
  • Thank you for the warning and scenarios. I think the second option would best suit. Can I ask, with your second option, I should just POST the user credentials to the website's Login page, have the login page log the user in and return an ok or failed to the Metro App? And that's it? I thought it would be more complicated than that. Can data POSTed from an App be seen in any way? – Arrow Jun 07 '12 at 10:27
  • In addition to the answer above, I think http://msdn.microsoft.com/en-us/library/windows/apps/xaml/br229572.aspx will be of help to people wanting to authenticate with things and stuffs – Arrow Jun 07 '12 at 10:46
  • 1
    The data from the POST request can be "seen" unless it's over a HTTPS connection - one of the reasons for using a unique/one-time hash (see my suggestion in the question's comments). But yes, the basics would work like that, just try to avoid posting unencrypted/unhashed data. Your website part should most likely return some kind of unique token or something similar the app may use for further requests as authentication (similar to SESSION cookies). – Mario Jun 07 '12 at 11:04
  • Excellent. Thanks a lot for your help Mario, really appreciate it. – Arrow Jun 07 '12 at 11:30
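The "write your own remote access tool" option from the answer above, worked through as an added example (this is not code from the question, the answer, or WebMatrix itself). It models the exchange the comments describe: the app POSTs credentials to a login endpoint, the server checks them against a salted password hash (never the clear-text password), answers ok or failed, and on success hands back an opaque, expiring token the app sends on later requests in place of the credentials. The endpoint paths (`/api/register`, `/api/login`, `/api/me`, `/api/logout`), the in-memory user table, and the bearer-token header are assumptions for illustration; the transport is assumed to be HTTPS, which is what keeps the POSTed password from being observed on the wire. Python is used here as a language-neutral sketch of the server-side logic; the same structure ports to an ASP.NET Web Pages handler.

```python
import hashlib
import hmac
import os
import secrets
import time

# Tunables (assumed values for the example).
PBKDF2_ITERATIONS = 100_000
TOKEN_TTL_SECONDS = 3600
_DUMMY_SALT = b"\0" * 16
_DUMMY_HASH = b"\0" * 32


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; this is what gets stored, not the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class AuthApi:
    """Minimal login/register/session API sitting between a native app and the DB.

    The app never opens a database connection: it only ever talks to this service.
    `now` is injectable so token expiry can be tested without sleeping.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._users = {}     # username -> (salt, pbkdf2 hash); stand-in for the membership table
        self._sessions = {}  # token -> (username, expires_at)

    def register(self, username: str, password: str) -> bool:
        if not username or username in self._users or len(password) < 8:
            return False
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))
        return True

    def login(self, username: str, password: str):
        """Return a fresh session token on success, None on failure."""
        record = self._users.get(username)
        # Hash against a dummy record for unknown users so response time does
        # not reveal which usernames exist.
        salt, stored = record if record else (_DUMMY_SALT, _DUMMY_HASH)
        matches = hmac.compare_digest(_hash_password(password, salt), stored)
        if not (record and matches):
            return None
        token = secrets.token_urlsafe(32)  # opaque, unguessable, not derived from the password
        self._sessions[token] = (username, self._now() + TOKEN_TTL_SECONDS)
        return token

    def authenticate(self, token: str):
        """Map a bearer token to a username, or None if unknown or expired."""
        session = self._sessions.get(token)
        if session is None:
            return None
        username, expires_at = session
        if self._now() >= expires_at:
            del self._sessions[token]
            return None
        return username

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

    def handle(self, method: str, path: str, body=None, headers=None):
        """Dispatch one request like a tiny HTTP handler; returns (status, response dict)."""
        body = body or {}
        headers = headers or {}
        if method == "POST" and path == "/api/register":
            if self.register(body.get("username", ""), body.get("password", "")):
                return 201, {"result": "ok"}
            return 400, {"result": "failed"}
        if method == "POST" and path == "/api/login":
            token = self.login(body.get("username", ""), body.get("password", ""))
            if token is None:
                return 401, {"result": "failed"}  # same answer for bad user and bad password
            return 200, {"result": "ok", "token": token, "expires_in": TOKEN_TTL_SECONDS}
        # Everything below requires a valid "Authorization: Bearer <token>" header.
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        user = self.authenticate(token) if token else None
        if user is None:
            return 401, {"result": "failed"}
        if method == "GET" and path == "/api/me":
            return 200, {"result": "ok", "username": user}
        if method == "POST" and path == "/api/logout":
            self.logout(token)
            return 200, {"result": "ok"}
        return 404, {"result": "failed"}


if __name__ == "__main__":
    api = AuthApi()
    print(api.handle("POST", "/api/register", {"username": "alice", "password": "correct horse"}))
    status, resp = api.handle("POST", "/api/login", {"username": "alice", "password": "correct horse"})
    print(status, resp["result"])
    print(api.handle("GET", "/api/me", headers={"Authorization": "Bearer " + resp["token"]}))
```

Two design points worth noting: the login response is the same 401 whether the username or the password was wrong, and the token is random rather than a hash of anything the user typed, so a captured token gives an attacker nothing beyond the session it belongs to and stops working when it expires or the user logs out.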