With just username and no password, can you mark this user is authenticated

[Andrew V]

I have an httpModule that tap into the authenticate request event. If a
request is coming from a sister site, in the query string there is an
encrypted string mapped to an already authenticated user. If it looks good,
I would like to auto validate the user so she doesn't have to go to the
login page. Is this possible?

If I use FormsAuthentication.RedirectFromLoginPage the user would be taken
to the default page not the original targeted page. And since the password
is hashed in the database, I can't feed the user name and the already hashed
pass word to the Membership API.

Many thanks in advance.

 

[Brock Allen]

You can handle the HttpApplication.AuthenticateRequest event (perhaps in
global.asax), check for your query string, and if all looks good then login
the user via FormsAuthentication.SetAuthCookie. You'd probabaly want to then
Response.Redirect the user back to the page they were requesting but remove
the query string.

 

[Andrew V]

Works like a charm. Thanks Brock.

 

[Dominick Baier [DevelopMentor]]

you say "encrypted" - how do you prevent replay attacks?