1 (edited by barbary 2009-05-28 19:00:02)

Topic: Login page in ASP .Net

Hello,

I'm trying to write a login page in ASP .NET and failing badly.

Can anyone point me at an example of an ASP .Net login page for chillispot?

I can only find cgi and php versions.

Thanks for any help or suggestions.

Re: Login page in ASP .Net

It should be possible to make one in ASP. I've rebuilt my own from scratch in PHP.

There are variety of get Vars that Chilli sends to the page. One of them is the ip and port chillispot is running on. Its a matter of hashing hte password and username they type and sending a aheader to givert to that address:portnumber?var1=stuff&var2=stuff.

At the top of hotspotlogin.php is a list of get vars it uses. In addition to the ones chilli sends. There's one called "res"

various values of res and what they do:
notyet - user not logged in diplay form
doLogin -process the login form, diverts the encrypted result to chilli for authentication
failled - not logged in for good reason
sucess - logged in sucessfully
logoff - diverts to chillispot with code for logout
already - already logded in

if you call your uam server with res=oneOfTheAbove its easier to figure out what its doing.

It should be realtively easy to write an asp one (Ive never done ASP).

The way the default PHP one works is to populate hidden fields of the form with all the data chilli sends as get vars. Submits the form to itself, used the hidden fields to write a http header diverting the users browser to the chillispot deamon, with the username and password as encryped vars
[pre]
header('Location: http://'.$_POST['uamip'].':'.$_POST['uamport'].'/logon?username='.$_POST['UserName'].'&password='.$pappassword);
[/pre]
is the clever bit. $_POST is form data in PHP. $pappasswrord is the form password encrypeted and hased using the UAM secret.

Hope this helps your figure out how to do in in ASP.

3 (edited by barbary 2009-06-05 19:22:37)

Re: Login page in ASP .Net

Well that does help although I'm a way off yet

Ok so I get a page rquest from chillisoft like this

http://someip/hotspotlogin.aspx?res=notyet&uamip=ip-address and a bunch of stuff

I return a webpage with a username and password feild and that same querrystring at the top

they post back the login page and (this is the important bit I'm unsure on)

a) chillisoft strips out the username and pasword and goes to the radius server

b)It comes back to the IIS server I take the uasername password put them into hidden feilds having incripted the password then return the page with res now changed in the querrystring to DoLogin.

My question now is whats the name of the feilds chillispoft is looking for.

If it's a whats the name of the input feilds and for that matter what type?

If it's b whats the name of the hidden feilds got to be?

Second thought
I have to say that even reading this now it seems you are suggesting a third method where the returned page includes a link like this http://router-ip/login?username=user&password=encryptedpassword and thats what send chillisoft off to the radius server to authenticate.  In which case do I even do anything with the res var?  Or store anything in hidden varibles?

Clearly I'm still confused

Re: Login page in ASP .Net

Hi, I'm trying to write it in Asp.Net as well. There is a piece of the code I can't understand. Could you tell me how it works?

  $hexchal = pack ("H32", $challenge);
  if ($uamsecret) {
    $newchal = pack ("H*", md5($hexchal . $uamsecret));
  } else {
    $newchal = $hexchal;
  }
  $response = md5("\0" . $password . $newchal);
  $newpwd = pack("a32", $password);
  $pappassword = implode ("", unpack("H32", ($newpwd ^ $newchal)));