Login from a desktop application to a web application



  • I have a desktop application and a web application. The user is logged in on the desktop application. With a click on a button or something the browser should open and the user should be logged in.

    Now I'm a little confused how to implement this in a safe way. My first thought would be to generate a nonce on the server, pass this to the application which in turn then generates a URL for the browser. (The whole communication is over HTTPS.) But since the nonce would be in the URL, couldn't a MITM just grab it and then log in as this user? I guess the browser would show a certificate problem in case of a MITM attack, but some of the users aren't very savvy, so I assumed that they would just dismiss any certificate error.

    This is a problem because some of these users are sort of administrators (they create users), so it would be very bad if an attacker could log in.

    Is it possible to automatically login a user from a desktop application to a web application in a secure way?
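    One way to make the nonce-in-URL hand-off described above safer is to issue it as a short-lived, single-use token whose hash (not the token itself) is kept server-side and which is invalidated on first redemption. The following is an added example written for this answer, not code from the original post; the 60-second TTL and the injectable `clock` are assumptions for illustration.

    ```python
    import hashlib
    import secrets
    import time

    # Added example (not from the original post): server-side store for
    # short-lived, single-use browser hand-off tokens. The desktop app requests
    # a token over HTTPS, opens a URL carrying it, and the web app redeems it
    # exactly once for a session. If the URL leaks, the window is seconds wide
    # and any second redemption fails.

    HANDOFF_TTL_SECONDS = 60  # assumption: the browser opens the URL immediately


    class HandoffTokenStore:
        def __init__(self, ttl=HANDOFF_TTL_SECONDS, clock=time.time):
            self._ttl = ttl
            self._clock = clock  # injectable so expiry can be tested deterministically
            self._pending = {}   # sha256(token) -> (user_id, expires_at)

        @staticmethod
        def _digest(token):
            # Only the hash is stored, so reading the store does not yield usable tokens.
            return hashlib.sha256(token.encode()).hexdigest()

        def issue(self, user_id):
            token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
            self._pending[self._digest(token)] = (user_id, self._clock() + self._ttl)
            return token  # goes into the URL; the server never stores it in clear

        def redeem(self, token):
            """Return the user id once, or None if unknown, expired or already used."""
            entry = self._pending.pop(self._digest(token), None)  # pop: single use
            if entry is None:
                return None
            user_id, expires_at = entry
            if self._clock() > expires_at:
                return None  # expired tokens are dropped, never honoured late
            return user_id

        def purge_expired(self):
            """Housekeeping for tokens that were issued but never redeemed."""
            now = self._clock()
            stale = [k for k, (_, exp) in self._pending.items() if exp < now]
            for k in stale:
                del self._pending[k]
            return len(stale)
    ```

    The web endpoint that receives the URL should call `redeem` and, on success, create a normal session cookie for that user; the hand-off token itself should never be reused as the session identifier.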



  • I had this problem a few weeks ago. I simply resolved it by making a web service accessible via HTTPS.

    The user logs in from a local client application via a login/password form which is sent over HTTPS. The server gets the data and sends a token to the client.

    The token is stored in the application for login purposes and expires after 2 weeks. When the token expires my client has to log in again.

    My requests are HTTPS based, so it takes care of the handshakes, encryption, etc.

    A large amount of WebAPIs use this method to make secure transactions.

    If you notice a large number of failed login attempts on the server side, block any further attempts from the client for a given amount of time, which will increase after future failed attempts.

