Export (0) Print
Expand All

Handling the Response from the Service

Bb676640.note(en-us,MSDN.10).gifNote:
This topic describes functionality that will be obsolete. This functionality is provided only to support legacy applications. Live Connect incorporates features that provide equivalent functionality.

After users successfully sign in or out, the Windows Live ID service responds by redirecting them to your Web site—specifically to the return URL that you specified when you registered your application. You must implement a dynamic page on your site to receive and appropriately process this response.

Bb676640.note(en-us,MSDN.10).gifNote:
In the ASP.NET sample application, the page that handles the response is webauth-handler.aspx. This page uses the code in webauth-handler.aspx.cs. Also included is a function library called WindowsLiveLogin.cs. The sample applications for other platforms have a similar architecture.

Let's look briefly at the handling of responses during sign-in and sign-out.

Sign-in

When a user signs in, the response from the service is an HTTP POST to your site's return URL. Included in the response is the user's encrypted authentication token. The sample application stores the encrypted token in a session cookie called "webauthtoken" to keep the user signed in to your site during multiple page views. In the ASP.NET sample application, decryption of the authentication token to obtain the user's information is handled by the ProcessLogin function found in the WindowsLiveLogin.cs function library.

For more information about the parameters that the POST response contains, see Response Parameters. For more information about decrypting the token, see Token Format.

Sign-out

When the user clicks the sign-out link, the Windows Live ID service responds with two HTTP GET calls to your site. Both responses require your handler page to clear the session cookie that you created at sign-in, but in addition, one requires you to return an image and the other requires you to redirect the user. (We will discuss the difference between these sign-out responses in more detail later in this topic.)

How does your handler page determine which kind of response it has received? The rest of this topic answers that question and offers further details by walking you through some of the sample code.

To handle the response appropriately, your code must first check the action parameter as shown in the following excerpt based on the ASP.NET sample application.

HttpRequest req = HttpContext.Current.Request;
HttpResponse res = HttpContext.Current.Response;

// Extract the 'action' parameter from the request, if any.
string action = req["action"];

The action parameter tells your site what the Windows Live ID service requires it to do. The following table explains the possible values this parameter can have.

If action is Your site must do this

login

Extract the user's authentication token from the POST response and store it in a session cookie.

clearcookie

Clear the session cookie you created at sign-in and return a Graphics Interchange Format (GIF) image to the service to indicate that the user has been signed out.

logout

Clear the session cookie and redirect the signed-out user to a page on your site that is appropriate for unauthenticated users.

The next sections describe how the sample application reacts to the action parameter to process the rest of the response.

Handling the "login" (Sign-in) Action

If the action parameter is "login", the sample application creates a User object by calling the ProcessLogin method defined in the function library. The ProcessLogin method parses, decrypts, and validates the authentication token from the response so that you can access the user's unique ID easily. For more information about the token, see Token Format.

In the sample application, the user's Token property is set as a cookie called "webauthtoken" so that the user can remain signed in to your site during multiple page views. If the user's UsePersistentCookie property is true, a persistent cookie is used. Persistent cookies allow the user to remained signed in across multiple browser sessions.

Bb676640.note(en-us,MSDN.10).gifImportant:
Do not use persistent cookies if the value of the user's UsePersistentCookie property is false.

The following excerpt, which handles the "login" action parameter and demonstrates the use of ProcessLogin, is based on the ASP.NET sample application.

else if (action == "login")
{
    WindowsLiveLogin.User user = wll.ProcessLogin(Request.Form);

    HttpCookie loginCookie = new HttpCookie("webauthtoken");
    if(user != null)
    {
        loginCookie.Value = user.Token;
        if (user.UsePersistentCookie)
        {
            loginCookie.Expires = DateTime.Now.AddYears(10);
        }
    }
    else
    {
        loginCookie.Expires = DateTime.Now.AddYears(-10);
    }   
    Response.Cookies.Add(loginCookie);
    Response.Redirect("default.aspx");
    Response.End();
}

In addition to providing the functionality already described, the ProcessLogin method also populates the User object with the properties described in the following table.

Property Description

User.Id

An alphanumeric string that represents the unique user identifier. This identifier is both unique to this user and specific to your site.

User.Timestamp

A 32-bit integer that represents the time, in seconds, that the user was last authenticated as measured from 00:00:00 on January 1, 1970 (UTC).

User.Context

The context value originally specified in the IFRAME code for the sign-in link. For more information about context, see Displaying the Sign-in Link.

User.Token

The authentication token. This token can be cached in a cookie in your domain, and the user’s unique identifier can be retrieved by calling the ProcessToken method.

User.UsePersistentCookie

Boolean value that indicates the type of cookie in which your application is expected to store the user token. If true, use a persistent cookie; if false, you must use a session cookie.

Handling the "clearcookie" and "logout" (Sign-out) Actions

If the action parameter is "clearcookie", the sample code deletes the current "webauthtoken" site cookie. The code also calls the GetClearCookieResponse method defined in the function library of the sample application. GetClearCookieResponse returns a Graphics Interchange Format (GIF) image to the authentication server to indicate that the user has signed out. The following excerpt, which handles the "clearcookie" action parameter and demonstrates the use of GetClearCookieResponse, is based on the ASP.NET sample application.

else if (action == "clearcookie")
{
    HttpCookie loginCookie = new HttpCookie("webauthtoken");
    loginCookie.Expires = DateTime.Now.AddYears(-10);
    Response.Cookies.Add("webauthtoken");

    string type;
    byte[] content;
    wll.GetClearCookieResponse(out type, out content);
    Response.ContentType = type;
    Response.OutputStream.Write(content, 0, content.Length);

    Response.End();
}

If the action parameter is "logout", the code deletes the current "webauthtoken" site cookie and redirects the user to the page on your Web site that will be seen by users who are signed out. (In the sample application, this happens to be the same page that is used for sign-in.) The following excerpt, which handles the "logout" action parameter, is based on the ASP.NET sample application.

if (action == "logout")
{
    HttpCookie loginCookie = new HttpCookie("webauthtoken");
    loginCookie.Expires = DateTime.Now.AddYears(-10);
    Response.Cookies.Add("webauthtoken");
    Response.Redirect("default.aspx");
    Response.End();
} 

Other Resources

Live Connect

Show:
© 2014 Microsoft