If validation has to be with the "authentication of the desktop application using the active login of the web application" (according to your words) the most correct is when the user authenticates in the web application that login generates an authentication "token" in the system.
I'd advise having a table, for example, "UserToken" instead of saving to "Session":
CREATE TABLE [dbo].[UsuarioToken] (
[Token] UNIQUEIDENTIFIER NOT NULL,
[IdUsuario] SMALLINT NOT NULL,
[DataInicial] DATETIME DEFAULT (getdate()) NOT NULL,
[DataFinal] DATETIME NULL,
PRIMARY KEY CLUSTERED ([Token] ASC),
CONSTRAINT [FK_UsuarioToken_Usuario] FOREIGN KEY ([IdUsuario]) REFERENCES [dbo].[Usuario] ([idUsuario]));
By logging in to the web, it creates the token with the access date (Start Date). Disabling the token (DataFinal). Note that the Start Date is DEFAULT
getdate()
, DataFinal
, because it will be the date and time the user "moves" from the web application. It will be DataFinal
when NULL
that will indicate whether the token is active or not.
With the token created, it will now depend on your business rule and whatever else is applicable and / or feasible for your situation, so the following is just an example / idea:
In the desktop application:
-
Instead of having a form with User and Password, it would have a form to indicate the "access key", token created in the web login, that could be sent to the "client" via e- mail this one of the data of register of the user). If active token, eg ValidarToken(Guid token)
, does the processing, if it does not return that token is invalid.
-
Have a login form with username and password to identify and validate, the first time, if the user (user) is registered in the web system, after this check if token ("access key") is associated with the user who is logged in and if token is active in the web system. In short, you once identify whether the user and password is valid, whether valid checks for an active "access key" in the web application, whether there is a token stored in a variable on the desktop and in the next processes that requires token, such as it is already stored in memory, it only verifies that it is still active in the web application ValidarToken(Guid token)
. If it is not, return to the login process again.
I emphasize security rules because the token must be invalidated after all necessary processes are performed on the desktop.