Compartir a través de

Linking Parent and Child

  • Artículo

Linking Parent and Child

The Kids Passport service requires every child who has a .NET Passport to be associated with a parent who has a .NET Passport. The parent-child relationship grants the parent special privileges to oversee the child's .NET Passport account. One of these parental privileges gives parents the ability to view or delete any personal information that a site stores about their child. The Account Data and Account Removal pages that you provide on your site enable parents to exercise this privilege. When a user attempts to access a child's personal information through the Account Data or Account Removal page, it is important to verify that that user is actually the parent who is associated with the child whose information is being accessed. Kids Passport provides the kppvc parameter to enable participating sites to verify the parent-child relationship.

Using the kppvc Parameter to Verify the Parent-Child Relationship

Parents access your Account Data and Account Removal pages through links on the Kids Passport site. When a parent accesses either of these pages from the Kids Passport site, Kids Passport silently authenticates the parent by redirecting to the Login server. After the parent is successfully authenticated, your Account Data Page or Account Removal Page as the return URL for the authentication call, and the kppvc parameter is included in the return URL.

You must use the kppvc parameter to verify the parent-child relationship before you allow a user to access a child's data through your Account Data page or Account Removal page. The kppvc parameter also enables you to identify the child whose data is being accessed.

The kppvc parameter provides six values:

  • cmidh— The MemberIDHigh for the child whose data is being accessed, in hexadecimal format.
  • cmidl— The MemberIDLow for the child whose data is being accessed in hexadecimal format.
  • pmidh— The MemberIDHigh value for the parent, in hexadecimal format.
  • pmidl— The MemberIDLow value for the parent, in hexadecimal format.
  • cmn— The child's name, from the child's .NET Passport profile.
  • cas— The consent status for this child. cas=0 indicates that the child has no consent, cas=1 indicates limited consent, and cas=2 indicates full consent.

To obtain these six values from the kppvc parameter, use the Decompress and Decrypt methods to obtain a string of key-value pairs, and then obtain individual key-value pairs from this string. The decompressed and decrypted kppvc string is formatted similarly to query string parameters in a URL. Each key-value pair is separated by a '&' character, and each key and value is separated by a '=' character.

[UNTESTED CODE SAMPLE.]

<%
' Global variables to store the values in kppvc.
dim cmidh, cmidl, pmidh, pmidl, cas

Sub Get_kppvc_values

    ' The Passport Crypt object provides the Decompress and Decrypt methods.
    set oCrypt = server.createObject("Passport.Crypt")

    ' Fetch the kppvc string.
    kppvc = Request.QueryString("kppvc")

    ' First decrypt.
    kppvc = oCrypt.Decrypt(kppvc)
    ' Then decompress.
    kppvc = oCrypt.Decompress(kppvc)
   
    ' Get an array of key-value pairs.
    kppvcArray = Split(decompressed_kppvc,"&")

    ' Get the individual values.
    x = LBound(kppvcArray)
    While x = UBound(kppvcArray)

        ' Split each key-value pair into separate array elements.
        keyvalueArray = Split(kppvcArray(x), "=")
 
        Select Case keyvalueArray(0)
            Case "cmidh"
                cmidh = keyvalueArray(1)
            Case "cmidl"
                cmidl = keyvalueArray(1)
            Case "pmidh"
                pmidh = keyvalueArray(1)
            Case "pmidl"
                pmidl = keyvalueArray(1)
            Case "cas"
                cas = keyvalueArray(1)
       End Select

    Wend

End Sub
%>

After you have obtained the values embedded in the kppvc parameter, use these values to determine which child's data should be accessed by the Account Data page or the Account Removal page, and also to verify that the current user is that child's parent. For more information, see Account Data Page and Account Removal Page.

If you ever need to re-authenticate a parent who is accessing your Account Data or Account Removal page, or the user is not linked with the child whose information is being accessed, redirect the user to the Login server. Use the AuthURL2 method to obtain the authentication call URL and specify KPP=4 in the authentication call. Specifying KPP=4 causes the kppvc parameter to be included in the return URL. If you specify KPP=4, you must also include the value of the kppvc parameter that was included when the user first accessed your Account Data or Account Removal page. Append the kppvc parameter and its value to the authentication call URL that is provided by the AuthURL2 method. If you specify KPP=4 and do not include the kppvc parameter, an error will be displayed to the user. You should also specify ForceLogin=True on the authentication call, to ensure that the Login server prompts the user for credentials. For more information about the using the KPP parameter in authentication calls, see Checking for Consent.

See Also

Manager.AuthURL2 | MemberIDLow | MemberIDHigh