Compartilhar via


Verifying the Parent-Child Relationship

Verifying the Parent-Child Relationship

The Microsoft® Kids Passport service requires every child who has a Microsoft® .NET Passport to be associated with a parent who has a .NET Passport. The parent-child relationship grants the parent special privileges to oversee the child's account, including the ability to view or delete personal information stored about the child. When a user attempts to access a child's personal information through the Account Data or Account Removal pages, it is important to verify that that user is actually the parent associated with the child whose information is being accessed. You can verify the parent-child relationship through the kppvc parameter.

Using the kppvc Parameter to Verify the Parent-Child Relationship

Parents access your Account Data and Account Removal pages through links on the Kids Passport site. Kids Passport silently authenticates the parent by redirecting to the Login server. After the parent is successfully authenticated, your Account Data Page or Account Removal Page is invoked as the return URL for the authentication call, and the kppvc parameter is included in the return URL.

You must use the kppvc parameter to verify the parent-child relationship before you allow a user to access a child's data through your Account Data page or Account Removal page.

The kppvc parameter provides six values:

  • cmidh
    The MemberIDHigh for the child whose data is being accessed, in hexadecimal format.
  • cmidl
    The MemberIDLow for the child whose data is being accessed, in hexadecimal format.
  • pmidh
    The MemberIDHigh value for the parent, in hexadecimal format.
  • pmidl
    The MemberIDLow value for the parent, in hexadecimal format.
  • cmn
    The child's name, from the child's .NET Passport profile.
  • cas
    The consent status for this child.

    cas=0 indicates no consent or that consent is denied; cas=1 indicates limited consent; and cas=2 indicates full consent.

To obtain these six values from the kppvc parameter, use the Decompress and Decrypt methods to obtain a string of key-value pairs, and then obtain individual key-value pairs from this string. The decompressed and decrypted kppvc string is formatted in a similar way to query string parameters in a URL. Each key-value pair is separated by a '&' character, and each key and value is separated by a '=' character.

<%
' Global variables to store the values in kppvc.
dim cmidh, cmidl, pmidh, pmidl, cas

Sub Get_kppvc_values

    ' The Passport Crypt object provides the Decompress and Decrypt methods.
    set oCrypt = server.createObject("Passport.Crypt")

    ' Fetch the kppvc string.
    kppvc = Request.QueryString("kppvc")

    ' First decrypt.
    kppvc = oCrypt.Decrypt(kppvc)
    ' Then decompress.
    kppvc = oCrypt.Decompress(kppvc)
   
    ' Get an array of key-value pairs.
    kppvcArray = Split(decompressed_kppvc,"&")

    ' Get the individual values.
    x = LBound(kppvcArray)
    While x <= UBound(kppvcArray)

        ' Split each key-value pair into separate array elements.
        keyvalueArray = Split(kppvcArray(x), "=")
 
        Select Case keyvalueArray(0)
            Case "cmidh"
                cmidh = keyvalueArray(1)
            Case "cmidl"
                cmidl = keyvalueArray(1)
            Case "pmidh"
                pmidh = keyvalueArray(1)
            Case "pmidl"
                pmidl = keyvalueArray(1)
            Case "cas"
                cas = keyvalueArray(1)
       End Select
       x = x + 1
	   
    Wend

End Sub
%>

After you have obtained the values embedded in the kppvc parameter, use these values to determine which child's data should be accessed as well as to verify that the current user is that child's parent. You should verify that the parent's .NET Passport Unique ID (PUID), stored in the pmidh and pmidl values of the kppvc parameter, matches the PUID of the currently signed-in user. If the PUID is different, then this is an invalid user trying to access the child's information. For more information, see Account Data Page and Account Removal Page.

If you need to reauthenticate a parent who is accessing your Account Data or Account Removal page, or if the user is not linked to the child whose information is being accessed, redirect the user to the Login server. Use the AuthURL2 method to obtain the authentication call URL and specify KPP=4 in the authentication call. This will cause the kppvc parameter to be included in the return URL. If you specify KPP=4, you must also include the value of the kppvc parameter that was included when the user first accessed your Account Data or Account Removal page. Append the kppvc parameter and its value to the authentication call URL that is provided by the AuthURL2 method. If you specify KPP=4 and do not include the kppvc parameter, an error will be displayed to the user. You should also specify ForceLogin=True on the authentication call, to ensure that the Login server prompts the user for credentials. For more information about using the KPP parameter in authentication calls, see Checking for Consent.

See Also

Manager.AuthURL2 | MemberIDLow | MemberIDHigh | Crypt.Decompress | Crypt.Decrypt