Ali Massimi

Reputation: 1

Integrating BIRT in ASP.NET

I don't have code for this yet, but I am planning to send the ASP.NET session ID as a parameter to the BIRT report engine.

Then, in the "Initialize" event in BIRT, I am planning to call a page in the same ASP.NET application that will check whether the session ID is valid. I have several questions:

  1. Do you think this is a valid scenario?

  2. Do you know of any site that has solved this issue?

P.S. The main purpose of this is security, as I don't want people to use the BIRT URL outside the context of my .NET application.

Upvotes: 0

Views: 1609

Answers (1)

Erik Funkenbusch

Reputation: 93464

First rule. Never. Ever. Ever. Use session for security. Just don't do it. Session is insecure, unreliable, and not intended for security.

Second, you can't have BIRT call an ASP page. Since this will be a server-side call, it won't have the session cookie from the user, thus even doing what you are trying won't work. In effect, BIRT becomes the client.

There are many ways to control access to a site. As one example, you can generate an access key which you pass to the BIRT server, which can then decode the key and verify that it's valid by using encryption. You can encrypt the date and time the key is generated, and make the key only valid for a short period of time. Then you decrypt the key on the BIRT server, compare the time and know if the user has access.

However, a better way would be to use something like OAuth to control access. Your ASP.NET and BIRT servers exchange keys, do a validation, etc., via the client, and you know the client has access because they have the bearer token.

Upvotes: 2
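
The short-lived access key described in the answer above, sketched as an added example that is not part of the original answer or of BIRT or ASP.NET. It authenticates the issue time with an HMAC in place of encryption (the check needs integrity, not secrecy) and also binds the key to one report; the names `SHARED_KEY`, `issue_key` and `verify_key`, the 60-second window and the sample values are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: one secret provisioned on both the ASP.NET app and the BIRT server.
SHARED_KEY = b"constructed-demo-secret"
MAX_AGE_SECONDS = 60     # the key is only valid for a short period
CLOCK_SKEW_SECONDS = 5   # tolerated clock drift between the two servers


def _mac(payload):
    return hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()


def issue_key(user, report, now=None):
    """Issuing side (the web app): bind user, report and issue time together."""
    claims = {"iat": int(time.time() if now is None else now),
              "user": user, "report": report}
    payload = json.dumps(claims, sort_keys=True).encode()
    enc = base64.urlsafe_b64encode
    return enc(payload).decode() + "." + enc(_mac(payload)).decode()


def verify_key(key, report, now=None):
    """Report side: return the user if the key is authentic, fresh and was
    issued for this report; otherwise return None."""
    now = time.time() if now is None else now
    try:
        p64, m64 = key.split(".")
        payload = base64.urlsafe_b64decode(p64)
        mac = base64.urlsafe_b64decode(m64)
    except ValueError:  # wrong shape or invalid base64
        return None
    # Check the MAC before parsing; compare_digest is constant-time.
    if not hmac.compare_digest(mac, _mac(payload)):
        return None
    claims = json.loads(payload)
    age = now - claims["iat"]
    if age > MAX_AGE_SECONDS or age < -CLOCK_SKEW_SECONDS:
        return None  # expired, or stamped in the future
    if claims["report"] != report:
        return None  # issued for a different report
    return claims["user"]
```

A key verified this way can still be presented more than once inside its validity window, so the window should be as short as the redirect to the report allows.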
