nicoyamin

Reputation: 1

Integrating FormsAuthentication from ASP.NET in classic ASP

Recently I have been tasked with creating a single sign-on between two web sites with different domains. One runs under ASP.NET and the other under classic ASP. Since I have very little experience with ASP.NET (I'm a Java enthusiast) and ZERO experience in ASP (plus it is dated and I hate it for that), I'm encountering a lot of difficulties. The first one being: how to pass the authentication cookie coming from the ASP.NET web to the ASP web?

I found this article, which seems to describe exactly what I need:

http://www.santry.com/Blog/tabid/90/ID/1156/Creating-a-Single-Sign-on-for-ASPNET-Application-and-Legacy-ASP-Application-Part-II.aspx

But the problem is that it assumes a lot of previous knowledge of web development with the tools it uses (for instance, COM interoperability wrappers, APIs and such), and it's getting really hard to figure something out of it. However, I like the core idea of extracting the FormsAuthentication utilities and using them in legacy ASP.

So what I need is some guideline to achieve what is described in the link above in order to create at least a functional test (with functional meaning I can send credentials in a cookie from a dummy ASP.NET web and receive the cookie in a classic ASP form), or some alternative method to implement a single sign-on between these two sites.

One important thing to note is that I cannot do this via wildcard mappings because I have no access to IIS configuration.

Upvotes: 0

Views: 597

Answers (3)

nicoyamin

Reputation: 1

Well, it's not exactly what I was asking, but I found a nice article explaining how to transfer session state between ASP.NET and ASP and vice versa. It's simple, not all that elegant, but gets the work done. I have been able to quickly implement it and it worked wonders. Actually, I found two links:

I used the first one since I was in a hurry, and then added token-based authentication to improve security. So far, so good. Hope it helps.

Upvotes: 0

CLaFarge

Reputation: 1365

It might seem hacky, but I'd generate a GUID on login to either domain, and send that GUID to the other site in headers or post as they cross between sites. When the unauthenticated site sees the GUID, a lookup will allow it to determine the intended account. In fact, make it an MD5 of AccountID and DateTime and you'll have yourself a value that's highly unlikely to be mistaken for another user's.

Upvotes: 0
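
The cross-site handoff described in the answers above (a one-time value the second site looks up to find the account), as an added example that is not part of any answer; it is written in Python only to show the logic, which would be ported to each site's stack. It swaps the MD5 of AccountID and DateTime for a random value from the OS CSPRNG with single use and a short expiry, and it assumes both sites can reach a shared store; `HandoffStore`, `issue`, `redeem` and the 60-second lifetime are hypothetical.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 60  # assumed lifetime: the token only has to survive one redirect


class HandoffStore:
    """Stands in for a table both sites can reach (assumption: a shared database)."""

    def __init__(self, clock=time.time):
        self._rows = {}      # sha256(token) -> (account_id, expires_at)
        self._clock = clock  # injectable so expiry can be exercised without sleeping

    @staticmethod
    def _key(token):
        # Store only a digest, so a leaked table does not yield redeemable tokens.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, account_id):
        """Called by the site where the user is already logged in."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._rows[self._key(token)] = (account_id, expires_at)
        return token

    def redeem(self, token):
        """Called by the other site; returns the account id, or None if invalid."""
        try:
            key = self._key(token)
        except (UnicodeEncodeError, AttributeError):
            return None                   # not a value this store could have issued
        row = self._rows.pop(key, None)   # pop makes the token single-use
        if row is None:
            return None                   # unknown or already redeemed
        account_id, expires_at = row
        if self._clock() > expires_at:
            return None                   # expired before it was presented
        return account_id


if __name__ == "__main__":
    store = HandoffStore()
    token = store.issue("account-42")     # constructed sample account id
    print(store.redeem(token))            # first presentation
    print(store.redeem(token))            # replay of the same token
```

The receiving site sets its own session cookie only after `redeem` returns an account id, so the token itself never acts as a session.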

MvdD

Reputation: 23486

You will never be able to send authentication cookies received from one domain to a web site on another domain. The browser's same-origin policy will prevent this.

To make this work, you want to look into a Single Sign On (SSO) solution where both web applications get their authentication cookies from the same Security Token Service (STS).

This is easy for ASP.NET. Look into the System.IdentityModel namespace. I have no clue if this is also available for classic ASP.

Good luck.

Upvotes: 2
