Two sites - Security between ASP and ASP.NET

Last post 05-09-2007 8:33 AM by mori0043. 8 replies.


  • Two sites - Security between ASP and ASP.NET

    05-07-2007, 1:04 PM
    • Member
      168 point Member
    • mori0043
    • Member since 05-26-2006, 2:01 PM
    • Posts 66

    Hi, I have two sites. One site written in ASP on web server 1 and another site written in .NET on a separate web server 2. I have written a security function that accepts login and assigns role etc... I would like to incorporate the 1st website with this security. What is the best way to do this?

    For example: User visits site 1 on a restricted area (written in ASP) -> is then redirected to site 2 to login (ASP.NET) and is then redirected back if login is successful.

    Thanks in advance!

  • Re: Two sites - Security between ASP and ASP.NET

    05-07-2007, 1:33 PM
    • All-Star
      77,566 point All-Star
    • jeff@zina.com
    • Member since 09-26-2003, 10:43 AM
    • Naples, FL, USA
    • Posts 10,552
    • Moderator
      TrustedFriends-MVPs

    The best way to do this would be to use Windows login accounts.  Those can be shared by both ASP and ASP.NET.  Second best would be to convert your ASP to ASP.NET.

    You can't share sessions, you could use cookies but they come with their own problems, and you could pass the login information on a query string, again with its own problems.  But there's no simple method for a single sign-on to ASP and ASP.NET and not using Windows accounts.

    Jeff

    Blatant Self Promotion: ASP.NET 3.5 CMS Development
  • Re: Two sites - Security between ASP and ASP.NET

    05-07-2007, 1:54 PM
    • Member
      168 point Member
    • mori0043
    • Member since 05-26-2006, 2:01 PM
    • Posts 66

    Thanks for the answer Jeff!

    Just so I understand correctly. Once I have logged into my ASP.NET site, there is no way that I can pass the information onto my ASP site except through cookies?

    What are the problems with cookies? Can I not encrypt the information?

    Thanks in advance

  • Re: Two sites - Security between ASP and ASP.NET

    05-07-2007, 3:49 PM
    • Member
      168 point Member
    • mori0043
    • Member since 05-26-2006, 2:01 PM
    • Posts 66

    What if I could move both the ASP pages onto the web server that contains the .net pages. What would be the best way to use the security then?

    Thanks in advance

  • Re: Two sites - Security between ASP and ASP.NET

    05-07-2007, 5:44 PM
    • All-Star
      77,566 point All-Star
    • jeff@zina.com
    • Member since 09-26-2003, 10:43 AM
    • Naples, FL, USA
    • Posts 10,552
    • Moderator
      TrustedFriends-MVPs

    Cookies aren't the only way.  You could store logged in status in a database.  Or a text file.  Cookies are just convenient.  But you have to deal with cookie expirations, whether or not a user allows cookies, how to set logged in status in a cookie regardless of the app; there can be a lot of things to figure out.

    Whether the apps are on the same server or not isn't the issue, but it helps to have them on the same IIS installation or domain.

    Jeff

    Blatant Self Promotion: ASP.NET 3.5 CMS Development
  • Re: Two sites - Security between ASP and ASP.NET

    05-08-2007, 8:23 AM
    • Member
      168 point Member
    • mori0043
    • Member since 05-26-2006, 2:01 PM
    • Posts 66

    Would you be able to direct me to a tutorial or documentation that would help out? I need to implement a solution very soon so I am looking for a good way but also an easy way...

    1. I think that storing the logged in status in the database would be the easiest way but I don't see how the user session would end?

    2. I have my ASP.NET site creating a FormsAuthenticationTicket and storing it in a cookie. Is there no way in ASP to grab this information?

    Thanks again!

  • Re: Two sites - Security between ASP and ASP.NET

    05-08-2007, 10:31 AM
    • Member
      168 point Member
    • mori0043
    • Member since 05-26-2006, 2:01 PM
    • Posts 66

    This sounds like a good possibility http://archive.devx.com/security/articles/ps0602/ps0602.asp but unfortunately I only have https on one of the sites (.net site). I wonder if this is secure enough or do I have to have https on both sites? Hmmmm

    Any ideas?

  • Re: Two sites - Security between ASP and ASP.NET

    05-08-2007, 4:37 PM
    Answer
    • All-Star
      77,566 point All-Star
    • jeff@zina.com
    • Member since 09-26-2003, 10:43 AM
    • Naples, FL, USA
    • Posts 10,552
    • Moderator
      TrustedFriends-MVPs

    1.  That's the tough issue.  Timing out the session and updating the database are going to be problematic.

    2.  You should be able to set and read cookies from both.  Whether ASP can use the FormsAuthenticationTicket or not is something I can't answer.  The two issues with simply setting a cookie and reading that for logged in status are encryption/spoofing and clients accepting cookies.  You can always expire a cookie to log someone out after a time period.

    There is another option that might work, running the ASP app inside an IFRAME on an ASP.NET page.  Not sure if your app would allow that or not.

    Jeff

    Blatant Self Promotion: ASP.NET 3.5 CMS Development
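
    Added example (not code from this thread or from ASP.NET itself): one way to handle the spoofing and expiry concerns raised in the answer above is to put a signed, expiring token in the shared cookie, so that either site can verify it with a shared secret key. The class name, method names and token layout are assumptions made for illustration; this is not the FormsAuthenticationTicket format, and the classic ASP side would need the same HMAC-SHA256 check, for example through a COM component.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example. Token = base64(user|role|expiryUnixSeconds) + "." + base64(HMAC-SHA256).
// This layout is an assumption for illustration, not the FormsAuthenticationTicket format.
public static class SharedLoginToken
{
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    static byte[] Mac(byte[] key, string payload)
    {
        using (var hmac = new HMACSHA256(key))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }

    public static string Issue(byte[] key, string user, string role, DateTime expiresUtc)
    {
        if (user.Contains("|") || role.Contains("|"))
            throw new ArgumentException("'|' is the field separator");
        long exp = (long)(expiresUtc - Epoch).TotalSeconds;
        string payload = Convert.ToBase64String(Encoding.UTF8.GetBytes(user + "|" + role + "|" + exp));
        return payload + "." + Convert.ToBase64String(Mac(key, payload));
    }

    // False for a malformed, tampered or expired token.
    // The payload is parsed only after the MAC has been verified.
    public static bool TryValidate(byte[] key, string token, DateTime nowUtc,
                                   out string user, out string role)
    {
        user = null; role = null;
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 2) return false;
        byte[] expected = Mac(key, parts[0]), actual;
        try { actual = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return false; }
        int diff = expected.Length ^ actual.Length;      // constant-time comparison
        for (int i = 0; i < expected.Length && i < actual.Length; i++)
            diff |= expected[i] ^ actual[i];
        if (diff != 0) return false;
        string[] f = Encoding.UTF8.GetString(Convert.FromBase64String(parts[0])).Split('|');
        long exp;
        if (f.Length != 3 || !long.TryParse(f[2], out exp)) return false;
        if ((nowUtc - Epoch).TotalSeconds >= exp) return false;   // expired
        user = f[0]; role = f[1];
        return true;
    }
}
```

    Base64 output can contain `+`, `/` and `=`, so URL-encode the token when writing it to the cookie. The signature prevents tampering but does not hide the user name or role, and the cookie is only protected in transit when both sites are served over HTTPS.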
  • Re: Two sites - Security between ASP and ASP.NET

    05-09-2007, 8:33 AM
    • Member
      168 point Member
    • mori0043
    • Member since 05-26-2006, 2:01 PM
    • Posts 66

    I think that I am just going to move all of the ASP code over to the same server so they will both be on HTTPS and then pass cookies back and forth. Thanks for your help. And by the way the asp app inside of an iframe is an interesting solution. I am curious if it would work?