468,284 Members | 1,549 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 468,284 developers. It's quick & easy.

how can I transfer the login information from classic asp to asp.net, without exposing the password?

I need to open a asp.net web form from a classic asp page, and pass a
username and password to the asp.net page. The username and password exist
as session variables in the classic asp application.

I can't put the password in the classic asp page form as a hidden field and
submit it, because someone can view source and see the password.

This is a security problem I encounter in a mixed classic asp and asp.net
environment. I don't want to force the users to log in again when they
access the asp.net pages, but how can I transfer the login information from
classic asp to asp.net, without exposing the password? The client doesn't
want integrated security, which would fix everything.

Thanks
Bill
Nov 19 '05 #1
3 1886
Same q was posted by some one yesterday...

One way to handle this is by using a DB driven custom session management (to
keep user information). A single cookie will identify the user(and thus an
entry in DB) from both .NET and ASP pages.

Google for "Session sharing between asp and asp.net"

HTH


"bill" wrote:
I need to open a asp.net web form from a classic asp page, and pass a
username and password to the asp.net page. The username and password exist
as session variables in the classic asp application.

I can't put the password in the classic asp page form as a hidden field and
submit it, because someone can view source and see the password.

This is a security problem I encounter in a mixed classic asp and asp.net
environment. I don't want to force the users to log in again when they
access the asp.net pages, but how can I transfer the login information from
classic asp to asp.net, without exposing the password? The client doesn't
want integrated security, which would fix everything.

Thanks
Bill

Nov 19 '05 #2
Are both applications in the same domain? You could use a cookie to
represent an authenticated user. Both applications will interpret and
honor the cookie.

--
Scott
http://www.OdeToCode.com/blogs/scott/

On Fri, 7 Oct 2005 11:24:27 -0400, "bill" <be****@datamti.com> wrote:
I need to open a asp.net web form from a classic asp page, and pass a
username and password to the asp.net page. The username and password exist
as session variables in the classic asp application.

I can't put the password in the classic asp page form as a hidden field and
submit it, because someone can view source and see the password.

This is a security problem I encounter in a mixed classic asp and asp.net
environment. I don't want to force the users to log in again when they
access the asp.net pages, but how can I transfer the login information from
classic asp to asp.net, without exposing the password? The client doesn't
want integrated security, which would fix everything.

Thanks
Bill


Nov 19 '05 #3
bill wrote:
I need to open a asp.net web form from a classic asp page, and pass a
username and password to the asp.net page. The username and password exist
as session variables in the classic asp application.

I can't put the password in the classic asp page form as a hidden field and
submit it, because someone can view source and see the password.

This is a security problem I encounter in a mixed classic asp and asp.net
environment. I don't want to force the users to log in again when they
access the asp.net pages, but how can I transfer the login information from
classic asp to asp.net, without exposing the password? The client doesn't
want integrated security, which would fix everything.

Thanks
Bill

Hi Bill,

My current version of this uses four pages, and still might flash the
password briefly in the status bar:

Home.htm (actually an ASP classic page) has the login form on it. It
submits to Services/Login.asp using POST.

Login.asp has a response.Redirect to Services/Login.aspx, which pushes
the parameters into the query string (since I can't seem to POST
directly to Login.aspx.

Login.aspx performs the authentication. It then redirects to Home.htm
(passing parameters by query string to say why the login failed), or to
the Service homepage (if they logged in succesfully and they are only a
member of one service), or to Services/SelectService.aspx (if they are
authorised to use multiple services). Importantly, the user never
remains on this page (since in that case, the password would appear in
the address bar)

I know this probably doesn't directly help you, but hopefully provides
some food for thought?

Damien

Nov 19 '05 #4

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

5 posts views Thread by Phillip Armitage | last post: by
reply views Thread by aure_bobo | last post: by
1 post views Thread by EricRybarczyk | last post: by
reply views Thread by daokfella | last post: by
2 posts views Thread by MrBee | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.