Safest way to pass data between web apps?


J. Shane Kunkle

I have an ASP.NET application that uses Windows authentication. We need to
loosely integrate another web application (written in ColdFusion - hosted
on another server) with my app (Loosely = provide a link to their app and
they will link to ours). Both systems use the same user information so once
they are authenticated by my app we would like to pass their information to
the other app to avoid making users log in two (or more) times.

Obviously these parameters rule out a few things (session, cache, etc) - we
do share a database but this seems like overkill to me. As far as I know
Server.Transfer only works between web forms. My last resort is to use the
query string with encrypted data - but I'm trying to avoid this for obvious
reasons.

Any advice or direction is appreciated! Thanks in advance,
J. Shane Kunkle
(e-mail address removed)
 

gaidar

Try to use a web service to pass information about the user between
web applications. For example, a logged-in user goes to another
web site using some link. At that time you should create a temporary record
in the database with user info (login, ID, etc.) - for this info you
should create a temporary ID and pass it through the URL to the other web app.
That app should call your web service and get all the information from the database.

If you can't pass anything in the URL or want users to be logged in automatically
even if they just type the URL of the other site in another browser
window, then use permanent cookie files (this will work only if both
applications have URLs in one domain).

Gaidar
 

Paul Glavich [MVP ASP.NET]

I don't think the DB is overkill at all. In fact, I think it is probably the
most efficient, and safest method to do so. It's faster than reposting the
data across to the other app and the "receiving" app can extract only the
information it requires as needed, as opposed to having to send all the
information, just in case the app requires it.
 

gaidar

Hi, Paul,

Yeah, but if there is a way to use one database. Anyway, you should pass the user
ID between the two web applications.

Gaidar
 

Paul Glavich [MVP ASP.NET]

Or simply a generated/custom session ID.

The less user-specific info you can pass the better IMHO. A user ID is easy
to spoof. A GUID-like session ID is much harder (in terms of relating it to
a set of information as it's just an arbitrary ID/number).

From your last email, it sounded like you had a common database. Anyways,
the most secure is using a certificate-based approach I think. Use an
asymmetric algorithm and the public key to encrypt the data, stuff it into a
form which you post to the receiving application, the receiving application
can decrypt with the private key after extracting the encrypted values from
the form.

--

- Paul Glavich
ASP.NET MVP
ASPInsider (www.aspinsiders.com)
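
Added example, not part of any post in this thread: a sketch of the hand-off the replies describe, where the sending app stores a temporary record in the shared database and passes only an arbitrary, unguessable ID to the receiving app. It goes one step further than the thread by making the ID single-use and short-lived. Python is used as neutral ground between the ASP.NET and ColdFusion sides; the function names, the table layout, the 60-second lifetime and the in-memory SQLite database are assumptions for illustration.

```python
import hashlib
import secrets
import sqlite3
import time

TTL_SECONDS = 60  # assumed lifetime; the thread does not specify one


def open_store():
    """In-memory SQLite stands in for the database both apps share."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE handoff (token_hash TEXT PRIMARY KEY, "
        "user_login TEXT NOT NULL, expires_at REAL NOT NULL)"
    )
    return db


def _digest(token):
    # Store only a hash so reading the table does not yield usable tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(db, user_login, now=None):
    """Sending app: call after authentication, just before the redirect."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    db.execute(
        "INSERT INTO handoff VALUES (?, ?, ?)",
        (_digest(token), user_login, now + TTL_SECONDS),
    )
    db.commit()
    return token  # the only value that travels in the URL or form post


def redeem_token(db, token, now=None):
    """Receiving app: returns the login once, then the token is dead."""
    now = time.time() if now is None else now
    h = _digest(token)
    row = db.execute(
        "SELECT user_login, expires_at FROM handoff WHERE token_hash = ?", (h,)
    ).fetchone()
    # Always delete; rowcount == 1 means this caller consumed the record.
    cur = db.execute("DELETE FROM handoff WHERE token_hash = ?", (h,))
    db.commit()
    if row is None or cur.rowcount != 1 or now > row[1]:
        return None
    return row[0]
```

Because no user data is in the token, a copied or logged URL reveals nothing about the account, and a replay after the first redemption or after expiry returns nothing.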
 
