Safest way to pass data between web apps?

Discussion in 'ASP .Net Security' started by J. Shane Kunkle, Mar 11, 2005.

  1. I have an ASP.NET application that uses Windows authentication. We need to
    loosely integrate another web application (written in ColdFusion - hosted
    on another server) with my app (Loosely = provide a link to their app and
    they will link to ours). Both systems use the same user information so once
    they are authenticated by my app we would like to pass their information to
    the other app to avoid making users log in two (or more) times.

    Obviously these parameters rule out a few things (session, cache, etc.) - we
    do share a database but this seems like overkill to me. As far as I know
    Server.Transfer only works between web forms. My last resort is to use the
    query string with encrypted data - but I'm trying to avoid this for obvious
    reasons.

    Any advice or direction is appreciated! Thanks in advance,
    J. Shane Kunkle
     
    J. Shane Kunkle, Mar 11, 2005
    #1

  2. gaidar Guest

    Try using a web service to pass information about the user between
    web applications. For example, a logged-in user goes to another
    web site using some link. At that time you should create a temporary record
    in the database with the user info (login, id, etc.) - for this info you
    should create a temporary ID and pass it through the URL to the other web app.
    That app should call your web service and get all the information from the database.

    If you can't pass anything in the URL, or want users to be logged in automatically
    even if they just type the URL of the other site in another browser
    window, then use permanent cookie files (this will work only if both
    applications have URLs in one domain).

    Gaidar

     
    gaidar, Mar 12, 2005
    #2

  3. I don't think the DB is overkill at all. In fact, I think it is probably the
    most efficient, and safest method to do so. It's faster than reposting the
    data across to the other app and the "receiving" app can extract only the
    information it requires as needed, as opposed to having to send all the
    information, just in case the app requires it.

    --

    - Paul Glavich
    ASP.NET MVP
    ASPInsider (www.aspinsiders.com)


     
    Paul Glavich [MVP ASP.NET], Mar 13, 2005
    #3
  4. gaidar Guest

    Hi, Paul,

    Yeah, but if there is a way to use one database. Anyway, you should pass the user
    ID between the two web applications.

    Gaidar

     
    gaidar, Mar 13, 2005
    #4
  5. Or simply a generated/custom session ID.

    The less user-specific info you can pass the better IMHO. A user ID is easy
    to spoof. A GUID-like session ID is much harder (in terms of relating it to
    a set of information, as it's just an arbitrary ID/number).

    From your last email, it sounded like you had a common database. Anyways,
    the most secure is using a certificate-based approach I think. Use an
    asymmetric algorithm and the public key to encrypt the data, stuff it into a
    form which you post to the receiving application, the receiving application
    can decrypt with the private key after extracting the encrypted values from
    the form.

    --

    - Paul Glavich
    ASP.NET MVP
    ASPInsider (www.aspinsiders.com)


    Paul Glavich [MVP ASP.NET], Mar 14, 2005
    #5
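
Added example (not part of the thread and not any poster's code): a Python sketch of the hand-off described in posts #2 and #5, where the authenticating app stores the user's details under a random, short-lived, single-use ticket and only that ticket travels in the URL. The `HandoffStore` class, the 60-second lifetime and the sample user are assumptions; the in-memory dict stands in for the shared database or the web-service lookup.

```python
import hashlib
import secrets
import time

TICKET_TTL_SECONDS = 60  # assumed lifetime; the thread does not specify one


class HandoffStore:
    """Stands in for the shared database table (hypothetical schema)."""

    def __init__(self, clock=time.time):
        self._rows = {}  # sha256(ticket) -> (user_info, expires_at)
        self._clock = clock

    def issue(self, user_info):
        """Called by the authenticating app just before it links the user across."""
        ticket = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Store only a hash, so reading the table does not yield usable tickets.
        key = hashlib.sha256(ticket.encode()).hexdigest()
        self._rows[key] = (dict(user_info), self._clock() + TICKET_TTL_SECONDS)
        return ticket  # the only value that goes into the URL

    def redeem(self, ticket):
        """Called server-side by the receiving app; returns user info or None."""
        key = hashlib.sha256(ticket.encode()).hexdigest()
        row = self._rows.pop(key, None)  # pop makes the ticket single use
        if row is None:
            return None  # unknown, guessed or already redeemed
        user_info, expires_at = row
        if self._clock() > expires_at:
            return None  # expired before it was redeemed
        return user_info


def demo():
    now = [1_000_000.0]  # constructed clock so expiry can be shown offline
    store = HandoffStore(clock=lambda: now[0])
    user = {"login": "jdoe", "id": 42}  # constructed sample user
    t1 = store.issue(user)
    first = store.redeem(t1)      # legitimate redemption
    replay = store.redeem(t1)     # same ticket presented again
    guessed = store.redeem("42")  # a bare user id is not a valid ticket
    t2 = store.issue(user)
    now[0] += TICKET_TTL_SECONDS + 1
    expired = store.redeem(t2)    # redeemed after the lifetime has passed
    return first, replay, guessed, expired


if __name__ == "__main__":
    print(demo())
```

The receiving app never trusts anything in the URL except as a lookup key, so a copied or bookmarked link stops working after the first redemption or after the lifetime expires.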