how can I transfer the login information from classic asp to asp.net, without exposing the password?

bill

I need to open an asp.net web form from a classic asp page, and pass a
username and password to the asp.net page. The username and password exist
as session variables in the classic asp application.

I can't put the password in the classic asp page form as a hidden field and
submit it, because someone can view source and see the password.

This is a security problem I encounter in a mixed classic asp and asp.net
environment. I don't want to force the users to log in again when they
access the asp.net pages, but how can I transfer the login information from
classic asp to asp.net, without exposing the password? The client doesn't
want integrated security, which would fix everything.

Thanks
Bill
 
Guest

Same q was posted by someone yesterday...

One way to handle this is by using a DB driven custom session management (to
keep user information). A single cookie will identify the user (and thus an
entry in DB) from both .NET and ASP pages.

Google for "Session sharing between asp and asp.net"

HTH
 
Scott Allen

Are both applications in the same domain? You could use a cookie to
represent an authenticated user. Both applications will interpret and
honor the cookie.
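
The shared cookie backed by a database session table, as suggested in the two replies above, sketched as an added example that is not code from any poster in this thread. In-memory SQLite stands in for the database both applications share; the table name, function names and 20-minute lifetime are assumptions, and Python is used only so the logic runs as written (the classic ASP and ASP.NET pages would each issue the same queries).

```python
import hashlib
import secrets
import sqlite3
import time

SESSION_TTL = 20 * 60  # seconds; assumed session lifetime

def open_store():
    # In-memory SQLite stands in for the database shared by both applications.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE shared_session (token_hash TEXT PRIMARY KEY, "
               "username TEXT NOT NULL, expires REAL NOT NULL)")
    return db

def _hash(token):
    # Only a hash of the cookie value is stored, so a leaked table cannot be replayed.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def issue_session(db, username, now=None):
    """Classic ASP side: call once, after the password has been verified at login."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # random and opaque: no username, no password
    db.execute("INSERT INTO shared_session VALUES (?, ?, ?)",
               (_hash(token), username, now + SESSION_TTL))
    db.commit()
    return token  # cookie value; send it with the Secure and HttpOnly attributes

def resolve_session(db, token, now=None):
    """ASP.NET side: map the cookie value back to a username, or None."""
    now = time.time() if now is None else now
    row = db.execute("SELECT username, expires FROM shared_session "
                     "WHERE token_hash = ?", (_hash(token or ""),)).fetchone()
    if row is None or row[1] <= now:
        return None  # unknown, forged or expired cookie: user must log in
    return row[0]

def end_session(db, token):
    """Logout from either application ends the session for both."""
    db.execute("DELETE FROM shared_session WHERE token_hash = ?", (_hash(token),))
    db.commit()

if __name__ == "__main__":
    db = open_store()
    cookie = issue_session(db, "bill")  # constructed sample user
    print(resolve_session(db, cookie))
    print(resolve_session(db, "forged-value"))
    end_session(db, cookie)
    print(resolve_session(db, cookie))
```

The password never leaves the login page that checked it; the only value that crosses between the two applications is the random cookie.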
 
Damien

bill said:
I need to open an asp.net web form from a classic asp page, and pass a
username and password to the asp.net page. The username and password exist
as session variables in the classic asp application.

I can't put the password in the classic asp page form as a hidden field and
submit it, because someone can view source and see the password.

This is a security problem I encounter in a mixed classic asp and asp.net
environment. I don't want to force the users to log in again when they
access the asp.net pages, but how can I transfer the login information from
classic asp to asp.net, without exposing the password? The client doesn't
want integrated security, which would fix everything.

Thanks
Bill

Hi Bill,

My current version of this uses four pages, and still might flash the
password briefly in the status bar:

Home.htm (actually an ASP classic page) has the login form on it. It
submits to Services/Login.asp using POST.

Login.asp has a response.Redirect to Services/Login.aspx, which pushes
the parameters into the query string (since I can't seem to POST
directly to Login.aspx).

Login.aspx performs the authentication. It then redirects to Home.htm
(passing parameters by query string to say why the login failed), or to
the Service homepage (if they logged in successfully and they are only a
member of one service), or to Services/SelectService.aspx (if they are
authorised to use multiple services). Importantly, the user never
remains on this page (since in that case, the password would appear in
the address bar).

I know this probably doesn't directly help you, but hopefully provides
some food for thought?

Damien
 
