Transfer data across web sites other than using Querystring.

[SSirica]

Ok I need some help.  Can seem to ever get a question answered over at the other site.

I have 2 asp.net vb.net web apps.  We'll call them appA & appB.  Both have logins.  appB is accessible from appA via a button press.  When a user is sucessfully logged into appA I don't want them to have to log into appB.

What I'm trying to do is launch appB and bypass the login by passing in some unique data from appA to appB.  I know I can do this by using response.redirect or server.transfer with "http://localhost/appB/default.apsx?key=xxx", but passing data via the query string is a huge security risk.  

I've already tried webclient, and that was useless.  Bottomline is I'm looking for a way to launch appB and pass it some hidden data.  Any ideas?

[rdivilbiss]

You do not want to (can not safely) pass authentication information between the applications.

The only safe way to do this is to use an authentication manager.  Instead of (or in addition to) logging into either application, the client authenticates to the authentication manager and is issued a token.

The applications must be able to accept the token from a user and then query the authentication manager to determine if the token (user) is valid (authenticated).

The application is then responsible for determining what permissions the user has in that application.

When a user accesses a protected application that uses the authentication manager, that application redirects the user to the authentication manager. Once the authentication manager has verified a user's identity, it forwards them back to the original application. The authentication manager attaches a unique ticket number to the URL of the protected application. The protected application sees this ticket. It sends this ticket to the authentication manager. The authentication manager tells the protected application whether the ticket is valid and if so, the user ID that was used to obtain the ticket. The protected application reacts accordingly, allowing access if the ticket is valid.

When you log into the authentication manager (say https://www.domain.net/login/) a cookie is saved in your browser. This cookie contains a unique ticket number that identifies you to the the authentication manager application. Every time you access https://www.domain.net/login/ after you are logged in, your browser automatically transmits this cookie to the application manager application. The authentication manager reads the cookie, looks up the ticket in its database, and identifies you.

The protected applications behave a little differently. Say you access http://www.domain.net/application1/.  When you load up that page, the page requires that you be logged into the authentication manager to access it. How does this work? The page redirects you to

Code:

https://www.domain.net/login?app=http://www.domain.net/application1/

Once the authentication manager has verified the user is logged in, it sends the user back to the URL specified in the app parameter with a ticket appended to the URL, like

Code:

http://www.domain.net/application1?ticket=McPZ4NKfx6S0EhnCEkHc

The protected application retrieves that the ticket parameter and queries the authentication manager:

Code:

https://www.domain.net/login/validate=McPZ4NKfx6S0EhnCEkHc&app=http://www.domain.net/application1/

The authentication manager server replies with a message that describes the ticket. In describing the ticket, the authentication manager would at a minimum state if the ticket is valid (the user is logged in) and provide the username associated with the ticket.

In short, when a user requests access to an application that is protected by the authentication manager, that user gets whisked away to the the authentication manager application. Once they are logged in, the client is returned to the application with a unique service ticket. This is a personalized ticket, good for only one use, and a short period of time that will gain you access into the application. The the authentication manager application independently communicates with the application manager application to verify this ticket and if everything checks out, it lets the user in.

Code:

<%
Dim authApp
authApp = "www.domain.net/login"

'Declare additional variables used for redirect
Dim protocol ' (http or https)
Dim protectedAppURL
Dim userID

'Determine the protocol for the originitating page
if Request.ServerVariables("HTTPS") = "off" then
protocol = "http"
else
protocol = "https"
end if

'Construct the protectedAppURL variable based on ServerVariables
protectedAppURL = protocol & "://" & Request.ServerVariables("HTTP_HOST") & Request.ServerVariables("URL")

'Check to see if the 'ticket' variable was passed via the query string
if Request.QueryString("ticket") = "" then
'If no, then redirect to the application manager
Response.Redirect("https://" & authApp & "/login?app=" & protectedAppURL)
else
'If yes, create MSXML object and attempt to validate the ticket
Dim xmlhttp, ticket, authMgrResponse, authMgrResponseArray

' shoud filter for bad input here!!!
ticket = Request.QueryString("ticket")

Set xmlhttp = Server.CreateObject("Msxml2.ServerXMLHTTP")
xmlhttp.open "GET", "https://" & authApp & "/validate?ticket="+ ticket +"&app=" & protectedAppURL, false

xmlhttp.send
authMgrResponse = xmlhttp.responseText
authMgrResponseArray = Split(authMgrResponse, Chr(10), -1, 1)
' yes = validate, no = not validated
if authMgrResponseArray(0) = "no" then
Response.Redirect("https://" & authApp & "/login?app=" & protectedAppURL)
else
userID = authMgrResponseArray(1)
'Response.write userID
end if
end if
%>

If your application has an existing login, you can modify the login to use the authentication manager (best) or modify it to ALSO accept tickets and use the authentication manager.

The authentication manager needs to verify the ticket is not expired (time limit). That time limit only needs to be long enough for both the protected application to respond and the authentication manager to validate the ticket...(milliseconds).

In .NET the first time a page is called, (which has not been  precomiled and cached) the delay can be several seconds, so you ticket timeout should be large enough to support that for both the original app and the authentication manager app.



[/list]

[SSirica]

Thanks Rod, but that's way over kill.  The login aspect of my scenario is secondary.  I'm not worried about that for this particular scenario.  What I'm really after is just a method to launch a second browser window and pass it some data other than to include in the URL via a querystring?

I'll have to give your authentication manager scenario a closer look.  I think it might come in handy for another couple of apps I have in the hopper.  That'll be a big help down the line.

Steve

[rdivilbiss]

Say your existing app uses Session("userid") to determine if a person is logged in.

(classic ASP but you can translate)

Code:

<%
if not Session("userid") then
   response.redirect(login.aspx?page=thisPage.aspx)
else
   authhorization=getAuthByUser(Session("userid"))
end if
%>

you do only need to change that to append the ticket parameter (if it exists).

Code:

<%
if not Session("userid") then
   response.redirect(login.aspx?page=thisPage.aspx&ticket="&request.querystring("ticket"))
else
   authhorization=getAuthByUser(Session("userid"))
end if
%>

In your existing login page check for the ticket parameter.

If it exists, query the authentication manager app and set Session("userid")=authMgrResponseArray(1).

If there is no ticket parameter you can use the existing login process, or (better) replace the existing login process  to use the authentication manager app.

Also, your authentication manager app must only accept queries from a list of known applications originating from known IPs.

[rdivilbiss]

Thanks Rod, but that's way over kill.  The login aspect of my scenario is secondary.  I'm not worried about that for this particular scenario.  What I'm really after is just a method to launch a second browser window and pass it some data other than to include in the URL via a querystring?

It seems harder than it is, and the mods to the existing login process are minimal.

The only (existing) methods you have to pass information between browser windows are subject to cross domain limitations (i.e. shared cookies won't help) or are easy to intercept and modify using a HTTP header inspector...think Firefox with the Tamper Data or Web Developer plugins.  Which is why I think you probably got little help at TOS.

The application manager app can be as simple as two pages.

One login page which can access the user database for all applications and issue tickets and one page which is essentially a simple web service to determine is a ticket is valid and return the userid.

In a highly secure environment, the auth mgr should be on a separate server and use PKI certificates to verify the transactions between itself and the applications.

In your simple scenario it is simply a go between for the existing login process for both applications.  e.g. issues one time tickets and provides validation.

[Chrigou2]

Hello SSirica,

Here you can find maybe what you want:
http://www.tele-pro.co.uk/scripts/xsess/index.htm

Thank's to rdivilbiss for this nice answer, It's a long time I try to find this solution !

[rdivilbiss]

Thank's to rdivilbiss for this nice answer, It's a long time I try to find this solution !

You're welcome!

[SSirica]

All the info was very helpfull.  Thanks to everybody.