Sharing login-system between classic ASP and ASP.Net

Question

A client uses classic ASP to log in to their web based backoffice.

I have written a new ASP.Net app to be included in the backoffice, and I need to utilize the already existing login-system, so that when they are logged in there, they don't need to log in again in the new ASP.Net app.

Logins and passwords are stored as clear text in a SQL Server db, that I can access from my ASP.Net app.

What would be an effective way to integrate these systems?

My current best idea is: In the link to my ASP.Net app, I link to a "gateway" login-page with their userid and a hashed password + common secret in the querystring. I then compare this to the password of the user in the database... But the problem is, that if this querystring is intercepted, it can be used to access the asp.net site, without actually knowing the username and password...

I am most likely overlooking something simple.

Answer 1

I think your idea is on the right path.

As you probably already know, classic asp and asp.net cannot share the same session state, so you do need to have a mechanism to log from one into the other.

What I would do is: when someone logs in, create a unique GUID that you save in the database for that user. When you jump from one site to the other, pass that GUID into the query string. When you try to auto-log them into the other site, look up that GUID and see if it's attached to anyone. If it is, log them in.

This way you aren't passing anything that a user could guess or decrypt.