ASP Login page for ASP.NET Application

asp-classicasp.net

In my work place, we have several classic ASP and ASP.NET application.

All these application though doing different works are integrated through a single sign on mode, which is handled by one main application.

The main application is in classic ASP and verifies the userid and password initially and then stores the UserID in a session variable, which is then used by all other ASP and ASP.NET page as a valid Authenticated user. (For DOT NET pages we use session bridging)

Is this how authentication is done is classic ASP? (I dont know classic ASP much)

From the time I was introduced to this setup, I started to worry whether this setup is flawless? Is there any better way to handle the same ?

Will it be possible to authenticate for both classic asp and DOT NET in the same login page?

Best Solution

In my Classic ASP applications I have always done roughly what you describe. When the user uses the login page their credentials are authenticated and then User ID and other relevant information is stored to the session cookie.

The potential flaw in this approach is that in theory a user can alter their session cookie locally so when they make requests to your application they appear to be another user which is a security risk. The way I usually get around this is that when I store the User info in the session cookie I generate an authentication code based on this information and some hidden salting information (specifically I build a string of info and hash it with SHA256).

Then you can regularly recheck the authentication code to see if it matches the expected code for that user, should the cookie be altered in any way the authentication code will no longer match the expected code and the user gets booted out.

The main issue you might have in doing something similar is finding implementations of Hashing algorithms in both ASP and ASP.Net that give the same hashed value for a given output string - or making sure you convert appropriately.

Personally I've used Frez's free SHA256 implementation for classic ASP http://www.frez.co.uk/vb6.aspx which returns the result as a 64 character hex encoded lower case string while for ASP.Net I've used System.Security.Cryptography.SHA256Managed http://msdn.microsoft.com/en-us/library/system.security.cryptography.sha256managed.aspx which returns the result as the same but upper case (with a bit of work involved - see example below). So all you need is a simple case conversion call.

Function SHA256(ByVal input As String)
    Dim bytInput() As Byte
    Dim bytHash() As Byte
    Dim objBuilder As New StringBuilder
    Dim objCrypto As New SHA256Managed
    Dim intI As Integer

    bytInput = Encoding.ASCII.GetBytes(input)
    objCrypto = New SHA256Managed()
    bytHash = objCrypto.ComputeHash(bytInput)

    For intI = 0 To UBound(bytHash)
        objBuilder.Append(Hex(bytHash(intI)))
    Next

    Return objBuilder.ToString()
End Function

Website:

The Web Site project is compiled on the fly. You end up with a lot more DLL files, which can be a pain. It also gives problems when you have pages or controls in one directory that need to reference pages and controls in another directory since the other directory may not be compiled into the code yet. Another problem can be in publishing.

If Visual Studio isn't told to re-use the same names constantly, it will come up with new names for the DLL files generated by pages all the time. That can lead to having several close copies of DLL files containing the same class name, which will generate plenty of errors. The Web Site project was introduced with Visual Studio 2005, but it has turned out not to be popular.

Web Application:

The Web Application Project was created as an add-in and now exists as part of SP 1 for Visual Studio 2005. The main differences are the Web Application Project was designed to work similarly to the Web projects that shipped with Visual Studio 2003. It will compile the application into a single DLL file at build time. To update the project, it must be recompiled and the DLL file published for changes to occur.

Another nice feature of the Web Application project is it's much easier to exclude files from the project view. In the Web Site project, each file that you exclude is renamed with an excluded keyword in the filename. In the Web Application Project, the project just keeps track of which files to include/exclude from the project view without renaming them, making things much tidier.

Reference

The article ASP.NET 2.0 - Web Site vs Web Application project also gives reasons on why to use one and not the other. Here is an excerpt of it:

You need to migrate large Visual Studio .NET 2003 applications to VS 2005? use the Web Application project.

You want to open and edit any directory as a Web project without creating a project file? use Web Site project.

You need to add pre-build and post-build steps during compilation? use Web Application project.

You need to build a Web application using multiple Web projects? use the Web Application project.

You want to generate one assembly for each page? use the Web Site project.

You prefer dynamic compilation and working on pages without building entire site on each page view? use Web Site project.

You prefer single-page code model to code-behind model? use Web Site project.

Web Application Projects versus Web Site Projects (MSDN) explains the differences between the web site and web application projects. Also, it discusses the configuration to be made in Visual Studio.

I just discovered why all ASP.Net websites are slow, and I am trying to work out what to do about it

If your page does not modify any session variables, you can opt out of most of this lock.

<% @Page EnableSessionState="ReadOnly" %>

If your page does not read any session variables, you can opt out of this lock entirely, for that page.

<% @Page EnableSessionState="False" %>

If none of your pages use session variables, just turn off session state in the web.config.

<sessionState mode="Off" />

I'm curious, what do you think "a ThreadSafe collection" would do to become thread-safe, if it doesn't use locks?

Edit: I should probably explain by what I mean by "opt out of most of this lock". Any number of read-only-session or no-session pages can be processed for a given session at the same time without blocking each other. However, a read-write-session page can't start processing until all read-only requests have completed, and while it is running it must have exclusive access to that user's session in order to maintain consistency. Locking on individual values wouldn't work, because what if one page changes a set of related values as a group? How would you ensure that other pages running at the same time would get a consistent view of the user's session variables?

I would suggest that you try to minimize the modifying of session variables once they have been set, if possible. This would allow you to make the majority of your pages read-only-session pages, increasing the chance that multiple simultaneous requests from the same user would not block each other.

Best Solution

Related Solutions

.net – ASP.NET Web Site or ASP.NET Web Application

Website:

Web Application:

I just discovered why all ASP.Net websites are slow, and I am trying to work out what to do about it

Related Question