ASP Login page for ASP.NET Application

In my work place, we have several classic ASP and ASP.NET application.

All these application though doing different works are integrated through a single sign on mode, which is handled by one main application.

The main application is in classic ASP and verifies the userid and password initially and then stores the UserID in a session variable, which is then used by all other ASP and ASP.NET page as a valid Authenticated user. (For DOT NET pages we use session bridging)

Is this how authentication is done is classic ASP? (I dont know classic ASP much)

From the time I was introduced to this setup, I started to worry whether this setup is flawless? Is there any better way to handle the same ?

Will it be possible to authenticate for both classic asp and DOT NET in the same login page?

Best Solution

In my Classic ASP applications I have always done roughly what you describe. When the user uses the login page their credentials are authenticated and then User ID and other relevant information is stored to the session cookie.

The potential flaw in this approach is that in theory a user can alter their session cookie locally so when they make requests to your application they appear to be another user which is a security risk. The way I usually get around this is that when I store the User info in the session cookie I generate an authentication code based on this information and some hidden salting information (specifically I build a string of info and hash it with SHA256).

Then you can regularly recheck the authentication code to see if it matches the expected code for that user, should the cookie be altered in any way the authentication code will no longer match the expected code and the user gets booted out.

The main issue you might have in doing something similar is finding implementations of Hashing algorithms in both ASP and ASP.Net that give the same hashed value for a given output string - or making sure you convert appropriately.

Personally I've used Frez's free SHA256 implementation for classic ASP which returns the result as a 64 character hex encoded lower case string while for ASP.Net I've used System.Security.Cryptography.SHA256Managed which returns the result as the same but upper case (with a bit of work involved - see example below). So all you need is a simple case conversion call.

Function SHA256(ByVal input As String)
    Dim bytInput() As Byte
    Dim bytHash() As Byte
    Dim objBuilder As New StringBuilder
    Dim objCrypto As New SHA256Managed
    Dim intI As Integer

    bytInput = Encoding.ASCII.GetBytes(input)
    objCrypto = New SHA256Managed()
    bytHash = objCrypto.ComputeHash(bytInput)

    For intI = 0 To UBound(bytHash)

    Return objBuilder.ToString()
End Function
Related Question