Forms Authentication and classic ASP

From: Joe (anonymous_at_discussions.microsoft.com)
Date: 05/27/04


Date: Thu, 27 May 2004 07:31:02 -0700

I have two applications running on the same server. One is a classic ASP application, and the other a new ASP.NET application. Users currently log in to the classic ASP application by supplying a username and password on a login form. After a configurable (sliding) timeout, users are automatically logged out, and redirected to the login page.

I want to have a single login which gives users seamless access to both the old ASP application and a new ASP.NET application. I.e. once a user logs in, he can navigate between the ASP and ASP.NET pages unless the sliding timeout expires. Once the sliding timeout expires, he should be logged out of both ASP and ASP.NET applications.

Can anyone tell me the best way to achieve this?

So far my thinking is as follows:
- The new ASP.NET application will use Forms authentication, and the login page will be in the ASP.NET application.
- For ASP.NET I just use standard Forms authentication.
- When the user attempts to access a page in the old classic ASP application, a VBScript function "IsAuthenticated" is executed. If this returns True, the user is allowed access to the page. If it returns False, the user is redirected to the login page in the new ASP.NET application.

To implement the "IsAuthenticated" function, I need to do the following:
- Access the Forms Authentication cookie: I've tested this and I can do it
- Decrypt the ticket in the Forms Authentication cookie
- Test the Expired property of the ticket

Any tips on how to decrypt the value in the authentication cookie using classic ASP?

Joe
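
The three steps listed in the post (read the cookie, decrypt the ticket, test `Expired`), done on the ASP.NET side instead of in VBScript, as an added example that is not part of the original post. The handler name `AuthCheck` and the idea that the classic ASP `IsAuthenticated` function requests it with the browser's cookie forwarded are assumptions; `FormsAuthentication.Decrypt` depends on the ASP.NET application's own `machineKey` settings.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical handler (e.g. AuthCheck.ashx) hosted in the ASP.NET application.
// Assumption: the caller sends the Forms Authentication cookie it received
// from the browser along with its request to this handler.
public class AuthCheck : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";
        // The answer depends on the clock, so it must never be cached.
        context.Response.Cache.SetCacheability(HttpCacheability.NoCache);

        FormsAuthenticationTicket ticket = ReadTicket(context.Request);

        // Step 3: a missing, tampered or expired ticket all mean "not logged in".
        bool ok = ticket != null && !ticket.Expired;
        context.Response.StatusCode = ok ? 200 : 401;
        context.Response.Write(ok ? "True" : "False");
    }

    private static FormsAuthenticationTicket ReadTicket(HttpRequest request)
    {
        // Step 1: locate the cookie under the name configured in web.config.
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || cookie.Value == null || cookie.Value.Length == 0)
            return null;

        try
        {
            // Step 2: decrypt and validate the ticket with the application's keys.
            return FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            // Malformed or forged cookie values fail here; treat every
            // failure as "no ticket" rather than surfacing the error.
            return null;
        }
    }
}
```

This check does not renew the ticket, so it reports expiry but does not by itself extend the sliding timeout.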


