How to pass data between 2 apps on different servers

  • Question

  • User-779965281 posted

    Hi everyone,

     

    I'm facing a problem with transferring data between two web applications on two different servers. For example, on page A I have a login box with a LoginName textbox, a Password textbox and a Login button. What I am trying to achieve is that when I press the Login button I will transfer data from the Login and Password textboxes to page B, and .NET code on page B will try to validate the logging user. I was trying code like this but it doesn't work

    on page A

    protected void pe_submit_Click(object sender, EventArgs e)
    {
        Session["Login"] = txtlogin.Text;
        Session["Pass"] = txtpassword.Text;

        Response.Redirect("http://b/");
    }

    and on page B in Page_Load event

    if (Session["Login"] != null && Session["Pass"] != null)
    {
        int UsrId = LogUser(Session["Login"].ToString(), Session["Pass"].ToString());
    }

    I was thinking of using a Web Service between these apps, however I am not certain that it will work.

    I would be very grateful for any suggestions that will help me solve this problem.

    Best wishes,

    Chevie

    Tuesday, February 23, 2010 10:25 AM

All replies

  • User45808590 posted

    Hi - if you are using the session with InProc mode, then I think it will not work, since both pages are on different applications and session variables for application one are not available on the second application.

    To achieve the desired functionality you can probably use the SQL server to store the session data.

    Or you can use some other method like use of query string to transfer data from one application to another but this will not be secure in your scenario as it will expose password in query string.


    Tuesday, February 23, 2010 11:23 AM
  • User-779965281 posted

    I was thinking about hashing parameters in the query string, but it's, like you said, not a proper solution.


    What do you mean by storing session data in a database? How would it be useful and help me to solve my problem?

    Wednesday, February 24, 2010 3:13 AM
  • User1732514203 posted

    Following the idea about using a database, you could do the following

    1. Save a record in the database to represent the login (SessionID, Username, Password)
    2. When redirecting to second page, you can send the SessionID in the query string
    3. On the second page you can now retrieve that information from the database using the SessionID

    That would be one solid way of achieving the desired effect

    Hope this helps
    Stuart 

    EDIT:

    Forgot to mention that if a user knew of another session id they could hack the query string, so maybe hash/encrypt the SessionID in the query string

    Wednesday, February 24, 2010 7:58 AM
  • User-1199946673 posted

    "Forgot to mention that if a user knew of another session id they could hack the query string, so maybe hash/encrypt the SessionID in the query string"

    And then you're safe? I don't think so....

    http://en.wikipedia.org/wiki/Man-in-the-middle_attack

    Wednesday, February 24, 2010 8:14 AM
  • User1732514203 posted

    I don't see how the attack could be made?

    Page1 (all happens in page1 code)

    1. Gets username/password
    2. encrypts password
    3. Sends username and password directly to the database
    4. Returned id is then encrypted and added to the query string for redirect to Page2

    Page2 (all happens in page2 code)

    1. Gets encrypted id from query string and decrypts it
    2. uses id to get data from the database
    3. can now decrypt the password if needed

    If you intercepted the id you would need to know the encryption key which is never sent outside of page1 and could be hard coded into the web.config of app1 (Page1 application) and app2 (Page2 application).

    Am I missing something?


    Wednesday, February 24, 2010 8:24 AM
  • User-1199946673 posted

    "Am I missing something?"

    4. Returned id is then encrypted and added to the query string for redirect to Page2
    5. The request is intercepted by the hacker, who sends the encrypted id to page2

    You might as well encrypt the username and password, the result will be the same. Whatever you do, use SSL

    Wednesday, February 24, 2010 8:40 AM
  • User1732514203 posted

    I see your point, however the hacker would surely need to know the encryption keys to modify the id that is being sent. Sending another encrypted id would not work, as when Page2 comes to decrypt the id the encryption keys would not match

    Wednesday, February 24, 2010 8:46 AM
  • User-1199946673 posted

    "however the hacker would surely need to know the encryption keys to modify the id that is being sent"

    ???

    The hacker intercepts YOUR encrypted id, and then he sends that key to page 2, without any modification, because you encrypted it for him already...

    SSL is the way to go, and then you can send the (encrypted) username and password, without the step in between with an id, which adds no more security at all!

    Wednesday, February 24, 2010 8:51 AM
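
Added example, not part of any post in this thread: a C# console sketch of the replay point made in the reply above. It swaps the thread's "encrypted id" for an HMAC-signed id with an expiry; the key, the in-memory `Redeemed` set and all method names are hypothetical, and `CryptographicOperations` assumes .NET Core 2.1 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

static class HandoffDemo
{
    // Constructed demo key; the thread's design keeps the shared key in each app's web.config.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key-do-not-reuse");
    // Hypothetical in-memory record of tokens app B has already accepted.
    static readonly HashSet<string> Redeemed = new HashSet<string>();

    static string Sign(string payload)
    {
        using (var hmac = new HMACSHA256(Key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // App A: bind the database record id to an expiry time and sign both.
    static string Issue(string recordId, DateTime expiresUtc)
    {
        string payload = recordId + "|" + expiresUtc.Ticks;
        return payload + "|" + Sign(payload);
    }

    // App B, check 1: token is unmodified and unexpired. It says nothing about who sent it.
    static bool IsIntact(string token, DateTime nowUtc)
    {
        int cut = token.LastIndexOf('|');
        if (cut < 0) return false;
        string payload = token.Substring(0, cut);
        byte[] given = Encoding.UTF8.GetBytes(token.Substring(cut + 1));
        byte[] expected = Encoding.UTF8.GetBytes(Sign(payload));
        if (!CryptographicOperations.FixedTimeEquals(given, expected)) return false;
        return nowUtc.Ticks <= long.Parse(payload.Substring(payload.IndexOf('|') + 1));
    }

    // App B, check 2: accept each intact token once only.
    static bool Redeem(string token, DateTime nowUtc) => IsIntact(token, nowUtc) && Redeemed.Add(token);

    static void Main()
    {
        DateTime now = DateTime.UtcNow;
        string token = Issue(Guid.NewGuid().ToString("N"), now.AddSeconds(30));
        Console.WriteLine("modified token intact?  " + IsIntact("x" + token, now));
        Console.WriteLine("captured copy intact?   " + IsIntact(token, now));
        Console.WriteLine("first presentation:     " + Redeem(token, now));
        Console.WriteLine("replayed presentation:  " + Redeem(token, now));
    }
}
```

Single use only decides in favour of whoever presents the token first, and over plain HTTP that can be the interceptor, which is why the replies insist on SSL.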
  • User1732514203 posted

    Ok, I see what you're saying now.

    This could be prevented by only allowing access to the same ip address that entered the database record.

    SSL is the preferred route, but it's something that you have to buy and therefore some people that are designing personal apps for sites or something may not have the budget to pay for this.

    Wednesday, February 24, 2010 9:11 AM
  • User-1199946673 posted

    "This could be prevented by only allowing access to the same ip address that entered the database record"

    I think you need to do some more reading regarding IP addresses

    "SSL is the preferred route, but it's something that you have to buy and therefore some people that are designing personal apps for sites or something may not have the budget to pay for this."

    Indeed, and if you don't want to pay for SSL, then you take a potential risk. By the way, there are plenty of (cheap) web host packages that include Shared SSL

    Wednesday, February 24, 2010 9:26 AM
  • User1732514203 posted

    Not even my post and I have learnt something new

    Cheers

    Wednesday, February 24, 2010 9:43 AM
  • User45808590 posted

    Please see if this can help you get some logic.

    http://blogs.msdn.com/toddca/archive/2007/01/25/sharing-asp-net-session-state-across-applications.aspx



    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, February 25, 2010 7:00 PM