Assuming that both boxes have access to the same database, you can use some
text, number, or GUID that uniquely identifies the user's session. When the
user is authenticated against your database through Site 1, store this
identifier in the database and return it to the page which will transfer to
Site 2. The hidden form field suggested by Curt is a good way to do it, as
is encoding it in a query string.
Since I'm not sure I've concisely demonstrated my command of the English
language, here's a walk-through example.
1. User visits
www.xyz.com (Site 1) and enters login information.
--> Your script or stored procedure compares login information to the
database.
--> The login info matches, so the script or stored procedure generates the
unique session id 12345678-9012-3456-7890-123456789012
--> The unique id is stored in the database and returned to your ASP script.
2. Your ASP script rolls this unique id into a hidden form field or
hyperlink, such as
<A HREF="
http://www2.xyz.com/transfer.asp?UniqueSessionID=<%=
UniqueSessionID %>">Transfer!</A>
-- or --
<FORM NAME="formTransfer" ACTION="
http://www2.xyz.com/transfer.asp"
METHOD="POST">
<INPUT TYPE="hidden" NAME="UniqueSessionID" VALUE="<%=
UniqueSessionID %>">
<INPUT TYPE="submit" VALUE="Transfer!">
</FORM>
3. The user clicks the link or submits the form, which takes them to
www2.xyz.com (Site 2).
--> The ASP script "transfer.asp" reads
Request.Querystring("UniqueSessionID") [or Request.Form("UniqueSessionID")
--> The ASP script looks for a matching record in the database for an
authenticated user with UniqueSessionID
--> A match is found, and any permissions/credentials/other pertinent
information is loaded from the database (not from cookies or Session
variables)
3. The user browses around Site 2.
4. The user logs out of Site 2 (or the session times out).
--> In your logout script and/or Session_OnEnd event, you include code to
clear out the UniqueSessionID from the database, indicating that the session
is no longer active.
A couple of final thoughts and notes:
- This is not a 100% hackproof solution, but it should work pretty well for
your needs, especially if the only thing you pass between servers is the
UniqueSessionID and the UniqueSessionID expires when the user logs off.
- Although you're certainly free to write extra code to come up with a
unique or semi-unique session id, there's no reason you can't use the
SessionID property for this particular application. You don't need the id
to be unique across days or years, you only need to identify the
authenticated user during the jump between domains.
- For that matter, if the user is not likely to ever go
Site1-->Site2-->Site1, there's really no need to persist the id in the
database after the initial transfer. You could delete it immediately and
increase security (because it would prevent anyone else from using that id
to connect to Site 2).
That's all I've got for now, though it can certainly be refined. Hope it
helps!
--Boris
Curt_C said:
Dont believe so.
Best I could suggest is pass it as a hidden form field or in a DB
--
----------------------------------------------------------
Curt Christianson (Software_AT_Darkfalz.Com)
Owner/Lead Designer, DF-Software
http://www.Darkfalz.com
keep
