Posted by SuperRobot5000 on 10/23/06 22:10

Thanks for the advice guys.

The only issue with encrypting a the URL is that I'll need routines in
both systems that match, but I dont know PHP well enough to be able to
do this. :o(

I have made the 2 systems on the same domain now, so cookies are an
option. Can anyone give any tips on how I might achieve this between
the ASP.NET and PHP apps?

SR5k

Jerry Stuckle wrote:
> SuperRobot5000 wrote:
> > Hi All,
> >
> > Ok, I know that the title of this question might seem strange... but i
> > need to be able to authenticate from a .NET website (which a user would
> > be logged on) to a PHP website (with the same user details).
> >
> > Does anyone know if there is a way to do this? I think the only way is
> > to use an encrypted URL... but how would I encrypt the URL from the
> > ASP.NET app into a format that the PHP app can decrypt?
> >
> > would a cookie also work? can you use cookies between
> > applications/sites?
> >
> > Please help. :o(
> >
>
> Cookies don't work cross-domain - to allow them to do so would be a huge
> security risk.
>
> It really doesn't make a lot of difference what languages the sites are
> written in - your .asp site will only "see" the html output (and
> vice-versa, if necessary).
>
> One way would be to encrypt the userid and password and have it passed
> to a special login page (assuming you have control of the other site) as
> GET parameters. When I need encryption (as opposed to hashing which is
> not reversible), either use the libmcrypt routines or my own. This
> isn't real secure, though, unless you use ssl. And it doesn't work if
> you use the authentication provided by the webserver (as opposed to
> programmer authentication).
>
> But any other way is not easy. You can't do the authentication for the
> browser, and you can't instruct the browser to do the authentication on
> the new site for you. This means you would have to proxy the second
> site in the first, and handle the authentication in your .NET code. And
> how it's done would be dependent on how the authentication is done on
> the remote site.
>
>
>
> --
> ==================
> Remove the "x" from my email address
> Jerry Stuckle
> JDS Computer Training Corp.
> jstucklex@attglobal.net
> ==================

[Back to original message]