ASP.NET 1.0 and 1.1 Professional: For advanced ASP.NET 1.x coders. Beginning-level questions will be redirected to other forums. NOT for "classic" ASP 3 or the newer ASP.NET 2.0 and 3.5

April 10th, 2006, 11:58 PM
Authorized User
Join Date: Apr 2006
Location: Dalian, LiaoNing, China.
Posts: 17
Thanks: 0
Thanked 0 Times in 0 Posts
Cross-site security problem!
There are two projects, for example, project_A and project_B. The projects are on the same machine; the database may not be placed on a machine. Most of the pages in both project_A and project_B need authentication and authorization. For some reasons, I now need to connect, through project_A, to the pages contained in project_B.
How can the users belonging to project_A be recognized by project_B? How can I make the process safe?
User_A -------------> User???
----------------- Request ----------------
Project_A ----------> Project_B
----------------- ----------------
I have made some essential methods.
1. Cookie and Session
Session can't work cross-site. A cookie may be used, but it has requirements regarding the connection character string (URL).
2. Session state
I didn't understand it very clearly. I only knew session state has a special state service management, and the projects need to work with the database on the same computer.
3. Extended Forms Authentication and SSL
I thought this is quite a good method. Different projects use the same encrypted machineconfig in the file named web.config, and the key will be saved in the registry.
Code:
<authentication mode="Forms"/>
<machineKey validationKey="BC96635A96D0561BA5E7CEECDC29A3166ED0B8EBF756495653B0C6C1389E081A4BDE0FAD53F9933E3AA3044A3C2E13985736D7C18B69DF21AEAB"
            decryptionKey="8A424F4F4EE4D357AED944665C2CBEB47D64E448989628AC"
            validation="SHA1"/>
4. I write a common security module in both projects.
Thank you!
Cheers,
Zhangguoyi
No pains, no gains.

April 11th, 2006, 12:27 AM
I also want to use ACT to balance the capability and security.

April 11th, 2006, 03:55 AM
I save user identities in the Session.
From Project_A I use a URL to connect a special page in Project_B.
The function of this special page is that I decrypt the encrypted user identity and create the very session.
If the session has been created successfully, the page will redirect to the request page.
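The handoff described in the last post (Project_A passes a protected user identity in a URL, and a landing page in Project_B checks it, creates the session and redirects), as an added C# example that is not code from the thread. It signs the identity rather than encrypting it; the names HandoffToken, Issue and Redeem, the 60-second lifetime and the in-memory nonce set are assumptions, and the key stands in for the secret both projects share.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example. HandoffToken, Issue and Redeem are hypothetical names, not ASP.NET APIs.
public static class HandoffToken
{
    // Redeemed nonces. Assumption: production keeps these in a store shared by every Project_B server.
    static readonly HashSet<string> Redeemed = new HashSet<string>();

    static string Hex(byte[] b) { return BitConverter.ToString(b).Replace("-", ""); }

    static string Mac(byte[] key, string body)
    {
        using (var h = new HMACSHA256(key)) return Hex(h.ComputeHash(Encoding.UTF8.GetBytes(body)));
    }

    // Project_A: bind user, return path, expiry and a random nonce under one MAC.
    public static string Issue(byte[] key, string user, string returnPath, DateTime nowUtc)
    {
        var nonce = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(nonce);
        string body = string.Join(":", new[] {
            Uri.EscapeDataString(user), Uri.EscapeDataString(returnPath),   // escaping removes ':' from fields
            nowUtc.AddSeconds(60).Ticks.ToString(), Hex(nonce) });
        return body + ":" + Mac(key, body);
    }

    // Project_B landing page: returns the user name, or null if the token must be refused.
    public static string Redeem(byte[] key, string token, DateTime nowUtc, out string returnPath)
    {
        returnPath = null;
        int cut = token == null ? -1 : token.LastIndexOf(':');
        if (cut < 0) return null;
        string body = token.Substring(0, cut), expected = Mac(key, body), given = token.Substring(cut + 1);
        int diff = expected.Length ^ given.Length;                    // constant-time comparison
        for (int i = 0; i < expected.Length && i < given.Length; i++) diff |= expected[i] ^ given[i];
        if (diff != 0) return null;                                    // forged or altered
        string[] f = body.Split(':');                                  // fields are trusted only after the MAC check
        if (f.Length != 4 || nowUtc.Ticks > long.Parse(f[2])) return null;   // malformed or expired
        lock (Redeemed) { if (!Redeemed.Add(f[3])) return null; }      // replayed
        string path = Uri.UnescapeDataString(f[1]);
        // Only same-site relative paths, so the redirect cannot leave Project_B.
        if (!path.StartsWith("/", StringComparison.Ordinal) || path.StartsWith("//") || path.Contains("\\")) return null;
        returnPath = path;
        return Uri.UnescapeDataString(f[0]);
    }
}
```

The token travels in a URL, so the link from Project_A and the landing page in Project_B both need SSL; the short lifetime and single-use nonce limit what a copied URL is worth.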