Well, it turns out that the vendor wanted to simply pass the login info in the querystring, figuring it's safe enough since you need to be logged in prior anyway.
When a user logs in, all their user info is stored in the session, and on the next page after a successful login (inside_home.asp), there is a link calling a JavaScript function to post to the vendor.
i.e.
Code:
<a href='http://www.securedata-trans5.com/ap/ap_admin_v2/admin_v2.php' onClick='JavaScript:AppointmentPlusLogin();return false;' target=_top>blah blah</a>
The JavaScript function is simply
Code:
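function AppointmentPlusLogin() {
    // Submit the form defined further down the page. submit() returns
    // undefined, so its result must not be assigned to window.location.href.
    document.form1.submit();
}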
VBScript
Code:
<%
Set dc = Server.CreateObject("ADODB.Connection")
dc.ConnectionTimeout = Session("dc_ConnectionTimeout")
dc.CommandTimeout = Session("dc_CommandTimeout")
dc.Open Session("dc_ConnectionString"), Session("dc_RuntimeUserName"), Session("dc_RuntimePassword")
Set cmdTemp = Server.CreateObject("ADODB.Command")
Set dcUser = Server.CreateObject("ADODB.Recordset")
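' person_id comes from the session; CLng forces it to a number before it is concatenated into the SQL
cmdTemp.CommandText = "SELECT * FROM login LEFT JOIN person ON login.login_id = person.login_id WHERE (person.person_id = " & CLng(Session("person_id")) & ") AND person.hide_record <> 1"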
cmdTemp.CommandType = 1
Set cmdTemp.ActiveConnection = dc
dcUser.Open cmdTemp, , 0, 1
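' pw holds the user's last name; it is sent to the vendor as the "login" value
Dim pw
pw = dcUser("last_name")
' pw2 holds the first three characters of the last name; it prefixes the "password" value
Dim pw2
pw2 = Trim(Left(pw, 3))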
dcUser.Close
Set cmdTemp = Nothing
Set dcUser = Nothing
dc.Close
Set dc = Nothing
%>
And here's the form telling the javascript function AppointmentPlusLogin what to do.
Code:
<form name="form1" id="form1" method="post" action="http://www.vendor.com/admin_v2.php?action=log_in&login=<%= Server.URLEncode(pw) %>&password=<%= Server.URLEncode(pw2 & Session("login_name")) %>">
</form>
Please note that I don't recommend passing login info through the querystring if it can be avoided.
Peter Hansen
Software Developer
AtHomeNet, Inc.
peterh@athomenet.com
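
Added example, not part of the original post or the vendor's code: because the form action above carries `login` and `password` in the URL, those values end up in web server access logs and Referer fields, so this Node.js sketch redacts them from log lines before the logs are stored or shared. The parameter names `login` and `password` come from the form action; the other names in the list, the function names, and the sample log line are assumptions constructed for illustration.

```javascript
// Parameter names treated as credentials. "login" and "password" are from the
// form action in the post; the rest are assumed common variants.
const SENSITIVE = new Set(["login", "password", "passwd", "pwd", "token"]);

// Redact sensitive values in one query string, leaving other pairs untouched.
function redactQuery(query) {
  return query
    .split("&")
    .map((pair) => {
      const eq = pair.indexOf("=");
      const rawName = eq === -1 ? pair : pair.slice(0, eq);
      let name;
      try {
        // Decode so that an escaped name such as "pass%77ord" is still caught.
        name = decodeURIComponent(rawName.replace(/\+/g, " "));
      } catch {
        name = rawName; // malformed percent-escape: compare the raw name
      }
      return eq !== -1 && SENSITIVE.has(name.toLowerCase())
        ? `${rawName}=[REDACTED]`
        : pair;
    })
    .join("&");
}

// Redact every query string in a log line (request line and Referer alike).
// A query is taken to run from "?" to the next whitespace, quote, or "#".
function redactLogLine(line) {
  let hits = 0;
  const redacted = line.replace(/\?([^\s"#]*)/g, (_, q) => {
    const r = redactQuery(q);
    if (r !== q) hits += 1;
    return "?" + r;
  });
  return { redacted, hits };
}

// Constructed sample line in combined log format (not real data).
const sample =
  '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] ' +
  '"POST /admin_v2.php?action=log_in&login=Smith&password=Smijsmith HTTP/1.1" ' +
  '200 512 "http://intranet.example/inside_home.asp" "Mozilla/5.0"';

console.log(redactLogLine(sample).redacted);
```

A nonzero `hits` count on production logs also serves as a signal that credentials are still being sent in URLs somewhere.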