
Webmaster Forum / ColdFusion / Advanced Techniques / November 2004




Cross technology access question

leontova - 29 Nov 2004 16:21 GMT
Hi all. I'm building an extranet that has its own authentication and
authorization modules and we have purchased a web app that is ASP based. I want
to control access to the ASP app without allowing customers to go through the
URL and bypass the front end. I don't think Application.cfm has any effect
on the VBScript world and of course they have their Default.asp. Their app can
check for the existence of a session var and if it is not there, kick the person
out. The ASP app could look for a particular URL string (and data) and I can
certainly pass a URL string to the ASP app, thereby triggering the session
var to be set. But if anyone figured out the URL var and data they could bypass
the front end. I could encrypt the URL in CF but how would I decrypt it in
VBScript? I haven't found anything in MS Technet that helps with decryption.

Should I even be thinking of URLs? Are there other options? Domain and
directory access? Thanks for your help.
philh - 29 Nov 2004 17:42 GMT
Hmm. 'Extranet', I take it, means that your users are not logged into the
domain or a domain that the Web server trusts. ASP applications, by dint of
their being Microsoft-based, usually rely on OS-based authentication for
security. If the user doesn't have rights to the resource, they'll be
challenged to log in. If they're not logged into the domain or one that's
trusted, likewise. You need an ASP template that sets your session
authentication variable for you. In order to manage anonymous access to these
templates (since the user is not authenticated), make global.asa a form action
that accepts input only from a Cold Fusion template that passes the requisite
information, e.g. user ID and whatever other info the ASP app needs. Put a
link to that template in your CF app. Roughly, the logic in global.asa is:

Does the session var exist?
  Yes - on to the next template
  No - Do the form values exist and is the requesting template my Cold Fusion page?
    Yes - set the session var and move on
    No - sayonara

Caveat: If this is in fact an ASP.NET application, you're hosed. ASP.NET
templates accept input only from other ASP.NET templates. Good luck.
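
Added example, not from either poster: instead of encrypting the URL, the front end can sign a short-lived, single-use handoff value with HMAC-SHA256, and the receiving app recomputes the signature before setting its session variable, so knowing the parameter name and format is not enough to get in. Python is used here only as a neutral sketch of both sides; the key, field layout, 60-second lifetime and function names are assumptions, and the ColdFusion and ASP ends would each need their own HMAC implementation.

```python
import base64
import hashlib
import hmac
import time

# Assumption: one secret configured on both servers, never sent to the browser.
SHARED_KEY = b"constructed-demo-key"
MAX_AGE = 60  # assumed policy: seconds a handoff link stays valid


def _mac(payload):
    digest = hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def issue_token(user_id, now=None):
    """Front-end side: value to append to the redirect URL."""
    if "|" in user_id:
        raise ValueError("user_id must not contain the field separator")
    issued = int(time.time() if now is None else now)
    payload = f"{user_id}|{issued}"
    return f"{payload}|{_mac(payload)}"


def verify_token(token, seen, now=None):
    """Receiving side: return the user id, or None if the token is rejected."""
    parts = token.split("|")
    if len(parts) != 3:
        return None
    user_id, issued, mac = parts
    expected = _mac(f"{user_id}|{issued}")
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return None
    age = int(time.time() if now is None else now) - int(issued)
    if age < 0 or age > MAX_AGE:
        return None  # stale or future-dated link
    if token in seen:
        return None  # already used once: replayed URL
    seen.add(token)
    return user_id  # caller would now set the session variable
```

The `seen` set stands in for whatever store the receiving app uses to remember tokens until they expire.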



©2008 Advenet LLC   Privacy Policy - Terms of Use