Share login between PHP and ASP Classic (VBScript)

0
votes

I'm trying to update/maintain an older web site that was initially written in Classic ASP/VBScript, and later had PHP pages added. I'd like to set it up so that PHP handles the login, but then that logged in state can be shared between PHP and ASP/VBScript. Note that the pages and languages are fairly intermingled -- somebody spending time on the site might come across several different pages in each language, in no particular order.

(Eventually I expect it to be completely rewritten in PHP, but I have to eat this elephant one bite at a time; and for now I'm simple trying to improve security.)

Let's assume I've successfully logged in and validated the user in PHP using something like phpPass. How do I tell the ASP/VBScript page they just pulled up that they're logged in? How can I best do this securely?

(And thank you for any help!)

2
phpsecurityloginvbscriptasp-classic

2 Answers

1
votes

You cannot share sessions across Classic ASP/VBScript and PHP as they create/use them differently. My solution isn't that secure but would work:

  1. Log the user in via 1 of the languages (say PHP)
  2. Pass the initial session variable to a URL and get ASP to look at the querystring and then create another session for ASP there.

That would deal with it...although not that secure!

0
votes

The best answer I've been able to find for this issue was the following. Specific to sharing a login between Classic ASP and ASP.net, but the methodology is exactly the same:

As you probably already know, classic asp and asp.net cannot share the same session state, so you do need to have a mechanism to log from one into the other.

What I would do is: when someone logs in, create a unique GUID that you save in the database for that user. When you jump from one site to the other, pass that GUID into the query string. When you try to auto-log them into the other site, look up that GUID and see if it's attached to anyone. If it is, log them in.

This way you aren't passing anything that a user could guess or decrypt.

Additionally, it's smart to add a timestamp to the database as well; and the GUID should only be valid for a second or two. Log in on the PHP end, then flip over to ASP and check the GUID.

Not totally secure, but appears to be about as secure as I'm going to find.

source: https://stackoverflow.com/a/921575/339440

Edit to add: per comments, also record the user's IP address to the database and compare it on the ASP side. No teleporting allowed!

CORRECTION: In this case "GUID" is a misnomer. What you need here is a random string of characters, not a GUID. A GUID is a semi-random construct with one of a handful of specific formats, and is not applicable here.