Attack_Trax asked on

Automating classic ASP cookie based authentication

I have a handful of classic ASP pages protected by basic ASP authentication using cookies and a database of username/passwords.

I want to be able to display one of the protected pages in a browser window which is opened using a URL from a standard Windows application - without the user needing to explicitly log on.

I guess I'm looking for a way of passing a Username/password from the application to the authenticate.asp script without the username and password being visible at any point?

Thanks.
ASP

Last Comment
Attack_Trax

8/22/2022 - Mon
ThinkPaper

Take a look at using session variables.
http://www.w3schools.com/ASP/asp_sessions.asp
You can store the username or userID (probably not pw) with sessions and not have to 'pass' it to each page.
ASKER
Attack_Trax

Thanks for your post.

I am currently using session variables to store the UserID once they have logged on.

What I'm looking for is a way of authenticating a user without them having to enter their Username and Password because if they have been sent to the page from the desktop application they don't need to be authenticated...
daveamour

Is this on an intranet or is this a public facing website?
ASKER
Attack_Trax

Public facing... but only accessed by a small number of users.

The authentication is to prevent casual browsers of the website accessing certain documents, and to track usage.
daveamour

Are you in control of the asp pages?
ASKER
Attack_Trax

I have full access to the ASP pages/source and can modify them if necessary - if that's what you mean by control?
ThinkPaper

What is this 'application' that you are using to send the user to the page?

If it's simply another page, then you could do a check for the 'referred page' using the session variable HTTP_REFERER
http://www.w3schools.com/asp/coll_servervariables.asp
daveamour

How are you displaying the page in your desktop application - in an embedded browser control?

ThinkPaper

Another thing - if the username is based off a Windows account, you can also use the LOGON_USER session variable to grab the Windows user account name and automatically use that as validation.
daveamour

ThinkPaper - just a small thing but HTTP_REFERER and LOGON_USER are ServerVariables, not Session.
ASKER
Attack_Trax

The application is a Delphi win32 executable, so I'm guessing HTTP_REFERER will be blank?
daveamour

Attack_Trax - how important is security, are you using SSL or is this really just to deter casual browsers?
daveamour

And it has an embedded browser control yes?
ASKER
Attack_Trax

daveamour: The page is displayed by opening a window using the default browser.

ThinkPaper: Usernames are unfortunately not based on windows account names.

Also I don't have any control of the desktop application source/methods...
daveamour

Ok and how important is security?
ASKER
Attack_Trax

There is no SSL and nothing confidential is protected by the authentication, just some documentation and a rarely used forum.
ASKER CERTIFIED SOLUTION
daveamour

Log in or sign up to see answer
ASKER
Attack_Trax

Yeah that's pretty much how these pages work.

Thanks - your idea is a possible solution. Each user of the application does have separate credentials, although this could probably be changed for this scenario.

I was also considering creating an additional ASP page which is not linked to from anywhere on the site and referenced only when the app opens the URL. This page could be used to effectively by-pass the authentication before re-directing to the relevant page.

Which do you think is the most secure of these two options? (or should that read 'the least insecure'!)
daveamour

They are both pretty insecure but there are of course levels and degrees of security.

For example, how do people normally log on to your ASP pages when they are doing so normally? Let's say they log on as I described, then the only difference between that method and my method is that your logon used the post form method and mine used the get method. Unless you use SSL then both of these are transmitting usernames and passwords across the internet which are unencrypted. If security is really important you should look at SSL.

Hope that makes sense.
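
The GET-versus-POST point in the post above, as an added example (not code from the thread): it builds both login requests as they would appear on the wire over plain HTTP and shows the credentials can be read back from either. The host, field names and credential values are constructed assumptions; only authenticate.asp is named in the thread.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample values. The field names are assumptions; only
# authenticate.asp is named in the thread.
HOST = "www.example.com"
CREDS = {"username": "appuser", "password": "s3cret-example"}


def build_get_login(creds):
    """Login opened as a URL: credentials ride in the request line."""
    return (
        f"GET /authenticate.asp?{urlencode(creds)} HTTP/1.1\r\n"
        f"Host: {HOST}\r\n\r\n"
    ).encode("ascii")


def build_post_login(creds):
    """Login submitted as a form: credentials ride in the body."""
    body = urlencode(creds)
    return (
        "POST /authenticate.asp HTTP/1.1\r\n"
        f"Host: {HOST}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
        f"{body}"
    ).encode("ascii")


def exposed_fields(raw):
    """Return {field: (location, value)} for fields readable in the raw bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("ascii")
    method, target, _version = request_line.split(" ")
    found = {}
    # Query-string parameters are part of the request line itself.
    for name, values in parse_qs(urlsplit(target).query).items():
        found[name] = ("request line", values[0])
    # Form fields of a POST follow the blank line after the headers.
    if method == "POST":
        for name, values in parse_qs(body.decode("ascii")).items():
            found[name] = ("body", values[0])
    return found


if __name__ == "__main__":
    for raw in (build_get_login(CREDS), build_post_login(CREDS)):
        print(raw.decode("ascii").splitlines()[0], "->", exposed_fields(raw))
```

Over plain HTTP both requests carry the values in readable form; the GET form additionally leaves them in the URL, which browsers keep in history and web servers commonly write to access logs.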
ASKER
Attack_Trax

Thanks - I opted for the method you suggested as the low security is not an issue and there is no prospect of using a more secure method of authentication.