
I am really just wondering if this is even possible. So we are in the process of redoing our website from Classic ASP to ASP.NET MVC. However, we are doing it a little bit at a time currently. We are splitting it into three new ASP.NET MVC projects that will each have their own domain. The issue that I am running into is we want to log in on one page (which is currently the existing Classic ASP), and then redirect them to the new domain while passing stuff like a SessionID.

I got it working decently by storing information in the DB when they log in then sending it via QueryStrings. The issue is the manager wants me to not use QueryStrings due to possible information (like UserId) being sent there. So he is suggesting sending it via headers. This works by using a GET request and adding the information in the header. I cannot redirect via the GET as far as I know. I don't think redirecting via a POST would work either.

Is there a way to redirect from one domain to another while passing information that does not require QueryStrings? If you need more information let me know.

j5juice

2 Answers


You can't directly instruct the user's browser to send a header when it fetches the second website. Basically you're just giving it the address, and it will fetch the page by itself. What may be possible, if both sites have the same top-level domain (i.e. website1.example.com & website2.example.com), which sounds likely, is that you could just use a cookie, stored on the base domain (*.example.com). So the flow would be -

  1. User logs in, you return a response with a Set-Cookie header and a Location header (this is the redirect).
  2. User's browser stores the value(s) you asked it to store in its cookie store.
  3. User's browser makes a request to the site you redirected to. Because you set the cookie at the base domain level, it will be sent to any *.example.com, basically meaning the second site will get a header (Cookie) with the info from the first site.
  4. In the second site, read the cookie, and do whatever logic you need.

Important to make clear (just because you referenced something that sounded like a security concern) - this is by no means safer than passing the parameter in the redirect itself - it's just a solution for what you asked. Don't use this method to pass information that you don't want exposed.

Relevant -

Share cookie between subdomain and domain

ASP.NET Cookies Overview

Nimrod Dolev

There are a few options:

  1. If you can't use querystrings, you could write the values into a form and POST (rather than GET). Put a javascript on it to autopost. So the user logs in on classic ASP, it writes the values to a form on the next page and then auto-submits that form. This still isn't super secure, as the form fields could be read.
  2. To make it more secure, you could hash or encrypt the values in the form. If you were going this route, you could encrypt all the fields and then pass them via the query string.

We've had this situation before where main system was classic ASP, and a new part of the system was MVC ASP.NET. We used an encryption component on the ASP side (ASPEncrypt) and built in decryption in ASP.NET to get users to securely transfer between the systems while maintaining track of who was logged in.

Mart