Transferring to insecure server after login?
Posted 27 Feb 2002 00:35:49
27 Feb 2002 00:35:49 Hank Tan-Tenn posted:
Hi,
For logging in I use a server with SSL. Upon authentication I'd like to redirect to unencrypted contents *on another server*. Since the Ultradev login uses sessions to maintain state, redirection seems to hit a wall.
Suggestions appreciated!
<edit>(BTW, I use ASP/VBS)</edit>
Edited by - akc on 27 Feb 2002 00:41:42
Replies
Replied 27 Feb 2002 14:34:42
27 Feb 2002 14:34:42 Dennis van Galen replied:
This is unwise.
You have your visitor log in on server nr.1 through an SSL session, then you redirect him to server nr.2, effectively logging him OUT of server nr.1, which creates a NEED to log in again on server nr.2, which redirects the user back to server nr.1 where the SSL routine is, which sends the user back to server nr.2 where he again has to log in...
Do you get the idea?
The problem is that you create the session on server nr.1 which cannot be used on server nr.2 because it does not exist on that server.
I think you want to consider something like this:
User logs in on server nr.1 through the SSL, the loggedin.asp page creates a COOKIE on the visitor's compy-thingy which can be read on server nr.2, and if it exists the user can surf to his/her heart's content, and if it is not present then the server needs to redirect the user to server nr.1 to create the cookie so the user can browse. Advisable would be to set the cookie to expire after 1 day, so the user has to go through the SSL session every time he/she wants to surf the webpages.
Did that make any sense?
If yes, then here's a tutorial to create a cookie-based login system:
www.udzone.com/showDetail.asp?TypeId=2&NewsId=1163
Here's another one:
www.spdesign.dk/ultradev.asp
Good luck
With kind regards,
Dennis van Galen
Webmaster KPN Nederland
Financial and Information Services
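An added example, not part of the original post or the linked tutorials: the cookie hand-off described above, sketched in Python rather than the thread's ASP/VBScript, with the cookie value signed (HMAC-SHA256) so server nr.2 can check that server nr.1 issued it and that the one-day expiry has not passed. Assumptions: both servers hold the same secret key, both sit under one parent domain so the browser sends the cookie to each, and the names `issue_cookie`, `verify_cookie` and `SHARED_KEY` are hypothetical.

```python
import base64
import hashlib
import hmac
import time

# Assumption: the same secret is configured on server nr.1 and server nr.2.
SHARED_KEY = b"constructed-demo-key-replace-me"  # constructed sample value
MAX_AGE = 24 * 60 * 60  # the one-day expiry suggested in the post


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _sign(payload: bytes) -> bytes:
    mac = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    return _b64(mac).encode()


def issue_cookie(username: str, now=None) -> str:
    """Server nr.1, after the SSL login succeeded: build the cookie value."""
    expires = int(time.time() if now is None else now) + MAX_AGE
    payload = f"{_b64(username.encode())}.{expires}".encode()
    return payload.decode() + "." + _sign(payload).decode()


def verify_cookie(value: str, now=None):
    """Server nr.2: return the username, or None (redirect to server nr.1)."""
    now = int(time.time() if now is None else now)
    try:
        user_b64, expires, sig = value.split(".")
        payload = f"{user_b64}.{expires}".encode()
        # Constant-time comparison; reject before trusting any field.
        if not hmac.compare_digest(sig.encode(), _sign(payload)):
            return None
        if int(expires) < now:
            return None  # older than one day: back through the SSL login
        padded = user_b64 + "=" * (-len(user_b64) % 4)
        return base64.urlsafe_b64decode(padded).decode()
    except (ValueError, UnicodeDecodeError):
        return None  # malformed or missing cookie
```

The signature stops a visitor from editing the name or the expiry in the cookie; a cookie captured on the unencrypted hop to server nr.2 can still be replayed until it expires.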
Replied 01 Mar 2002 16:58:40
01 Mar 2002 16:58:40 Hank Tan-Tenn replied:
Thanks for the cookie suggestion. In essence: make state independent of server by keeping it on the client machine. Got it!
Replied 01 Mar 2002 23:39:22
01 Mar 2002 23:39:22 Dennis van Galen replied:
To put it short, yes, that's what I meant. Unless you're willing to spend a vast amount of money... but I'm imagining that the SSL already costs you an arm and possibly a leg too.
You could attempt to use the IIS settings to redirect to server nr.2 after authentication succeeded and it arrived in a folder which you told IIS to redirect to a URL, but you'd still have the problem of no session on server 2, making it pointless without something client-side to inform server 2 that you passed the SSL and are allowed to surf.
Dennis
