I have about 100 websites coded in ASP classic. Each website accepts orders and stores them in database. However, the payment of these orders must be made on another website, also coded in ASP classic. All websites are owned by same company, hosted on same IIS server and use the same SQL Server database.
Now, the user registers by entering some personal information and logs in to one of these website (e.g. website-for-newjersey.com) and places an order. He is then redirected to the payments website (payments.master-website.com on https) where some of his personal information (address, city, state for shipping; name for credit card holders name; etc) appears on the payment form. Credit card specific information is entered on that page.
Because of the sensitivity of information shown on that page, the user must login to the payment website before he/she can view the pre-filled payment form. And I do not want the user to login twice (once on each website). Is there a reliable way of checking if the user is logged in to the referring website using classic ASP.
Long story short
- On website B I need to check if the visitor is logged into website A
- On website B I need the ID session variable from website A
- Both websites use same database server
- I need clear instructions
- PHP or ASP.NET solution is acceptable if it is generic/portable
What you asked is called single sign on (SSO) and can be implemented in few ways. There are many topics on this matter, example: What's your favorite cross domain cookie sharing approach? but they all vary due to individual requirements.
In your case you have different domains (so you cannot share cookies across them), you mix http and https (which might be a problem) and you have many applications so you won't make many changes.
So I would recommend to consider Robert's suggestion:
- When user is authenticated for the first time (website A) you save a GUID in the database. Add a new table for sessions with columns for GUID, userid, ip and timestamp or save it as a part of orders data. Store GUID in the session object.
- On the page that had a link to the payment site set it in the query string or as a hidden variable (if it's a form).
- On the other domain (website B) check for the GUID and then look it up in the database. If it wasn't too old then authenticate the user, otherwise redirect him to a login page.
If you cannot change a link to the payment site then you could try to skip the step 2 and validate the user by his ip but this might be too risky.
From the calling site you could create a guid or some other randomly generated value. Store it on the users record (set to expire in a specified time period) in the database, encrypt it and pass it over SSL to the payment site where it is decrypted and then compared to the database. If they match then the user is logged in, if it doesn't match then they are asked to log in.
Another way although I'm not sure it can be done with different domain names is using sessions. Since they are all on the same machine it might be possible but I'm not 100% sure on that one.
Pass-port based authentication is a centralized authentication service provided by Microsoft that offers a single logon and core profile services for member sites. For more information, see the following Microsoft Web site:
Passport Authentication Provider
If you can't implement a Single Sign-On at your infrastructure level, you should use Identity Federation which allows applications of different trusted party to share authentication through claims.
This can be done using Security Assertion Markup Language (SAML) directly or with products/standards like :
- SimpleSAMLphp
- Active Directory Federation Services
Also you can take a look at OAuth or OpenID which are more shared authentication schemes than SSO or identity federation.
