1

I've created 2 websites.

Both website have their own database, but there is a user table in both websites that has exactly the same values. What I want to do is make something that can take a user who logs in to website one and automatically log the same user in to website two as well.

Honesty I don't even know how to do it. I've tried to use extra page and login with session and javascript trick but most of the time its not working... especially in IE.

By the way i'm using classic ASP and SQL 2008.

Any ideas?

Joel Coehoorn
  • 399,467
  • 113
  • 570
  • 794
Jay
  • 1,384
  • 1
  • 17
  • 30

4 Answers4

2

If you are using classic asp, I assume you are manually dropping an auth cookie that you check on each request?

If so just add this checking code to both sites. You may need to rip it out and put it in a class library that is accessible by both sites.

Juan Ayala
  • 3,388
  • 2
  • 19
  • 24
  • Thanks, but how could I read single cookie from both website? – Jay Aug 22 '11 at 19:41
  • I don't think its impossible. Just convoluted. Check [this](http://stackoverflow.com/questions/263010/whats-your-favorite-cross-domain-cookie-sharing-approach) or [this](http://general-tips.assistprogramming.com/cross-domain-cookie-one-tricky-question.html) – Juan Ayala Aug 23 '11 at 02:07
1

I am assuming they are on different domains.

On website1 you have a hidden form (possibly in an iframe) with an action pointed at the website2 login handler. If you are not the administrator of website2 then you may run into problems.

Related: http://en.wikipedia.org/wiki/Cross-site_request_forgery

diolemo
  • 2,621
  • 2
  • 21
  • 28
0

What you're talking about is called Single Sign-On, and it's a well known problem. There are many ways to do it, but the simplest is to set a cookie when a user logs into either site, and to look for that cookie when a user visits either site. If the cookie is present, examine it to find the login name and any other details.

This method isn't ideal. You have to do a lot of extra work to secure (otherwise anybody could just write their own cookie and log in as whomever they want) and it won't work cross-domain (are both sites on the same domain?)

Quinn
  • 71
  • 4
  • Actually no, each website has its own domain and as you explained creating cookie with all those information is not a good idea. – Jay Aug 22 '11 at 19:52
  • That's why it's the simplest method, it's not very good. If they're on different domains, you'll have to do some extra work to share their logins. There are many ways to do this, ranging from pre-packaged software (e.g. CAS) to writing your own SSO layer (e.g. when a user logs into one site, make a database query or web service call to the other site to make the user also logged in there). – Quinn Aug 22 '11 at 20:06
0

Presuming the credentials are exactly the same, couldn't you use site one's credentials to log into to site two, and visa versa?

John
  • 701
  • 6
  • 10