在PHP和ASP Classic(VBScript)之间共享登录 [英] Share login between PHP and ASP Classic (VBScript)

问题描述

我正在尝试更新/维护一个较旧的网站，该网站最初是用Classic ASP/VBScript编写的，后来又添加了PHP页面.我想对其进行设置，以便PHP处理登录，但是随后可以在PHP和ASP/VBScript之间共享该登录状态.请注意，页面和语言是完全混杂在一起的，有人花时间在网站上可能会遇到每种语言的几种不同页面，而没有特定顺序.

I'm trying to update/maintain an older web site that was initially written in Classic ASP/VBScript, and later had PHP pages added. I'd like to set it up so that PHP handles the login, but then that logged in state can be shared between PHP and ASP/VBScript. Note that the pages and languages are fairly intermingled -- somebody spending time on the site might come across several different pages in each language, in no particular order.

(最终，我希望它可以完全用PHP重写，但是我不得不一次吃掉这头大象；现在，我很简单地尝试提高安全性.)

(Eventually I expect it to be completely rewritten in PHP, but I have to eat this elephant one bite at a time; and for now I'm simple trying to improve security.)

让我们假设我已经成功登录并使用phpPass之类的东西在PHP中验证了用户.我该如何告诉ASP/VBScript页面他们刚刚登录?我怎样才能最好地安全地做到这一点?

Let's assume I've successfully logged in and validated the user in PHP using something like phpPass. How do I tell the ASP/VBScript page they just pulled up that they're logged in? How can I best do this securely?

(感谢您的帮助！)

推荐答案

对于这个问题，我能找到的最佳答案如下.特定于在Classic ASP和ASP.net之间共享登录名，但是方法完全相同:

The best answer I've been able to find for this issue was the following. Specific to sharing a login between Classic ASP and ASP.net, but the methodology is exactly the same:

您可能已经知道，经典的asp和asp.net无法共享 相同的会话状态，因此您确实需要一种机制来记录一个会话 进入另一个.

As you probably already know, classic asp and asp.net cannot share the same session state, so you do need to have a mechanism to log from one into the other.

我要做的是:当某人登录时，创建一个唯一的GUID 您将为该用户保存在数据库中.当您从一个站点跳到 另一个，将该GUID传递到查询字符串中.当您尝试 自动将它们登录到另一个站点，查找该GUID，看看是否 依附于任何人.如果是，请登录.

What I would do is: when someone logs in, create a unique GUID that you save in the database for that user. When you jump from one site to the other, pass that GUID into the query string. When you try to auto-log them into the other site, look up that GUID and see if it's attached to anyone. If it is, log them in.

这样，您就不会传递用户可能猜到的任何内容或 解密.

This way you aren't passing anything that a user could guess or decrypt.

此外，将时间戳添加到数据库也是很明智的.并且GUID应该只有效一两秒钟.登录PHP端，然后切换到ASP并检查GUID.

Additionally, it's smart to add a timestamp to the database as well; and the GUID should only be valid for a second or two. Log in on the PHP end, then flip over to ASP and check the GUID.

并不完全安全，但似乎和我将要找到的一样安全.

Not totally secure, but appears to be about as secure as I'm going to find.

来源: https://stackoverflow.com/a/921575/339440

编辑添加:根据注释，还将用户的IP地址记录到数据库中，并在ASP端进行比较.不允许传送！

Edit to add: per comments, also record the user's IP address to the database and compare it on the ASP side. No teleporting allowed!

更正:在这种情况下，"GUID"是错误的称呼.您需要的是一个随机的字符串，而不是GUID. GUID是一种半随机构造，具有几种特定格式中的一种，在此处不适用.

CORRECTION: In this case "GUID" is a misnomer. What you need here is a random string of characters, not a GUID. A GUID is a semi-random construct with one of a handful of specific formats, and is not applicable here.

这篇关于在PHP和ASP Classic(VBScript)之间共享登录的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！