

Passing Information Securely Between ASP and ASP.NET : Page 2

Many classic ASP applications exist side-by-side with newer ASP.NET applications, sometimes leading to a need to transfer or share information between the two. This article shows one method of transferring such information securely.





Registering DLLs for Use by COM
This solution requires you to be able to access the .NET code in the DataManager DLL from ASP. To do that, you must hook up the primary encryption class for COM so that the ASP page can create an instance of it. You won't call the encryption methods directly from ASP code; instead, you'll create an interface that contains all the methods needed by the ASP page, and call those via COM automation.

    using System;
    using System.Runtime.InteropServices;

    /// <summary>
    /// Used for COM interop interface
    /// </summary>
    [Guid("297AE33F-3EEF-4528-99EA-9C9866DC863C")]
    [InterfaceType(ComInterfaceType.InterfaceIsIDispatch)]
    public interface IDotNetInterface
    {
        String GetValue(string strKey);
        void EncryptValue(String strKey, String strValue);
        string GetEncrypted();
        void SetEncrypted(string strEncrypted);
    }

    /// <summary>
    /// Used for encryption functions and algorithms
    /// </summary>
    [Guid("155BEB46-9B24-4eca-97DA-3B68BCAAE710")]
    [ClassInterface(ClassInterfaceType.None)]
    [ProgId("DataManager.Encryption")]
    public class Encryption : IDotNetInterface
    {
        ...
    }

The preceding code uses attributes to attach a GUID and a class interface to each object. Note that the code defines the interface type as ComInterfaceType.InterfaceIsIDispatch, which allows the ASP page to access the interface functions via COM.

After assembling the framework, you need to register the DLL with the operating system by adding the assembly to the Global Assembly Cache (GAC). To do this, open Windows Explorer and navigate to the Assembly folder in the Windows directory. After placing the assembly in the GAC, you can use the regasm.exe tool to register the classes contained in the DLL. The regasm tool is installed with Microsoft Visual Studio; you can find it in the current version of the framework folder in your primary Windows install directory.

Encrypting and Decrypting Data
After building and registering the DataManager.dll for COM, you can create the pages that package and transfer the data. The example given in the downloadable code uses an ASP.NET (.aspx) page to transfer a keyed piece of data to a classic ASP (.asp) page and vice versa. The ASP page creates an instance of the Encryption class and uses that to decode the data and query the value that was passed in. The ASP page also provides a text box so you can submit data to be passed back to the .aspx page for decoding.

Here's the code for the ASP page:

    dim serverSession

    'Transfer to asp.net
    if Request.Form("transfer") <> "" then
        set serverSession = server.CreateObject("DataManager.Encryption")
        call serverSession.EncryptValue("data", request.Form("transfer"))
        strEncrypted = serverSession.GetEncrypted
        Response.Redirect("Default.aspx?i=" & strEncrypted)
    end if

    'Transfer from asp.net
    if Request.QueryString("i") <> "" then
        ' Create the .NET object (it must be in the GAC or this will fail).
        ' Also object must be registered using regasm found in the Framework folder
        set serverSession = server.CreateObject("DataManager.Encryption")
        call serverSession.SetEncrypted(request.querystring("i"))
    end if

In ASP.NET, the page code is:

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            if (Request.QueryString["i"] == null)
            {
                lblTransfer.Visible = false;
            }
            else
            {
                Encryption enc = new Encryption();
                enc.SetEncrypted(Request.QueryString["i"]);
                // The decrypted value was originally typed by a user, and Label.Text
                // is not encoded automatically, so HTML-encode it before display.
                lblTransfer.Text = "Passed in from ASP: " +
                    Server.HtmlEncode(enc.GetValue("data"));
            }
        }
    }

    protected void btnTransfer_Click(object sender, EventArgs e)
    {
        Encryption enc = new Encryption();
        string redirectPath;

        enc.EncryptValue("data", txtTransferValue.Text);
        redirectPath = "http://localhost/DataLink/ASPTest.asp?i=" + enc.GetEncrypted();

        // Refuse to redirect when the URL would not fit in a GET request.
        if (redirectPath.Length < 2083)
            Response.Redirect(redirectPath);
        else
            throw new Exception("URL has exceeded the " +
                "maximum allowable URL length");
    }

The two methods shown above build a URL that passes the encrypted data using the variable i. Bear in mind that if the length of the data (plus the length of the URL itself) exceeds the maximum allowable length of a URL it will be truncated. The preceding code throws an exception if the URL being sent to the client exceeds 2083 characters, which is the maximum length of a GET request in Internet Explorer (other browsers may differ). In other words, this method works well for passing relatively small values. If the data you are encrypting is too long for a URL, you will instead need to use a combination of forms and JavaScript to pass the information from the source to the destination page as shown below.

    <html>
    <head>
        <meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7.1">
        <script>
            function letsgo() {
                Form1.submit();
            }
        </script>
    </head>
    <body onload="letsgo();">
        <form action="Default.aspx" method="post" ID="Form1">
            <INPUT type="hidden" ID="Hidden1" NAME="i" value="<%= strEncrypted %>">
        </form>
    </body>
    </html>

By passing the information using the form-based submission mechanism shown above, you aren't restricted to the maximum size of a URL string. You can easily modify the downloadable sample code for this article to retrieve values from the form collection rather than from the QueryString.

If you combine all the techniques discussed here, you can pass information easily between separate applications. The supplied sample code transfers data only between pages on the same site. However, by changing the destination URL you can pass data between separate sites and/or separate servers, using any combination of ASP.NET and ASP pages.

The data transfer method chosen for this example uses the client's browser to pass the information between sites, creating an easy and relatively secure method of transfer. While it does make the client process more information, it also means that you can pass information between two sites without having to set up a custom server-to-server communication mechanism.
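
Because the value travels through the client's browser, the receiving page can trust it only if it can detect modification and stale reuse. The C# sketch below is an added example, not the article's DataManager code: it seals a value with an expiry using encrypt-then-MAC and encodes it so that it is safe in the i query-string parameter. The TransferToken class, the token layout and the key handling are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
// Added illustration: TransferToken is hypothetical, not the article's DataManager.Encryption.
// Token = base64url( IV || AES-CBC(expiry ticks || value) || HMAC-SHA256(IV || ciphertext) )
public static class TransferToken
{
    public static string Seal(string value, byte[] encKey, byte[] macKey, TimeSpan lifetime)
    {
        using (Aes aes = Aes.Create())   // CBC + PKCS7 by default, fresh random IV
        using (HMACSHA256 mac = new HMACSHA256(macKey))
        {
            aes.Key = encKey;
            long expiry = DateTime.UtcNow.Add(lifetime).Ticks;
            byte[] plain = BitConverter.GetBytes(expiry).Concat(Encoding.UTF8.GetBytes(value)).ToArray();
            byte[] body = aes.IV.Concat(aes.CreateEncryptor().TransformFinalBlock(plain, 0, plain.Length)).ToArray();
            string b64 = Convert.ToBase64String(body.Concat(mac.ComputeHash(body)).ToArray());
            return b64.TrimEnd('=').Replace('+', '-').Replace('/', '_'); // safe inside ?i=
        }
    }
    public static string Open(string token, byte[] encKey, byte[] macKey)
    {
        string b64 = token.Replace('-', '+').Replace('_', '/');
        byte[] all = Convert.FromBase64String(b64.PadRight((b64.Length + 3) / 4 * 4, '='));
        int n = all.Length - 32;         // IV + ciphertext, without the 32-byte MAC tag
        if (n < 32) throw new CryptographicException("Token too short.");
        using (Aes aes = Aes.Create())
        using (HMACSHA256 mac = new HMACSHA256(macKey))
        {
            byte[] tag = mac.ComputeHash(all, 0, n);
            int diff = 0; for (int i = 0; i < 32; i++) diff |= tag[i] ^ all[n + i]; // constant-time compare
            if (diff != 0) throw new CryptographicException("Token was modified.");
            aes.Key = encKey; aes.IV = all.Take(16).ToArray();   // decrypt only after the MAC check
            byte[] plain = aes.CreateDecryptor().TransformFinalBlock(all, 16, n - 16);
            if (BitConverter.ToInt64(plain, 0) < DateTime.UtcNow.Ticks) throw new CryptographicException("Token expired.");
            return Encoding.UTF8.GetString(plain, 8, plain.Length - 8);
        }
    }
    public static void Main()
    {
        byte[] encKey = new byte[32], macKey = new byte[32];   // constructed demo keys
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(encKey); rng.GetBytes(macKey); }
        string token = Seal("order 1234", encKey, macKey, TimeSpan.FromMinutes(2));
        Console.WriteLine(Open(token, encKey, macKey));
        string forged = (token[0] == 'A' ? "B" : "A") + token.Substring(1);
        try { Open(forged, encKey, macKey); } catch (CryptographicException ex) { Console.WriteLine(ex.Message); }
    }
}
```

In a real deployment both applications would load the same two keys from protected configuration rather than generating them at start-up.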

Bryan Roberts is a consultant for Oakwood Systems Group in St. Louis, MO. He focuses mainly on Microsoft technologies and specializes in developing business applications in .NET.