RSS Feed
Download our iPhone app
Browse DevX
Sign up for e-mail newsletters from DevX


Passing Information Securely Between ASP and ASP.NET

Many classic ASP applications exist side-by-side with newer ASP.NET applications, sometimes leading to a need to transfer or share information between the two. This article shows one method of transferring such information securely.

ou can transfer information between systems using ASP.NET in multiple ways; however, many are cumbersome, complicated, or insecure. For example, many data transfer methods pass information in plain text, which makes the data vulnerable to both interception and misuse. This article centralizes the methods to interact with data used in both ASP and ASP.NET applications. You achieve this by using the same methods of encrypting and data-packaging in ASP.NET as in classic ASP—in other words, by calling .NET code via COM from classic ASP pages.

How ASP and ASP.NET Data-sharing Works
Here are two common ways to transfer data in an ASP/ASP.NET scenario. The first is a system in which servers transfer data based on a key provided by clients. This unique key identifier allows the two servers to contact each other directly and exchange the necessary information. You might see this in a passport-style authentication system. This article, however, uses a second method of transferring data. Instead of passing a unique token through the client, the data itself will be encrypted and transferred via the client to its destination server.

Inside the DataManager DLL
The central part of this application is the DataManager DLL, which manages the setting and encryption of key-value pairs. Select classes and functions contained in the DataManager are also registered for COM interop and are thus accessible from code in classic ASP pages as well.

Inside the DataManager.dll file, the Encryption class contains all the methods needed to encrypt data that will be transferred via the client. Behind the scenes the Encryption class uses a hash table to store key-value pairs added by calling the EncryptValue methods.

   public void EncryptValue(String strKey, 
      String strValue)
      data.Add(strKey, strValue);
      TextWriter tw = new StringWriter();
      MemoryStream ms = new MemoryStream();
      serializer.Serialize(ms, data);
      encryptedData = Encrypt(

Author's Note: This code was written in .NET 2.0; however, you should face no issues in converting it to 1.1, if needed.

Every time you call the EncyrptValue method to add a value, the code adds a new entry to the hash table. The EncryptValue method also computes the hash value using the Encrypt function. The Encrypt function called in the last line takes a string argument and returns an encrypted representation of that string. To improve your data security you could easily alter the code to use a more robust encryption technique involving security certificates.

Also, note that the sample code stores only strings in the hash table; however you can use the same basic method to store a variety of objects. You could even use your own custom classes—but bear in mind that they must be both serializable and registered correctly for COM to work properly.

The Encryption class automatically Base64-encodes all data for transport by the browser when you call the appropriate methods. After the receiving server decodes the data, the class uses the serializer to reconstruct the hash table so it can access the values.

   public void SetEncrypted(string strEncrypted)
      string decrypted;
      encryptedData = strEncrypted;
      // All inputs wil be Base64 encoded
      strEncrypted = 
      // Decrypt data via specified encryption functions
      decrypted = Decrypt(strEncrypted, "KEY");
      data = (Hashtable)serializer.Deserialize(
         new MemoryStream(

Close Icon
Thanks for your registration, follow us on our social networks to keep up-to-date