Passing user from unsecure to secure domain in asp.net

  • Thread starter Thread starter Stephen Bartholomew
  • Start date Start date
S

Stephen Bartholomew

Hi All,

Firstly, apologies to anyone that notices the cross-post: i also
posted this in microsoft.public.dotnet.general earlier this week.

I have an ecommerce site that resides mainly on an unsecure server for
browsing the catalogue and only passes the user to a secure area when
its time checkout. The secure domain however is not located on the
same URL as the unsecure site - it is hosted on a virtual directory of
the ISP's secure domain.

The way i would have traditionally passed the user across to the
secure domain is by providing a POST form containing the users id as
well as a db stored, transfer string for security. The secure domain
application would then pick up the form values, verify the transfer
string and set up a new session on the secure domain.

However you cannot post away from a webform, as is the asp.net way.

Most of the advice when it comes to posting away from a web form is
that you shouldn't have to post away from a form, but i dont see
anyway around this.

I'm sure that i'm just not thinking about this in the right way and
there
is probably a simple answer - asp.net hasn't let me down yet!

I'd really appreciate any advice on this subject,

Thanks in advance,

Steve
 
Generally, most of the time you don't need to post anyplace else, each page
can handle its own data. However, this isn't a law.

In your situation it seems reasonable that you would want to post your data
to the secure site.
 
Thanks for your responses.

Joe: I see what you're saying about multiple forms and the way you
mention is the technique i have used before. However as with most
things there are always multiple ways of doing things and i thought
that passing hidden data across servers/domains would have been
considered when developing asp.net.

I have, in the past, applied old techniques from my php days when
developing an application in asp.net, only to find out that there was
a much neater way of doing it.

I know it makes sense to just have client side forms outside of the
server-side form but you get into problems when:
o You have a form that, for display purposes, will fall inside the
server-side form
o You have a form that also contains a server side event controller

I'm sure there is a hack for getting around this; i found that
sticking a blank form (<form></form>) before the actual form will
enable following forms to post away from the page even if they are
inside the server-side form - that is of course just a tacky
work-around, not a solution.

Steve
 
Back
Top