Passing secure dynamic data to a Flash page


AlexSilverman
01-26-2006, 09:45 PM
Hello,

I'm developing a site with an ASP.NET login, redirecting to custom flash pages for each user. The login database is handled by a third party solution, and returns an account ID, which is the relevant piece of information that needs to be passed to the flash movie on a separate webpage. Pseudocode for the login page is as follows...

    int iAccountID = AuthenticateUser(username, password);
    // Save the account ID somehow for the page to use
    // The address that the user is forwarded to is dependent upon who they are
    switch(iAccountID)
    {
        .....
        case 1:
            Response.Redirect("custompage.com");
            break;
        .....
    }

The pages that the logged in users are sent to all have essentially the same Flash Movie on them, with data custom to that user. The problem is that in order to operate properly, the movies need the account ID given by the authentication method. Due to security concerns, I can't use a query string, and it has to be secure.

If anyone has any ideas/suggestions/questions about this, please don't hesitate. Thanks in advance.

- Alex

TheShaner
01-26-2006, 10:17 PM
Use Sessions to pass the info. They're relatively safe for passing info like you stated back and forth on pages.

Not sure what server-side language you're using, but if PHP, it'd be as simple as:
$_SESSION['acctID'] = $iAccountID;
Then the next page with the flash movie just retrieves the value from $_SESSION['acctID']. Of course, in between [' and '] can be whatever you want to call it.

-Shane

AlexSilverman
01-26-2006, 10:55 PM
Shane-

Thanks for the suggestion. One possible problem is that the Flash movies were done prior to the move towards ASP.NET and thus are not part of the web application I'm developing. If this method makes it a requirement that the movies become part of the application, then so be it, but it would be preferable if that weren't the case, as they are still under development by another member of the team. I'm not too familiar with sessions, so I don't know how far they persist. Is it governed by the browser more than which sites you visit?

Also, as a note, I'm using C# for the code behind my pages.

Thanks.

- Alex

TheShaner
01-26-2006, 11:14 PM
You said you're using ASP.NET and then I state that I don't know what server-side language you're using. Wow. Sometimes I wonder.

Anyway, sessions persist on the server (in a specified folder on the server). But this is not the solution you're looking for since the ASP.NET framework is not set up on your custom pages.

What you can instead do is store a cookie with their account ID on their computer when they log on and then when they get redirected to the new custompage, use whatever code on the custom page (you mentioned C#) to grab the cookie's value and pass it to the movie. I really don't know anything about Flash (or C# unfortunately), so I'm not sure how this passing is done.

-Shane

AlexSilverman
01-27-2006, 04:26 PM
Shane -

The cookie idea sounds like the way to go, but how secure is it? Is there a way to put some encryption on it or something? It doesn't seem like storing data that needs to be secure on a file local to the user is the best option.

Actually, thinking about this some, it wouldn't be too much work to set up the custom pages for ASP.NET to enable the session approach, would it? I do have access to them, and would be able to do this. Am I incorrect in saying that it's mainly the *.aspx extension and the first line (which specifies the language and codefile and such) that designates it as an ASP.NET file, so that's all that would need to be added, or are there other tags that need to be added? By the way, this is my first ASP.NET project, so forgive any questions that perhaps I ought to know the answer to.

- Alex

TheShaner
01-30-2006, 07:20 PM
Alex, if security is a big issue with this account id, then cookies probably aren't the best method.

Sessions are definitely a bit more secure since the info stays with the server, but session stealing can be done, although a bit difficult. If security is that big of an issue, transferring via SSL is the best method, although it costs a bit of money to get an SSL certificate and set that type of access up.

To be honest, I think Sessions would work fine in your case, but then again, I don't know your details that well and I'm probably not the best person to consult security with. I only know what I've read and don't actually have firsthand experience with it. Others on these forums should definitely know though.

Anyway, if you go the Sessions route, it shouldn't be hard at all to set up. The only thing you need to have set up in order for ASP.NET to work is the files need to have .aspx extensions on them and your server must support ASP.NET. If those cases exist, then you're set. You could take a regular html page, replace the .html or .htm extension with .aspx, and it should run perfectly normal on your server.

Then, all it really takes is knowing the commands (in C# since that is your language of choice for ASP.NET) to retrieve the session that has stored the account id (which has been originally stored in session when you queried the database for the account id based on the login before redirecting).

Remember, the custom pages must be located on the same server as your login page for them to gain access to the session.

If you need any kind of touch up in ASP.NET (since it's your first project), look over W3School's tutorial (http://www.w3schools.com/aspnet/default.asp) on ASP.NET. When they give examples, it's written in the default language of Visual Basic (which is why ASP.NET pages will work without specifying a language).

Hopefully this gave you some direction.

-Shane
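
The session route described in the post above, sketched in C# for ASP.NET Web Forms. This is an added example, not code posted by anyone in the thread. The file names, the `OnLoginClick` handler, the form field names, the `AccountID` session key, the `acctID` FlashVars name and the `AuthenticateUser` signature and failure value are all assumptions.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Login.aspx.cs (hypothetical file name): runs when the login form is submitted.
public partial class Login : Page
{
    // Stand-in for the third-party call in the original post; signature assumed.
    static int AuthenticateUser(string username, string password)
    {
        throw new NotImplementedException("call the third-party login library here");
    }

    protected void OnLoginClick(object sender, EventArgs e)
    {
        int accountId = AuthenticateUser(Request.Form["username"],
                                         Request.Form["password"]);
        if (accountId <= 0) // assumption: a non-positive ID means the login failed
        {
            Response.Redirect("Login.aspx");
            return;
        }
        // The ID is kept in server-side session state. The browser holds only
        // the ASP.NET session cookie, and nothing is appended to the URL.
        Session["AccountID"] = accountId;
        Response.Redirect("CustomPage.aspx");
    }
}

// CustomPage.aspx.cs (hypothetical): the former .html page that hosts the movie.
public partial class CustomPage : Page
{
    // Read by the markup: <param name="FlashVars" value="<%= FlashVars %>" />
    protected string FlashVars = "";

    protected void Page_Load(object sender, EventArgs e)
    {
        object stored = Session["AccountID"];
        if (stored == null) // never logged in, or the session has expired
        {
            Response.Redirect("Login.aspx");
            return;
        }
        // Encode before writing into markup. The value ends up in the page
        // source delivered to the logged-in user, so it is visible to them.
        FlashVars = "acctID=" + HttpUtility.UrlEncode(stored.ToString());
    }
}
```

Both pages have to be served by the same ASP.NET application for `Session["AccountID"]` to be visible on the second page.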

AlexSilverman
01-30-2006, 08:33 PM
Shane -

Thanks for all your help on this. Security is indeed a large concern, but not enough of one to go the SSL route :)

Sessions do sound like a good solution, and I've been trying to seek out info on converting HTML to ASP. It does appear to be as simple as you're saying, and not too much more effort to retrieve the data in C#.

Thanks for all your help in this issue. It's much appreciated.

- Alex

TheShaner
01-30-2006, 08:40 PM
Glad I could be somewhat of a use! Good luck with your project. If you need any help in ASP.NET, we have a forum devoted to just that subject. So feel free to post any of your problems and/or concerns there once you really start to get your hands dirty. The guys that help out there definitely know what they're doing.

And though a little late now, welcome to CodingForums!

-Shane