[Tallahassee-pm] An interesting problem.

[Tillman, James]

> The one big snare that I ran into, and I found this hard to 
> believe, was that ASP doesn't seem to have a native MD5 function.

Why does this surprise you?  ASP has practically nothing native. :-) Even
database access isn't native.
 
> http://users.bigpond.net.au/mrjolly/software_page.html and 
> the ASPMD5 1.0.1 is the class that I ended up using. And it 
> seems to be working corretly, (all the values I've tried 
> compute to the same hash as the internal PHP MD5 function, so 
> unless they coded in a typo on one of the transforms, it 
> should be good to go.

Looks like a good choice to me.
 
> I'm sure I must have seen a solution like this before, 
> because I came up with the actual code very quickly, and had 
> it up and running on both servers in about 2 hours from start 
> to finish (and yes I even documented), but for the life of 
> me, I can't recall where I've seen this done before.

My solution would be to use the token method, but to have the token be a
randomly generated ID, which gets stored in a (mysql|postgresql|other) sql
database, accessible from both the PHP and the ASP servers.  Then scripts on
both sides would check for the token to be in a cookie or require login if
the token is missing (the cookie domain would have to be set to cover all
servers in your domain for this to work.  Alternatively, using URL rewriting
would work)

The database would store the IDs of authenticated users (and the time of
authentication).  A periodic purge of the system would be necessary to
remove old records that had timed-out.

Let me know if this approach interests you and I'll explain more.

jpt