[nycphp-talk] Cross domain Logins
Hans Zaunere
hans at nyphp.org
Thu Nov 20 08:50:10 EST 2003
Mark Armendariz wrote:
> Anyone here ever create a cross-domain login system? I'm still waiting
> for details to see if the domains will have access to the same db or
> same server. I figure one way to do it would be to somehow transfer
> session info from one domain to the other, but it seems like there's
> plenty of security issues in doing so. I thought maybe passing an md5
> encrypted string with the username, password from one site to the next
> might work as well, but I'm still not too sure of the security issues,
> especially considering the issues pointed out a couple weeks back
> regarding auto-logins.
In addition to passing some type of key (for instance an md5), you can fingerprint the browser. If a shared DB is available, you could store the browser's request header and then compare it to what the browser requests on the second server (domain). This adds a bit of security.
I once had to do a cross-site login thing between a ColdFusion server and a PHP server. They didn't share a DB, and I had very little control over the CF site. What I finally did was implement a call-ahead to the PHP site.
1) User logs into CF and is directed to a protected page.
2) Within this protected page is a <cfhttp> tag that makes a request to a private URL on the PHP server.
3) The PHP server records the unique key, and could store other info, like a browser fingerprint.
4) When the user clicks a link with the unique key to get to the PHP server, the PHP box is already aware that this person is coming.
While I'm still passing a unique key via a GET, the call-ahead provides some added security, especially when the systems don't share a DB.
H
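The call-ahead from steps 1-4 above, as an added PHP example that is not from the original post: register() is what the <cfhttp> request would hit over the private URL, consume() is what the user's later GET hits, and an in-memory array stands in for the shared DB. The class and function names, the one-minute expiry and the header-based fingerprint are assumptions.

```php
<?php
// Added example (not from the original post). Hypothetical names; an array
// stands in for the shared DB so the script runs stand-alone from the CLI.
final class CallAheadStore
{
    private array $pending = [];   // key => ['fp' => fingerprint hash, 'expires' => unix time]

    // Server-to-server registration (step 2-3): the key is stored with a
    // hash of the browser fingerprint and a short expiry.
    public function register(string $key, string $fingerprint, int $ttlSeconds = 60): void
    {
        $this->pending[$key] = [
            'fp'      => hash('sha256', $fingerprint),
            'expires' => time() + $ttlSeconds,
        ];
    }

    // User arrival (step 4): the key must be known, unexpired and match the
    // fingerprint. It is deleted on the first attempt, match or not, so a
    // key copied out of a log or a shared URL cannot be replayed.
    public function consume(string $key, string $fingerprint): bool
    {
        if (!isset($this->pending[$key])) {
            return false;                     // no call-ahead was seen for this key
        }
        $entry = $this->pending[$key];
        unset($this->pending[$key]);          // single use
        if (time() > $entry['expires']) {
            return false;                     // stale call-ahead
        }
        return hash_equals($entry['fp'], hash('sha256', $fingerprint));
    }
}

// Fingerprint from request headers, as the post suggests (constructed sample below).
function browserFingerprint(array $headers): string
{
    return implode('|', [
        $headers['User-Agent'] ?? '',
        $headers['Accept-Language'] ?? '',
    ]);
}

$store = new CallAheadStore();
$key   = bin2hex(random_bytes(16));   // unguessable key, rather than an md5 of user data
$fp    = browserFingerprint(['User-Agent' => 'Mozilla/5.0 (X11)', 'Accept-Language' => 'en-US']);
$store->register($key, $fp);                                       // CF call-ahead
var_dump($store->consume($key, $fp));                              // bool(true)
var_dump($store->consume($key, $fp));                              // bool(false): replay
var_dump($store->consume('unregistered-key', $fp));                // bool(false): no call-ahead
```

On a real deployment the pending entries live in the shared DB and the register() endpoint is reachable only from the CF server's address.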