Posted by Jerry Stuckle on 08/03/06 20:55
Taylor wrote:
> They are not on the same server. There is no shared internal method of
> communicating, so they can only interact via get/post, and cookies.
> The host application will authenticate the user, and then it needs to
> pass the username and something that proves they've been authenticated
> by the host app to my sub-app.
>
You have a problem then. Web server authentication (i.e. through
.htaccess, etc.) is on a per-site basis. Your browser will not send
authentication information from one server to another.
Cookies are the same way - the browser will not under normal conditions
pass a cookie meant for one host on to another. Either one would be a
severe security hole.
However, if the second server is a subdomain, you can use the domain
parameter of setcookie() to specify the cookie will be available to all
subdomains. See the PHP doc for setcookie() for more information.
However - warning. You should NOT rely on cookies for authentication.
It's too easy for someone to edit the cookie (since it is sent to their
machine) and authorize themselves - bypassing all of your security.
Perhaps another way (although I haven't tried) is to create a proxy on
the first server and have it authenticate then pass on the request to
the second one. The second server could then be set to completely block
requests coming from other than the first server.
Not easy, but more secure.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
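As an added illustration of the two points above (sharing a cookie across subdomains via the domain parameter of setcookie(), and not trusting a cookie the user can edit), here is PHP example code that is not from the original post or its author. It assumes the host app and the sub-app are both subdomains of example.com, that the two servers share a secret key distributed out of band, and that the cookie name, domain and lifetime shown are placeholders; instead of storing a bare username, the cookie carries the username, an expiry and an HMAC over both, so the sub-app can reject a cookie whose contents were changed on the client.

```php
<?php
// Added example (not Jerry Stuckle's code): a cookie shared across
// subdomains whose contents are protected by an HMAC.
// Assumptions: both apps live under example.com and share $secret;
// AUTH_COOKIE, COOKIE_DOMAIN and TOKEN_TTL are placeholder values.
// Requires PHP 7.3+ for the array form of setcookie().

const AUTH_COOKIE   = 'hostauth';
const COOKIE_DOMAIN = '.example.com'; // assumption: shared parent domain
const TOKEN_TTL     = 600;            // seconds a token stays valid

// Build the cookie value as username|expiry|HMAC-SHA256(username|expiry).
function make_auth_token(string $username, int $expires, string $secret): string
{
    if (strpos($username, '|') !== false) {
        throw new InvalidArgumentException('username may not contain "|"');
    }
    $payload = $username . '|' . $expires;
    $mac = hash_hmac('sha256', $payload, $secret);
    return $payload . '|' . $mac;
}

// Return the username if the token is intact and unexpired, otherwise null.
function verify_auth_token(string $token, string $secret, int $now): ?string
{
    $parts = explode('|', $token);
    if (count($parts) !== 3) {
        return null; // malformed
    }
    [$username, $expires, $mac] = $parts;
    if (!preg_match('/^\d+$/', $expires) || (int) $expires < $now) {
        return null; // bad or past expiry
    }
    $expected = hash_hmac('sha256', $username . '|' . $expires, $secret);
    // hash_equals() compares in constant time so a forged MAC does not
    // leak how many leading bytes matched.
    if (!hash_equals($expected, $mac)) {
        return null; // cookie was edited or signed with another key
    }
    return $username;
}

// Host app side: after its own login check, issue the cookie for the whole
// parent domain (the domain parameter from the post) with the flags that
// keep it off script access and off plain HTTP.
function issue_auth_cookie(string $username, string $secret): bool
{
    $expires = time() + TOKEN_TTL;
    $token = make_auth_token($username, $expires, $secret);
    return setcookie(AUTH_COOKIE, $token, [
        'expires'  => $expires,
        'path'     => '/',
        'domain'   => COOKIE_DOMAIN,
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Sub-app side: check the cookie on each request; null means "not logged in".
function current_user_from_cookie(string $secret): ?string
{
    if (!isset($_COOKIE[AUTH_COOKIE])) {
        return null;
    }
    return verify_auth_token($_COOKIE[AUTH_COOKIE], $secret, time());
}

// Command-line demonstration with a constructed secret and fixed clock:
// a valid token verifies, an edited one and an expired one do not.
if (PHP_SAPI === 'cli') {
    $secret = 'constructed-demo-secret-replace-me';
    $now = 1700000000;
    $good = make_auth_token('taylor', $now + 600, $secret);
    $edited = str_replace('taylor', 'admin', $good); // client-side edit
    $stale = make_auth_token('taylor', $now - 1, $secret);
    var_dump(verify_auth_token($good, $secret, $now));
    var_dump(verify_auth_token($edited, $secret, $now));
    var_dump(verify_auth_token($stale, $secret, $now));
}
```

Run the file with php from the command line to see the three checks; in a web context, the host app calls issue_auth_cookie() once after its own login succeeds and the sub-app calls current_user_from_cookie() on every request. The HMAC makes editing the cookie detectable, but it does not stop someone who already holds a valid cookie from replaying it, which is why the example keeps the lifetime short and sets the secure and httponly flags.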