Posted by Colin McKinnon on 08/03/06 21:18
Taylor wrote:
 > They are not on the same server.  There is no shared internal method of
 > communicating, so they can only interact via get/post, and cookies.
 > The host application will authenticate the user, and then it needs to
 > pass the username and something that proves they've been authenticated
 > by the host app to my sub-app.
 
 The best solution depends on how the user moves from one site to the other,
 whether HTTPS is involved and whether they have the same FQDN. But let's take
 the simplest case - where there is none of that:
 
 on server A:
 
 function getToken($username, $encryption_key)
 {
     // AES-256-GCM: $encryption_key must be 32 bytes and shared with server B.
     $iv = random_bytes(12);
     $ciphertext = openssl_encrypt($username . "|" . time(), 'aes-256-gcm',
                                   $encryption_key, OPENSSL_RAW_DATA, $iv, $tag);
     // IV and authentication tag travel with the ciphertext so the other end
     // can decrypt and detect tampering.
     $token = base64_encode($iv . $tag . $ciphertext);
     return($token);
 }
 
 and add the token into the URL you are linking with or as a hidden field in
 any forms being submitted to the other server. Then at the other end:
 
 function check_auth($token, $encryption_key)
 {
     $raw = base64_decode($token, true);
     if ($raw === false || strlen($raw) < 28) { // too short to hold IV + tag
         return(false);
     }
     $iv = substr($raw, 0, 12);
     $tag = substr($raw, 12, 16);
     $ciphertext = substr($raw, 28);
     $plain = openssl_decrypt($ciphertext, 'aes-256-gcm', $encryption_key,
                              OPENSSL_RAW_DATA, $iv, $tag);
     if ($plain === false) { // wrong key or tampered token
         return(false);
     }
     list($username, $timestamp) = explode('|', $plain, 2);
     if (abs(time() - $timestamp) > 60) { // more than 60 seconds apart
         return(false);
     } else {
         return($username);
     }
 }
 
 Obviously this is not going to prevent replay attacks - really you should be
 using a challenge-based mechanism.
 
 The most efficient solution is to push the encryption and validation down to
 the transport layer using a VPN though.
 
 C.