Posted by Taylor on 08/04/06 04:15
Hmmm, I think we're all on different pages, but I think Colin came
closest to what I'm getting at. I think I found a solution:
This sub-site (like I've said, it can share no special links with the
other site like VPN, database, common server, etc.) is designed to be
invoked from many different "host" sites, as a sort of "service" built
into other websites. The sub-site is hosted on an entirely different
platform, and must be invoked by get/post, unless there is some other
clever idea.
My solution is to have a secret key for each "host" site that uses my
sub-site service. When the host site authenticates a user, the host
site invokes the sub-site with a query string of an md5 hash of the
concatenation of the secret key and the user's username, along with an
unencrypted version of the username (so I know who's authenticated).
The sub-site then checks to make sure the md5 hash matches what is
expected.
What do you think?
Colin McKinnon wrote:
> Taylor wrote:
>
> > They are not on the same server. There is no shared internal method of
> > communicating, so they can only interact via get/post, and cookies.
> > The host application will authenticate the user, and then it needs to
> > pass the username and something that proves they've been authenticated
> > by the host app to my sub-app.
>
> The best solution depends on how the user moves from one site to the other,
> whether HTTPS is involved and whether they have the same FQDN. But let's take
> the simplest case - where there is none of that:
>
> on server A:
>
> // encrypt()/decrypt() stand for any symmetric cipher keyed with $encryption_key
> function getToken($username, $encryption_key)
> {
>     $token = base64_encode(encrypt($username . "|" . time(), $encryption_key));
>     return($token);
> }
>
> and add the token into the URL you are linking with or as a hidden field in
> any forms being submitted to the other server. Then at the other end:
>
> function check_auth($token, $encryption_key)
> {
>     $token = base64_decode($token);
>     $token = decrypt($token, $encryption_key);
>     list($username, $timestamp) = explode('|', $token);
>     if (abs(time() - $timestamp) > 60) { // more than 60 seconds apart
>         return(false);
>     } else {
>         return($username);
>     }
> }
>
> Obviously this is not going to prevent replay attacks - really you should be
> using a challenge based mechanism.
>
> The most efficient solution is to push the encryption and validation down to
> the transport layer using a VPN though.
>
> C.
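The timestamped token Colin sketches, combined with Taylor's per-host secret, as an added example that is not code from this thread. It is written in Python because the scheme is language-independent; it swaps the sketched encrypt()/md5 for an HMAC-SHA256 tag and keeps the 60-second freshness window. HOST_KEYS, make_token, check_auth and MAX_SKEW_SECONDS are names I chose, and the key is a constructed demo value.

```python
import base64
import hashlib
import hmac
import time

# Constructed demo secret shared between one "host" site and the sub-site.
# Each host site gets its own key, as in Taylor's design.
HOST_KEYS = {"host-a": b"constructed-demo-secret-for-host-a"}

MAX_SKEW_SECONDS = 60  # the 60-second window from Colin's sketch


def make_token(host_id, username, now=None):
    """Host side: URL-safe base64 of 'host|username|timestamp|mac'."""
    if "|" in username:
        raise ValueError("username must not contain the separator")
    now = int(time.time()) if now is None else now
    msg = f"{host_id}|{username}|{now}".encode()
    mac = hmac.new(HOST_KEYS[host_id], msg, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(msg + b"|" + mac.encode()).decode()


def check_auth(token, now=None):
    """Sub-site side: returns (host_id, username) or None if rejected."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        host_id, username, ts, mac = raw.decode().split("|")
        ts = int(ts)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed: bad base64, wrong field count, bad timestamp
    key = HOST_KEYS.get(host_id)
    if key is None:
        return None  # unknown host site
    msg = f"{host_id}|{username}|{ts}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None  # tag mismatch: forged or tampered (constant-time compare)
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return None  # stale: outside the freshness window
    return host_id, username
```

The window only bounds how long a captured token stays usable; as Colin notes, a challenge or one-time nonce is needed to rule replay out entirely.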