|
|
Posted by Raj Shekhar on 04/11/05 16:18
Adam Hubscher <webmaster@offbeat-zero.net> writes:
> Problem: I would like to possibly utilize a login system (created on
> the remote server), that would then check their username and password
> against the CMS database located there, then redirect with that
> information (encrypted of course), to the local site where the
> information gets stored in a session. Then when they go to create a
> new account, it stores the extra verfied information into the database.
>
> However, the issue at hand here is, I'm not sure how secure it would
> be if I were to say, create a secure login form, verify the
> data... and then create another pseudo form that directs the person to
> the local-based site using hidden post variables (this is my original
> thought on the subject).
>
> Is there another way I could go about doing this (ie, a way that I
> could identify a user that is almost assuredly never going to change)
> or is there a more secure way? Or, am I on the right track?
Maybe instead of passing the password, you can create a unique
sessionid for the user. The userid+the sessionid can then be stored
in a database and you pass the sessionid ahead instead of passing the
password.
On the other end, you can check if the userid and the sessionid that
you have received has been authenticated or not. (This assumes that
the database in which you kept the sessionid is accessible to both
the sides). You will also need to store the timestamp of when the
sessionid was created and discard old sessionids.
--
Raj Shekhar Y! : Operations Engineer
MySQL DBA, programmer and slacker Y!IM : lunatech3007
home : http://rajshekhar.net blog : http://rajshekhar.net/blog/
Navigation:
[Reply to this message]
|