*Short:* A user which exists on one site must be able to use the API of another site without logging in to that site. I think a token mechanism is the way to go but I want input.

The *problem* is that John is logged into JT, not CM, and he doesn't have an account on CM.

The *proposed solution*

1. John submits his credentials to JT.
2. John is validated.
3. JT makes a request to CM using curl, sending a valid username and password (and possibly the IP address will be checked).
4. CM sends back a token (which CM will store in a database or file).
5. JT then hands that token back to the browser.
6. The browser, receiving the token, makes a request to CM to login using the token.
7. CM checks the token's timestamp, checks the token, starts the session, and deletes the token.
8. John inputs some new data and submits it to CM via AJAX through the JT interface.

*Poll:* Does this sound like a good solution or is there something more simple / elegant which I haven't thought of?

*More background* info in case I was too brief above:

I have a php site called Contact Manager which holds information for users in different departments. I have another site on another server called Job Tracker which is used to track support requests from those users. We plan to have other sites like this which use the CM database directly through PHP or indirectly through AJAX.

John is logged in to JT and he can see user details from CM. This is done by the php backend by joining the two databases. John also needs to be able to edit these details. This will be done by an AJAX request using an API on CM.

P.S. What do you call XSS when you're talking about proper XSS rather than malicious XSS?

AJ ONeal
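The seven-step handoff described in the question, written out as an added example so the token properties can be checked end to end. This is not code from the question or from either site; it is a language-neutral sketch in Python, with in-memory dicts standing in for CM's token store and session table, a shared secret standing in for the username/password JT sends in step 3, and an assumed 60-second token lifetime. The class and function names are invented for the example.

```python
"""Added example of the JT -> CM one-time login token handoff.
Names, the shared secret and the 60-second lifetime are assumptions, not
values from the original post."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 60  # assumed lifetime of a handoff token (step 7's timestamp check)


class ContactManager:
    """CM side: authenticates the partner site, issues single-use tokens, redeems them."""

    def __init__(self, partner_secrets):
        self.partner_secrets = partner_secrets  # site name -> shared secret (assumed)
        self.tokens = {}    # token -> (user, site, issued_at): the store of step 4
        self.sessions = {}  # session id -> user

    def issue_token(self, site, site_secret, user, now=None):
        # Steps 3/4: only a partner presenting the right shared secret gets a token.
        expected = self.partner_secrets.get(site)
        if expected is None or not hmac.compare_digest(expected, site_secret):
            raise PermissionError("partner site not authenticated")
        token = secrets.token_urlsafe(32)  # 256 random bits: not guessable
        self.tokens[token] = (user, site, time.time() if now is None else now)
        return token

    def redeem_token(self, token, now=None):
        # Steps 6/7: pop() deletes the token first, so it can be presented exactly
        # once even when the timestamp check below rejects it.
        now = time.time() if now is None else now
        record = self.tokens.pop(token, None)
        if record is None:
            return None
        user, _site, issued_at = record
        if now - issued_at > TOKEN_TTL_SECONDS:
            return None
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = user
        return session_id

    def current_user(self, session_id):
        return self.sessions.get(session_id)


class JobTracker:
    """JT side: validates John against its own users, then asks CM for a token."""

    def __init__(self, cm, site_name, site_secret):
        self.cm = cm
        self.site_name = site_name
        self.site_secret = site_secret
        self.users = {}  # username -> (salt, pbkdf2 digest)

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[username] = (salt, digest)

    def login(self, username, password):
        # Steps 1/2: JT's own credential check.
        if username not in self.users:
            return False
        salt, digest = self.users[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)

    def request_cm_token(self, username, now=None):
        # Step 3: the server-to-server call (curl in the post) as a direct method call.
        return self.cm.issue_token(self.site_name, self.site_secret, username, now)


def browser_handoff(jt, cm, username, password, now=None):
    """Steps 1-7 from the browser's point of view: a CM session id, or None."""
    if not jt.login(username, password):
        return None
    token = jt.request_cm_token(username, now)  # step 5: JT hands the token to the browser
    return cm.redeem_token(token, now)           # step 6: browser presents it to CM


def demo():
    # Constructed sample data for a stand-alone run.
    cm = ContactManager({"JT": "constructed-shared-secret"})
    jt = JobTracker(cm, "JT", "constructed-shared-secret")
    jt.add_user("john", "correct horse")
    session = browser_handoff(jt, cm, "john", "correct horse")
    return cm.current_user(session)


if __name__ == "__main__":
    print(demo())
```

The properties worth checking in any implementation of this flow are the ones the example makes explicit: the token is unguessable, it is bound to a user, it expires, and it is deleted on first presentation regardless of whether the timestamp check passes, so a replayed or stolen token is worthless after John's browser has used it. The optional IP check from step 3 is the only part of the post not modelled here; it can be added as a second field in the token record and compared at redemption.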