On Tue, Jul 29, 2008 at 3:40 PM, shawn gorrell <[EMAIL PROTECTED]> wrote:
> Crap Cam, you type faster than I do... I'd just posed the replay attack
> problem.
Heh - Replay Attack FTW!

Seriously though - Ajas, I think a common workflow would be this:

1) SSO generates a one time use token, crypts it, adds to URL, sends user to target URL with crypted token
2) Target app receives token, decrypts it, makes backend call to SSO server to discover user's identity, applies identity
3) SSO marks token as invalid.

Note that the "backend call" could be a datasource shared between both apps, an HTTP call, webservice, remote CFC call, etc...

Another important thing to note would be that any callbacks to the SSO server should also be made secure.

-Cameron

--
Cameron Childress
Sumo Consulting Inc
http://www.sumoc.com
---
cell: 678.637.5072
aim: cameroncf
email: [EMAIL PROTECTED]

-------------------------------------------------------------
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
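The three-step hand-off Cameron describes, written out as an added example (this is editor-supplied Python, not code from the thread or from anyone on the list). It shows both sides of the exchange: the SSO server mints a one-time token, puts it on the target URL, answers the backend "who is this?" call exactly once, and the second call for the same token fails, which is what closes the replay hole Shawn raised. Assumptions not in the original post: the two servers share an HMAC key so the target app can authenticate the token before it spends a callback on it; the token is signed rather than encrypted because it carries no identity (the user is only learned through the redeem call in step 2); and the "backend call" is an in-process method standing in for the shared datasource, HTTP call or remote CFC call Cameron lists. All names, URLs and the key are constructed for the demo.

```python
"""Added example, not code from the thread: one-time SSO hand-off token with
server-side redemption, showing why step 3 (invalidating the token) defeats replay.

Assumptions (not from the original post): SSO server and target app share an
HMAC key; the backend call is an in-process method; the token is signed, not
encrypted, because it carries no identity.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

SHARED_KEY = b"demo-key-shared-out-of-band"  # constructed for the demo only
TOKEN_TTL_SECONDS = 60


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SSOServer:
    """Step 1 (issue) and step 3 (invalidate) live here."""

    def __init__(self, key: bytes = SHARED_KEY, now=time.time):
        self._key = key
        self._now = now
        self._pending = {}  # token_id -> (user, expires_at); one entry per hand-off

    def issue(self, user: str, target_url: str) -> str:
        """Step 1: mint a one-time token, sign it, and put it on the target URL."""
        token_id = secrets.token_urlsafe(16)
        expires_at = int(self._now()) + TOKEN_TTL_SECONDS
        self._pending[token_id] = (user, expires_at)
        body = json.dumps({"id": token_id, "exp": expires_at, "aud": target_url},
                          separators=(",", ":")).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).digest()
        return target_url + "?" + urlencode({"ssotoken": _b64(body) + "." + _b64(tag)})

    def redeem(self, token_id: str):
        """Steps 2/3: the backend call. Returns the user once; pop() means the
        second call for the same id returns None, which is what stops a replay."""
        entry = self._pending.pop(token_id, None)
        if entry is None:
            return None
        user, expires_at = entry
        if self._now() > expires_at:
            return None
        return user


class TargetApp:
    """Step 2: receive the redirect, check the token, ask the SSO who the user is."""

    def __init__(self, sso: SSOServer, my_url: str, key: bytes = SHARED_KEY, now=time.time):
        self._sso = sso
        self._my_url = my_url
        self._key = key
        self._now = now

    def handle_redirect(self, url: str):
        token = parse_qs(urlparse(url).query).get("ssotoken", [None])[0]
        if token is None or token.count(".") != 1:
            return None
        body_b64, tag_b64 = token.split(".")
        try:
            body, tag = _unb64(body_b64), _unb64(tag_b64)
        except (binascii.Error, ValueError):
            return None
        # Authenticate before touching the SSO backend, so a forged or tampered
        # token cannot even trigger the callback.
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        claims = json.loads(body)
        # Bind the token to this app so one minted for another target is refused.
        if claims.get("aud") != self._my_url or self._now() > claims.get("exp", 0):
            return None
        # In a real deployment this call goes over an authenticated channel,
        # which is Cameron's point that callbacks to the SSO must also be secured.
        return self._sso.redeem(claims["id"])


def demo():
    """Happy path, then the same URL replayed, then a token minted for another app."""
    sso = SSOServer()
    app = TargetApp(sso, "https://app.example/sso-landing")
    url = sso.issue("alice", "https://app.example/sso-landing")
    first = app.handle_redirect(url)             # 'alice'
    replay = app.handle_redirect(url)            # None: id already consumed in step 3
    other = sso.issue("alice", "https://other.example/landing")
    wrong_audience = app.handle_redirect(other)  # None: aud does not match this app
    return first, replay, wrong_audience
```

The invalidation in step 3 is done as part of the redeem call itself (a single pop from the pending table) rather than as a separate request afterwards, so there is no window in which a second copy of the URL can be redeemed between "identity returned" and "token marked invalid". The audience claim and the expiry are checked locally before the callback, so a stale or misdirected token never costs the SSO server a round trip.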
