Have the user log in to/authenticate against the first server.
That server generates a key, based on combining the username and a private
key known to the authenticating server and your servers.
Pass that back to your servers in a URL - cookie wouldn't work, but the key
in the URL should be sufficiently garbled so as to not be decipherable
easily.
Have your server decipher the key based on the private key shared between
the servers.  You should then have the user name, which you can then use
internally to your system however you need to. (double check that username
IS valid, for starters).

You might also want to search Google for info on how Microsoft's Passport
service works - but I think this is cookie based, and is limited in its
functionality.



"Boget, Chris" wrote:

> I've been charged with trying to find out how something
> like this can be done if it is at all in fact possible.  The info
> I'm hoping to get is what would be involved and where I
> can find information on it.  I'm not asking for code or
> examples unless you really want to provide them. :P
>
> Anyways, what we need to be able to do is the following:
>
> * Have a user be able to authenticate on a *trusted* partner
> website that resides on a server external to our network.
>
> * Have that external website securely transmit information
> (preferably not on the URL :p) with regards to the
> authentication information on that user; the auth info
> will be the same on both servers.  This would allow the
> user streamlined access to the areas on our website that
> would otherwise require the user to log in without forcing
> them to do so.
>
> * The other aspect to the above that we also need to address is
> when a user signs up for the first time on the trusted partner's
> site, that signup information should be securely transmitted to
> us when/if the user attempts to access our site so we could set
> them up in the database and authenticate them by nature of the
> above.
>
> Is something like this possible?  What would be involved?  Is
> there something that is already built into Apache/PHP that
> would make it easier?  Someone suggested XML database transfer,
> but I've never heard of XML being anything other than a markup
> language much less capable of storing data?  It was also suggested
> that we use something like public key/private key but am not sure
> how that would work...
>
> We are using:
>
> Apache 1.3.12
> PHP 4.0.3pl1
> PHP4 Session based (not HTTP basic) authentication using MySQL
> to store the ID/PW
>
> I realize the security implications of something like this and have
> brought them up myself.  However, it's something that is being
> pushed and so I've got to look into it (and I don't even really know
> where to start) so please don't say it's stupid because I already know.
> :)  Is something like this possible?  What's involved?  Where can I go
> to learn more?
>
> Thanks!
>
> Chris


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
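
The hand-off described in the reply above, as an added example that is not part of the original thread. It swaps in HMAC-SHA256 signing for "garbling" the name, so the username is readable in the URL but cannot be altered or minted without the shared key, and it adds a short expiry so a captured link stops working. Assumptions: the key value, the example.com URL, the sso.php script, the "t" parameter, the function names and the username pattern are all hypothetical, and a current PHP (7.1 or later) is required.

```php
<?php
// Added example, not code from the thread. SHARED_KEY is a constructed
// placeholder; in practice both servers load the same random key from config.
const SHARED_KEY = 'constructed-demo-key-not-for-production';

function b64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $txt): string {
    $pad = (4 - strlen($txt) % 4) % 4;
    return (string) base64_decode(strtr($txt, '-_', '+/') . str_repeat('=', $pad), true);
}

// Partner (authenticating) server: bind username and expiry under one MAC.
function issue_token(string $username, int $now, int $ttl = 60): string {
    $payload = b64url_encode(json_encode(['u' => $username, 'exp' => $now + $ttl]));
    return $payload . '.' . b64url_encode(hash_hmac('sha256', $payload, SHARED_KEY, true));
}

// Receiving server: returns the username, or null if the token is rejected.
function verify_token(string $token, int $now): ?string {
    $parts = explode('.', $token);
    if (count($parts) !== 2) return null;
    $expected = b64url_encode(hash_hmac('sha256', $parts[0], SHARED_KEY, true));
    if (!hash_equals($expected, $parts[1])) return null;   // constant-time compare
    $claims = json_decode(b64url_decode($parts[0]), true);
    if (!is_array($claims) || !is_string($claims['u'] ?? null)
        || !is_int($claims['exp'] ?? null)) return null;
    if ($now > $claims['exp']) return null;                 // stale link
    // Assumed username policy; the caller must still look the name up in its own user table.
    return preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $claims['u']) ? $claims['u'] : null;
}

// Constructed walk-through with a fixed clock so it runs offline.
$now   = 1000000000;
$token = issue_token('alice', $now);
echo 'redirect: https://www.example.com/sso.php?t=', $token, "\n";
echo 'fresh:    ', var_export(verify_token($token, $now + 10), true), "\n";
echo 'expired:  ', var_export(verify_token($token, $now + 3600), true), "\n";
// Payload swapped for another name while keeping the old MAC.
$swapped = b64url_encode(json_encode(['u' => 'bob', 'exp' => $now + 60]));
echo 'tampered: ', var_export(verify_token($swapped . '.' . explode('.', $token)[1], $now), true), "\n";
```

The redirect should go over HTTPS, and the receiving server can additionally remember tokens it has accepted until they expire so that each link works only once.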
