> Have the user log in to/authenticate against the first server.
> That server generates a key, based on combining the username
> and a private key known to the authenticating server and your
> servers.
> Pass that back to your servers in a URL - cookie wouldn't
> work, but the key in the URL should be sufficiently garbled so
> as to not be decipherable easily.
> Have your server decipher the key based on the private key
> shared between the servers. You should then have the user
> name, which you can then use internally to your system however
> you need to. (double check that username IS valid, for starters).
One other thing that I forgot to include in my previous message as
a concern of mine and it relates to the above. If we did it that way,
someone who was listening to a port on the client's server, or who
came by later to use the same machine the client was using previously
to do this could get this somehow encrypted information and log in
as the previous user since we wouldn't require authentication because
said authentication would have already been done on the trusted
website. So essentially a 3rd party could conceivably obtain this
information that was posted with the URL (which is why I didn't
want to pass this information via GET) to access our site and wreak
havoc. I definitely want to minimize this possibility.
> You might also want to search google for info on how
> microsoft's passport service works - but I think this is
> cookie based, and is limited in its functionality.
Ok, I'll check it out. Thanks!
Chris
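As an added illustration of the scheme quoted above and of the replay concern raised in the reply (this is example code written for this page, not something posted by either participant), the following Python sketch has the authenticating server issue a URL-safe token that binds the username to a shared key with an HMAC, and has the receiving server verify it. The shared key, the user list and the 60-second lifetime are constructed values for the example. The two mitigations it demonstrates against someone who later sees the URL are a short expiry and a one-time nonce, so a token that has already been consumed, or that is presented after it expired, is rejected even though its signature is valid:

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed example values; a real deployment would use a randomly generated
# key kept only on the two servers.
SHARED_KEY = b"example-shared-key-not-for-production"
KNOWN_USERS = {"alice", "bob", "chris"}
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def issue_token(username, shared_key=SHARED_KEY, now=None, ttl=60):
    """Authenticating server: build a signed, short-lived, single-use token.

    The payload carries the username, an absolute expiry time and a random
    nonce; the HMAC over the payload proves it was made with the shared key.
    """
    now = int(time.time()) if now is None else now
    payload = {"user": username, "exp": now + ttl, "nonce": secrets.token_hex(16)}
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(shared_key, body, hashlib.sha256).digest()
    # URL-safe base64 without padding so the token can ride in a query string.
    return base64.urlsafe_b64encode(body + tag).decode().rstrip("=")


class TokenVerifier:
    """Receiving server: check signature, expiry, replay and that the user exists."""

    def __init__(self, shared_key=SHARED_KEY, known_users=KNOWN_USERS):
        self.key = shared_key
        self.known_users = known_users
        self.seen_nonces = set()  # in production this would be a shared store

    def verify(self, token, now=None):
        """Return the username if the token is acceptable, otherwise None."""
        now = int(time.time()) if now is None else now
        try:
            raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        except (ValueError, TypeError):
            return None
        if len(raw) <= TAG_LEN:
            return None
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison so a wrong key or altered payload is rejected
        # without leaking how many bytes matched.
        if not hmac.compare_digest(tag, expected):
            return None
        try:
            payload = json.loads(body)
        except ValueError:
            return None
        if payload.get("exp", 0) < now:
            return None  # expired: a token copied from an old URL is useless
        nonce = payload.get("nonce")
        if nonce is None or nonce in self.seen_nonces:
            return None  # replay: this token was already consumed once
        user = payload.get("user")
        if user not in self.known_users:
            return None  # the "double check that username IS valid" step
        self.seen_nonces.add(nonce)
        return user


if __name__ == "__main__":
    tok = issue_token("chris")
    verifier = TokenVerifier()
    print("first use:", verifier.verify(tok))   # chris
    print("replay:", verifier.verify(tok))      # None
```

Because the nonce set lives on the receiving server, replay protection only holds across all of "your servers" if they share that store; the expiry bound limits how long the store has to remember a nonce.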