Also, you can check the value of $HTTP_REFERER for the IP of the trusted
host, to further eliminate the potential.

Best regards,
Andrew
----------------------------------------------------
Andrew Hill
Director Technology Evangelism
OpenLink Software
http://www.openlinksw.com
XML & E-Business Infrastructure Technology Provider


> -----Original Message-----
> From: Michael Kimsal [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 23, 2001 12:32 PM
> To: Boget, Chris
> Cc: Php (E-mail)
> Subject: Re: [PHP] "Authenticating" across sites/servers
>
>
> Have the user log in to/authenticate against the first server.
> That server generates a key, based on combining the username and a private
> key known to the authenticating server and your servers.
> Pass that back to your servers in a URL - cookie wouldn't work,
> but the key
> in the URL should be sufficiently garbled so as to not be decipherable
> easily.
> Have your server decipher the key based on the private key shared between
> the servers.  You should then have the user name, which you can then use
> internally to your system however you need to. (double check that username
> IS valid, for starters).
>
> You might also want to search google for info on how microsoft's passport
> service works - but I think this is cookie based, and is limited in its
> functionality.
>
>
>
> "Boget, Chris" wrote:
>
> > I've been charged with trying to find out how something
> > like this can be done if it is at all in fact possible.  The info
> > I'm hoping to get is what would be involved and where I
> > can find information on it.  I'm not asking for code or
> > examples unless you really want to provide them. :P
> >
> > Anyways, what we need to be able to do is the following:
> >
> > * Have a user be able to authenticate on a *trusted* partner
> > website that resides on a server external to our network.
> >
> > * Have that external website securely transmit information
> > (preferably not on the URL :p) with regards to the
> > authentication information on that user; the auth info
> > will be the same on both servers.  This would allow the
> > user streamlined access to the areas on our website that
> > would otherwise require the user to log in without forcing
> > them to do so.
> >
> > * The other aspect to the above that we also need to address is
> > when a user signs up for the first time on the trusted partner's
> > site, that signup information should be securely transmitted to
> > us when/if the user attempts to access our site so we could set
> > them up in the database and authenticate them by nature of the
> > above.
> >
> > Is something like this possible?  What would be involved?  Is
> > there something that is already built into Apache/PHP that
> > would make it easier?  Someone suggested XML database transfer,
> > but I've never heard of XML being anything other than a markup
> > language much less capable of storing data?  It was also suggested
> > that we use something like public key/private key but am not sure
> > how that would work...
> >
> > We are using:
> >
> > Apache 1.3.12
> > PHP 4.0.3pl1
> > PHP4 Session based (not HTTP basic) authentication using mySql
> > to store the ID/PW
> >
> > I realize the security implications of something like this and have
> > brought them up myself.  However, it's something that is being
> > pushed and so I've got to look into it (and I don't even really know
> > where to start) so please don't say it's stupid because I already know.
> > :)  Is something like this possible?  What's involved?  Where can I go
> > to learn more?
> >
> > Thanks!
> >
> > Chris
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>
>

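As an added worked example (not code from the thread or from any of the posters): the token scheme Michael describes above, with both the issuing (partner) side and the receiving side. In place of the "garbled" encrypted key it uses an HMAC over the payload, so the receiving server can verify the token was produced by someone holding the shared secret rather than merely decode it; a timestamp and nonce bound the window in which a token copied out of a URL can be reused, and the signup data from Chris's third bullet rides along in the same signed payload. It assumes a modern PHP (hash_hmac, hash_equals and random_bytes do not exist in PHP 4), a secret shared out of band, and placeholder hostnames, usernames and field names.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7.1 for hash_hmac(),
// hash_equals(), random_bytes() and array destructuring. The secret, the
// hostnames and the profile fields are placeholders.

const SHARED_SECRET  = 'replace-with-a-long-random-secret-shared-out-of-band';
const TOKEN_LIFETIME = 300;   // seconds a token is accepted after it was issued
const CLOCK_SKEW     = 60;    // tolerated difference between the two servers' clocks

// URL-safe base64 without padding, so the token can sit in a query string as-is.
function base64url(string $s): string       { return rtrim(strtr(base64_encode($s), '+/', '-_'), '='); }
function base64url_decode(string $s): string { return base64_decode(strtr($s, '-_', '+/')) ?: ''; }

// --- Partner (issuing) side ------------------------------------------------
// Called after the partner's own login has succeeded. $profile carries the
// signup data the receiving site needs to create the account on first visit.
function issue_sso_token(string $username, array $profile, string $secret = SHARED_SECRET): string
{
    $payload = [
        'user'  => $username,
        'email' => $profile['email'] ?? '',
        'iat'   => time(),                      // issued-at, for the freshness check
        'nonce' => bin2hex(random_bytes(16)),   // one-time value, for the replay check
    ];
    $body = base64url(json_encode($payload));
    $mac  = hash_hmac('sha256', $body, $secret);   // hex, 64 chars
    return $body . '.' . $mac;
}

// --- Receiving side --------------------------------------------------------
// Returns the verified payload, or null if anything about the token is wrong.
// $seen_nonces stands in for whatever store the receiving site uses to
// remember nonces for TOKEN_LIFETIME seconds (a DB table in practice).
function verify_sso_token(string $token, array &$seen_nonces,
                          string $secret = SHARED_SECRET, ?int $now = null): ?array
{
    $now   = $now ?? time();
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $mac] = $parts;

    // Recompute the MAC and compare in constant time. A forged or altered
    // body fails here no matter how unreadable it looks.
    $expected = hash_hmac('sha256', $body, $secret);
    if (!hash_equals($expected, $mac)) {
        return null;
    }

    $payload = json_decode(base64url_decode($body), true);
    if (!is_array($payload) || !isset($payload['user'], $payload['iat'], $payload['nonce'])) {
        return null;
    }

    // Freshness: a URL can be bookmarked, logged by proxies or mailed around.
    $age = $now - (int) $payload['iat'];
    if ($age > TOKEN_LIFETIME || $age < -CLOCK_SKEW) {
        return null;
    }

    // Replay: the same token must not log the user in twice.
    if (isset($seen_nonces[$payload['nonce']])) {
        return null;
    }
    $seen_nonces[$payload['nonce']] = $now;

    // Michael's "double check that username IS valid": only accept what the
    // local database and session code are prepared to handle.
    if (!preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $payload['user'])) {
        return null;
    }
    return $payload;
}

// --- Demo with constructed data -------------------------------------------
$nonces = [];
$token  = issue_sso_token('chris', ['email' => 'chris@partner.example']);
$url    = 'https://www.example.com/sso.php?token=' . urlencode($token);
echo "URL handed to the browser: $url\n";

echo "first use:   ", verify_sso_token($token, $nonces) ? 'accepted' : 'rejected', "\n";
echo "replay:      ", verify_sso_token($token, $nonces) ? 'accepted' : 'rejected', "\n";

// Flip the last hex digit of the MAC: body unchanged, signature wrong.
$last   = substr($token, -1);
$forged = substr($token, 0, -1) . ($last === '0' ? '1' : '0');
echo "altered MAC: ", verify_sso_token($forged, $nonces) ? 'accepted' : 'rejected', "\n";

// A token issued well outside the lifetime window.
echo "stale token: ", verify_sso_token(issue_sso_token('chris', []), $nonces, SHARED_SECRET,
                                       time() + TOKEN_LIFETIME + 1) ? 'accepted' : 'rejected', "\n";
```

The MAC, not the transport, is what ties the token to the partner: anything the client sends, Referer header included, can be set by the client, so the receiving script should rely on the verified payload alone. Send the URL over HTTPS so the token is not exposed in transit, and keep the lifetime short, since the token is a bearer credential for as long as it is valid.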
