Had another thought about this...

Have someone register against the first site - have it create
a quick key value, and store it locally.  Pass that via GET or POST
to one of YOUR sites.  Have your server hit the first server
with this key.

The first server would authenticate the validity of the key, then
mark it as used.  If you try to check the key again, it's bad.  Have
this key on the first server only last a few seconds (10-20?) so as to
prevent someone trying to hack against it.

Just another quick thought about your issue...



"Boget, Chris" wrote:

> I've been charged with trying to find out how something
> like this can be done if it is at all in fact possible.  The info
> I'm hoping to get is what would be involved and where I
> can find information on it.  I'm not asking for code or
> examples unless you really want to provide them. :P
>
> Anyways, what we need to be able to do is the following:
>
> * Have a user be able to authenticate on a *trusted* partner
> website that resides on a server external to our network.
>
> * Have that external website securely transmit information
> (preferably not on the URL :p) with regards to the
> authentication information on that user; the auth info
> will be the same on both servers.  This would allow the
> user streamlined access to the areas on our website that
> would otherwise require the user to log in without forcing
> them to do so.
>
> * The other aspect to the above that we also need to address is
> when a user signs up for the first time on the trusted partner's
> site, that signup information should be securely transmitted to
> us when/if the user attempts to access our site so we could set
> them up in the database and authenticate them by nature of the
> above.
>
> Is something like this possible?  What would be involved?  Is
> there something that is already built into Apache/PHP that
> would make it easier?  Someone suggested XML database transfer,
> but I've never heard of XML being anything other than a markup
> language much less capable of storing data?  It was also suggested
> that we use something like public key/private key but am not sure
> how that would work...
>
> We are using:
>
> Apache 1.3.12
> PHP 4.0.3pl1
> PHP4 Session based (not HTTP basic) authentication using MySQL
> to store the ID/PW
>
> I realize the security implications of something like this and have
> brought them up myself.  However, it's something that is being
> pushed and so I've got to look into it (and I don't even really know
> where to start) so please don't say it's stupid because I already know.
> :)  Is something like this possible?  What's involved?  Where can I go
> to learn more?
>
> Thanks!
>
> Chris
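
The one-time key scheme suggested in the reply above, sketched as an added example that is not code from either poster: the first server issues a short-lived key, and the second server redeems it over a server-to-server call, after which the key is dead. It assumes modern PHP (8.0 or later, not the PHP 4 of the thread); the class name `TicketStore`, the in-memory array standing in for a database table, and the clock values are all hypothetical.

```php
<?php
// Added illustration. In a real deployment the lookup-and-delete in redeem()
// must be a single atomic database operation so two racing requests cannot
// both succeed.
final class TicketStore
{
    // sha256(ticket) => ['user' => string, 'expires' => int]
    private array $tickets = [];

    public function __construct(private int $ttl = 15) {}

    // Runs on the first site once the user has authenticated there.
    public function issue(string $userId, int $now): string
    {
        $ticket = bin2hex(random_bytes(32));   // 256 random bits, not guessable
        // Store only a hash, so a leaked table does not yield usable keys.
        $this->tickets[hash('sha256', $ticket)] = [
            'user'    => $userId,
            'expires' => $now + $this->ttl,
        ];
        return $ticket;                        // handed to the browser via GET/POST
    }

    // Called by the second site's server, never by the browser.
    // Returns the user id on success, null for unknown, used or expired keys.
    public function redeem(string $ticket, int $now): ?string
    {
        $key = hash('sha256', $ticket);
        if (!isset($this->tickets[$key])) {
            return null;                       // never issued, or already used
        }
        $row = $this->tickets[$key];
        unset($this->tickets[$key]);           // mark used before answering
        return $now <= $row['expires'] ? $row['user'] : null;
    }
}

$store = new TicketStore(15);                  // keys live 15 seconds
$t0 = 1000;                                    // constructed clock value

$ticket = $store->issue('user42', $t0);
var_dump($store->redeem($ticket, $t0 + 3));    // first check, inside the window
var_dump($store->redeem($ticket, $t0 + 4));    // same key presented again

$late = $store->issue('user42', $t0);
var_dump($store->redeem($late, $t0 + 60));     // presented after the window closed
```

The server-to-server redeem call should itself run over TLS and be authenticated between the two sites, otherwise anyone who sees a key in transit can race the legitimate redemption.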


-- 
PHP General Mailing List (http://www.php.net/)