Robert Cummings wrote:
On Wed, 2007-03-14 at 14:50 +0000, Matthew Vickery wrote:
The situation is as follows:
I wish to protect the entire Website http://www.example.com from
direct URL access. i.e. if someone enters http://www.example.com into
their browser they get a message stating that they are not authorised
to access the site.  The only way to access http://www.example.com
should be to log into a second site http://www.intranet.com and follow
a link from within to http://www.example.com.

The problem:
I initially thought I should use the predefined PHP variable
$_SERVER['HTTP_REFERER'], but the PHP website explains that this
"cannot really be trusted"
(http://uk2.php.net/manual/en/reserved.variables.php).

Next I thought about HTTP authentication.  If I password protect the
Website using .htaccess and .htpasswd as follows:
Code:

AuthName "Login to access the Website"
AuthType Basic
AuthUserFile /var/www/vhosts/example.com/httpdocs/.htpasswd
Require user username


Then my link within http://www.intranet.com could simply be:
Code:

<a href="http://username:[EMAIL PROTECTED]">Link to example.com</a>


However this doesn't seem secure.  The username and password are
visible to anyone who views the source of the page with the link.
Also as these are not encrypted is it not possible for them to be
intercepted?

I could of course write my own authentication code on
http://www.example.com and pass a variable via a GET or POST from
http://www.intranet.com, which would cause a login and a cookie to be
set there.  But this is basically the same as above and still seems
insecure!

Is there a better/standard way to do this kind of thing?

So you want a user who has authenticated on domain A to be able to
transparently transfer to domain B? Do they share a common database? Do
you have scripting access to both systems?

Cheers,
Rob.


Hi Rob,

Thanks for your reply.

Yes, I want a user who has authenticated on domain A to be able to transparently transfer to domain B.
No, domains A and B don't share a common database.
I only have scripting access to domain B.

Basically I am creating a mini-site on my Web server (domain B) that a company needs to access securely via their Intranet (domain A), hopefully without the need to setup an extensive user database and login system on my Web server that will be additional to their Intranet login...

I hope this makes things clearer?

Cheers, Matthew

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
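The thread ends without an answer to the "better/standard way" question, so here is an added example that is not part of the thread: the usual replacement for passing a bare variable from domain A to domain B is a signed, expiring hand-off link. The intranet signs "user|expiry|nonce" with a secret shared between A and B (an assumption: it requires the intranet side to run one small function when it renders the link, and both sites to be served over HTTPS so the query string is not readable on the wire); domain B recomputes the HMAC, checks the expiry, rejects a nonce it has already redeemed, and only then starts its own session. The constant names, the `LINK_TTL` value and the in-memory `$seen_nonces` store are assumptions for illustration.

```php
<?php
// Added example, not code from the original thread.
// Assumption: SHARED_SECRET holds the same long random value on the
// intranet (domain A) and on the mini-site (domain B); LINK_TTL is the
// number of seconds a link stays valid.
const SHARED_SECRET = 'replace-with-a-long-random-secret';
const LINK_TTL = 300;

// Canonical string that gets signed. The separator cannot appear in a
// username or a decimal timestamp, so fields cannot be re-split to collide.
function canonical(string $user, int $expires, string $nonce): string
{
    return implode('|', [$user, (string) $expires, $nonce]);
}

// Domain A side: build the link the intranet page embeds.
function make_handoff_url(string $base, string $user, int $now, string $nonce): string
{
    $expires = $now + LINK_TTL;
    $sig = hash_hmac('sha256', canonical($user, $expires, $nonce), SHARED_SECRET);
    return $base . '?' . http_build_query([
        'user'  => $user,
        'exp'   => $expires,
        'nonce' => $nonce,
        'sig'   => $sig,
    ]);
}

// Domain B side: validate the query string before starting a session.
// $seen_nonces stands in for whatever store B keeps of redeemed nonces
// (a table keyed by nonce, pruned of rows older than LINK_TTL).
// Returns the authenticated username, or null if the link is rejected.
function verify_handoff(array $query, int $now, array &$seen_nonces): ?string
{
    foreach (['user', 'exp', 'nonce', 'sig'] as $k) {
        if (!isset($query[$k]) || !is_string($query[$k])) {
            return null;
        }
    }
    if (!ctype_digit($query['exp'])) {
        return null;
    }
    $expires = (int) $query['exp'];
    if ($now > $expires || $expires - $now > LINK_TTL) {
        return null; // expired, or an "exp" further out than A would ever issue
    }
    if (isset($seen_nonces[$query['nonce']])) {
        return null; // replay of a link that was already redeemed
    }
    $expected = hash_hmac('sha256', canonical($query['user'], $expires, $query['nonce']), SHARED_SECRET);
    if (!hash_equals($expected, $query['sig'])) {
        return null; // forged or tampered; hash_equals avoids a timing side channel
    }
    $seen_nonces[$query['nonce']] = $expires;
    return $query['user'];
}

// Demonstration with a constructed link (this is the part that would run
// on domain B when the user arrives).
$nonce = bin2hex(random_bytes(16));
$url = make_handoff_url('https://www.example.com/', 'alice', time(), $nonce);
parse_str((string) parse_url($url, PHP_URL_QUERY), $q);

$seen = [];
var_dump(verify_handoff($q, time(), $seen));  // string(5) "alice": fresh, valid link
var_dump(verify_handoff($q, time(), $seen));  // NULL: same nonce, replay rejected

$fresh = [];
$tampered = $q;
$tampered['user'] = 'bob';
var_dump(verify_handoff($tampered, time(), $fresh));  // NULL: signature no longer matches

$stale = [];
var_dump(verify_handoff($q, time() + LINK_TTL + 1, $stale));  // NULL: expired
```

On domain B the only thing the verified link does is `session_start(); $_SESSION['user'] = $user;` followed by a redirect to a clean URL, so the signed parameters never sit in a bookmark or a referrer header; everything after that is gated on the session cookie, not on the link. Requests that carry no valid link and no session get the "not authorised" page. This keeps B free of a user database, which was the stated goal, at the cost of one shared secret and one signing function on the intranet.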