Re: [PHP] Re: [PHP-DB] Cross site authentication

2001-09-20 Thread Justin Buist

My reason for using SSL was that the username/password combination
wouldn't be transmitted in plaintext... that's all.  If you're passing the
credentials in plaintext to the Win2k machine though going to SSL for the
auth on PHP/Linux wouldn't really make any sense I suppose.

Justin Buist
Trident Technology, Inc.
4700 60th St. SW, Suite 102
Grand Rapids, MI  49512
Ph. 616.554.2700
Fx. 616.554.3331
Mo. 616.291.2612

On Wed, 19 Sep 2001, Evan Nemerson wrote:

 SSL would be useless. It has no facilities for authentication, which is what
 we need here. Basically, SSL encrypts communications between two computers-
 it doesn't care which two and is therefore vulnerable to man-in-the-middle
 attacks.


 On Wednesday 19 September 2001 08:22, you wrote:
   Customers are authenticating through an IIS server against a database on
   Win2K.  How do I securely pass this information to a separate
   PHP/apache/UNIX system? Since any parameters could be forged, it seems
   I'd need a cryptographic approach.  Does anyone have experience with a
   cross-platform solution (ASP/IIS/Win2K and PHP/apache/Linux)?
 
  Perhaps I'm making this too simple; but what exactly is the problem?  You
  have a DB on a Win2k box with user authentication information and some
  scripts in IIS that use that to handle user logins, right?  When you toss
  them over to the PHP/Linux system do it via SSL, encode the
  username/password in some GET or POST data, and let the PHP scripts
  authenticate them against the same Win2k database, then give them a
  session variable with their user credentials.
 
  This is of course assuming that you can get the PHP on Linux and your DB
  on Win2k talking, which might currently be prevented by a networking
  issue.  If you can't fix the network look into mechanisms for replicating
  the data from the Win2k machine to the Linux machine on a nightly/hourly
  basis.
 
  Justin Buist
  Trident Technology, Inc.
  4700 60th St. SW, Suite 102
  Grand Rapids, MI  49512
  Ph. 616.554.2700
  Fx. 616.554.3331
  Mo. 616.291.2612



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




RE: [PHP] Re: [PHP-DB] Cross site authentication

2001-09-19 Thread Hoover, Josh

A combination of IP restriction and basic authentication over SSL, while not
ideal, would probably be better than most alternatives I can think of.

Josh Hoover
KnowledgeStorm, Inc.
[EMAIL PROTECTED]


 SSL avoids the problem of someone sniffing the plain text data.  We
 still have the problem: what data do we send?  Anyone can forge
 credentials and send them over SSL. How does B know it came from A?  I'm
 thinking of some key exchange method, but portability between the
 Microsoft and UNIX worlds makes this even trickier.
 
 -- 
 Bill Lubanovic
 Mad Scheme Limited



Re: [PHP] Re: [PHP-DB] Cross site authentication

2001-09-19 Thread Evan Nemerson

If you need the data to be secure, you could probably just encrypt it with 
mcrypt. If you want to make sure it wasn't forged, you want to have A sign 
the data, then have B check it. If I were you, I would look at GNU Privacy 
Guard. You can just use some backticks and you're set. If you have any 
questions e-mail me... this sounds interesting.





On Wednesday 19 September 2001 07:36, you wrote:
 Rick Gardner wrote:
  Would a solution like xml-rpc work?
 
  On Wednesday, September 19, 2001, at 09:43 AM, Bill Lubanovic wrote:
   Customers are authenticating through an IIS server against a database
   on Win2K.  How do I securely pass this information to a separate
   PHP/apache/UNIX system? Since any parameters could be forged, it seems
   I'd need a cryptographic approach.  Does anyone have experience with a
   cross-platform solution (ASP/IIS/Win2K and PHP/apache/Linux)?
  ...

 XML-RPC or SOAP structure the data better than GET or POST, but they
 don't address the security issues.  We can't send names, passwords, or
 ids, no matter how we wrap them.   How can platform A tell platform B
 that it's authenticated someone?  How can B trust A?
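
Added example, not part of the original thread: the "A signs the data, B checks it" idea from the message above, sketched in PHP for the PHP/Apache side. It uses HMAC-SHA256 with a shared key in place of the GnuPG signature suggested in the message; the key, field names, 60-second lifetime and replay cache are assumptions.

```php
<?php
// Site A (the IIS login host) issues a signed assertion after login;
// site B (PHP/Apache) verifies it. SHARED_KEY is a constructed placeholder.
const SHARED_KEY = 'constructed-demo-key-replace-with-32-random-bytes';
const MAX_AGE    = 60; // seconds an assertion stays valid (assumed value)

function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// What A computes after a successful login. Shown in PHP for symmetry;
// any platform with HMAC-SHA256 can produce the same token.
function issue_assertion(string $user, int $now): string {
    $payload = b64url(json_encode(['user' => $user, 'iat' => $now,
                                   'nonce' => bin2hex(random_bytes(8))]));
    $mac = b64url(hash_hmac('sha256', $payload, SHARED_KEY, true));
    return "$payload.$mac";
}

// What B runs on the incoming GET/POST parameter. Returns the user name,
// or null if the token is malformed, forged, stale, or already used.
function verify_assertion(string $token, int $now, array &$seen): ?string {
    $parts = explode('.', $token);
    if (count($parts) !== 2) return null;
    [$payload, $mac] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, SHARED_KEY, true));
    if (!hash_equals($expected, $mac)) return null;        // constant-time compare
    $claims = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($claims)
        || !isset($claims['user'], $claims['iat'], $claims['nonce'])) return null;
    if (abs($now - $claims['iat']) > MAX_AGE) return null; // expired or clock skew
    if (isset($seen[$claims['nonce']])) return null;       // replayed token
    $seen[$claims['nonce']] = true;
    return $claims['user'];
}

$seen = [];   // stand-in for B's replay cache (hypothetical; use shared storage)
$now  = time();
$tok  = issue_assertion('alice', $now);
var_dump(verify_assertion($tok, $now, $seen));   // fresh token from A
var_dump(verify_assertion($tok, $now, $seen));   // the same token presented again
// Payload rewritten by someone without the key, old MAC reused:
$forged = b64url(json_encode(['user' => 'admin', 'iat' => $now, 'nonce' => 'x']))
        . '.' . explode('.', $tok)[1];
var_dump(verify_assertion($forged, $now, $seen));
var_dump(verify_assertion(issue_assertion('bob', $now - 300), $now, $seen)); // stale
```

The token carries no password and is not encrypted, so it still travels over SSL; the MAC is what lets B tell that the assertion came from A.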





Re: [PHP] Re: [PHP-DB] Cross site authentication

2001-09-19 Thread Evan Nemerson

SSL would be useless. It has no facilities for authentication, which is what 
we need here. Basically, SSL encrypts communications between two computers- 
it doesn't care which two and is therefore vulnerable to man-in-the-middle 
attacks.


On Wednesday 19 September 2001 08:22, you wrote:
  Customers are authenticating through an IIS server against a database on
  Win2K.  How do I securely pass this information to a separate
  PHP/apache/UNIX system? Since any parameters could be forged, it seems
  I'd need a cryptographic approach.  Does anyone have experience with a
  cross-platform solution (ASP/IIS/Win2K and PHP/apache/Linux)?

 Perhaps I'm making this too simple; but what exactly is the problem?  You
 have a DB on a Win2k box with user authentication information and some
 scripts in IIS that use that to handle user logins, right?  When you toss
 them over to the PHP/Linux system do it via SSL, encode the
 username/password in some GET or POST data, and let the PHP scripts
 authenticate them against the same Win2k database, then give them a
 session variable with their user credentials.

 This is of course assuming that you can get the PHP on Linux and your DB
 on Win2k talking, which might currently be prevented by a networking
 issue.  If you can't fix the network look into mechanisms for replicating
 the data from the Win2k machine to the Linux machine on a nightly/hourly
 basis.

 Justin Buist
 Trident Technology, Inc.
 4700 60th St. SW, Suite 102
 Grand Rapids, MI  49512
 Ph. 616.554.2700
 Fx. 616.554.3331
 Mo. 616.291.2612
