A few things to try:
1. Use session variables that expire after a certain time. The remote
host, your partner, has to contact your host every X hours to get a new
session key and all communication is done for that period of time using
that key in the URL.
2. Use difficult-to-guess user
Have the user log in to/authenticate against the first server.
That server generates a key, based on combining the username and a private
key known to the authenticating server and your servers.
Pass that back to your servers in a URL - cookie wouldn't work, but the key
in the URL should be
Have the user log in to/authenticate against the first server.
That server generates a key, based on combining the username
and a private key known to the authenticating server and your
servers.
Pass that back to your servers in a URL - cookie wouldn't
work, but the key in the URL should
Infrastructure Technology Provider
-Original Message-
From: Michael Kimsal [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 23, 2001 12:32 PM
To: Boget, Chris
Cc: Php (E-mail)
Subject: Re: [PHP] "Authenticating" across sites/servers
Have the user log in to/authentica
Boget, Chris wrote:
Also, you can check the value of $HTTP_REFERER for the IP of
the trusted host, to further eliminate the potential.
How do you get the IP out of $HTTP_REFERER? As far as I know,
that only tells you the referring URL, not the IP address.
This is correct. But you
Here is an idea I had, but will require that all the sites in question
maintain very accurate clock synchronization, but doesn't require any
database writes. It assumes that the passwords are stored using MySQL's
PASSWORD("") function.
$user_table="website.authorized_users";
$now=gmmktime();
"Boget, Chris" wrote:
One other thing that I forgot to include in my previous message as
a concern of mine and it relates to the above. If we did it that way,
someone who was listening to a port on the client's server, or who
came by later to use the same machine the client was using