Re: [PHP] Authenticating across sites/servers
A few things to try:

1. Use session variables that expire after a certain time. The remote host, your partner, has to contact your host every X hours to get a new session key and all communication is done for that period of time using that key in the URL.
2. Use difficult to guess user identifiers, i.e. a 32 char alpha/numeric word as in phplib.
3. Identify the remote partner with a similar key.
4. When someone registers on the remote site, have their site call your site with the user details.
5. Don't bother with registering users, but every time a "new" user comes to your site, contact your partner site to verify who they are, and if valid create an account for the new user.

The easiest way is to have the remote host register new users on your site when they register on their site, then they pass a partner identifier and user identifier to your site to access your services.

Donncha.

Kyle Jerviss wrote:
> Here is an idea I had, but will require that all the sites in question maintain very accurate clock synchronization, but doesn't require any
>
> "Boget, Chris" wrote:
> > I've been charged with trying to find out how something like this can be done if it is at all in fact possible. The info I'm hoping to get is what would be involved and where I can find information on it. I'm not asking for code or examples unless you really want to provide them. :P
> >
> > Anyways, what we need to be able to do is the following:

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] Authenticating across sites/servers
Have the user log in to/authenticate against the first server. That server generates a key, based on combining the username and a private key known to the authenticating server and your servers. Pass that back to your servers in a URL - cookie wouldn't work, but the key in the URL should be sufficiently garbled so as to not be decipherable easily.

Have your server decipher the key based on the private key shared between the servers. You should then have the user name, which you can then use internally to your system however you need to. (double check that username IS valid, for starters).

You might also want to search google for info on how microsoft's passport service works - but I think this is cookie based, and is limited in its functionality.

"Boget, Chris" wrote:
> I've been charged with trying to find out how something like this can be done if it is at all in fact possible. The info I'm hoping to get is what would be involved and where I can find information on it. I'm not asking for code or examples unless you really want to provide them. :P
>
> Anyways, what we need to be able to do is the following:
>
> * Have a user be able to authenticate on a *trusted* partner website that resides on a server external to our network.
> * Have that external website securely transmit information (preferably not on the URL :p) with regards to the authentication information on that user; the auth info will be the same on both servers. This would allow the user streamlined access to the areas on our website that would otherwise require the user to log in without forcing them to do so.
> * The other aspect to the above that we also need to address is when a user signs up for the first time on the trusted partner's site, that signup information should be securely transmitted to us when/if the user attempts to access our site so we could set them up in the database and authenticate them by nature of the above.
>
> Is something like this possible? What would be involved? Is there something that is already built into Apache/PHP that would make it easier? Someone suggested XML database transfer, but I've never heard of XML being anything other than a markup language much less capable of storing data? It was also suggested that we use something like public key/private key but am not sure how that would work...
>
> We are using:
> Apache 1.3.12
> PHP 4.0.3pl1
> PHP4 Session based (not HTTP basic) authentication using mySql to store the ID/PW
>
> I realize the security implications of something like this and have brought them up myself. However, it's something that is being pushed and so I've got to look into it (and I don't even really know where to start) so please don't say it's stupid because I already know. :)
>
> Is something like this possible? What's involved? Where can I go to learn more?
>
> Thanks!
>
> Chris
RE: [PHP] Authenticating across sites/servers
> Have the user log in to/authenticate against the first server. That server generates a key, based on combining the username and a private key known to the authenticating server and your servers. Pass that back to your servers in a URL - cookie wouldn't work, but the key in the URL should be sufficiently garbled so as to not be decipherable easily.
>
> Have your server decipher the key based on the private key shared between the servers. You should then have the user name, which you can then use internally to your system however you need to. (double check that username IS valid, for starters).

One other thing that I forgot to include in my previous message as a concern of mine and it relates to the above. If we did it that way, someone who was listening to a port on the client's server, or who came by later to use the same machine the client was using previously to do this could get this somehow encrypted information and log in as the previous user since we wouldn't require authentication because said authentication would have already been done on the trusted website. So essentially a 3rd party could conceivably obtain this information that was posted with the URL (which is why I didn't want to pass this information via GET) to access our site and wreak havoc. I definitely want to minimize this possibility.

> You might also want to search google for info on how microsoft's passport service works - but I think this is cookie based, and is limited in its functionality.

Ok, I'll check it out.

Thanks!

Chris
RE: [PHP] Authenticating across sites/servers
Also, you can check the value of $HTTP_REFERER for the ip of the trusted host, to further eliminate the potential.

Best regards,
Andrew

Andrew Hill
Director Technology Evangelism
OpenLink Software  http://www.openlinksw.com
XML E-Business Infrastructure Technology Provider

-Original Message-
From: Michael Kimsal [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 23, 2001 12:32 PM
To: Boget, Chris
Cc: Php (E-mail)
Subject: Re: [PHP] "Authenticating" across sites/servers

Have the user log in to/authenticate against the first server. That server generates a key, based on combining the username and a private key known to the authenticating server and your servers. Pass that back to your servers in a URL - cookie wouldn't work, but the key in the URL should be sufficiently garbled so as to not be decipherable easily.

Have your server decipher the key based on the private key shared between the servers. You should then have the user name, which you can then use internally to your system however you need to. (double check that username IS valid, for starters).

You might also want to search google for info on how microsoft's passport service works - but I think this is cookie based, and is limited in its functionality.
Re: [PHP] Authenticating across sites/servers
Boget, Chris wrote:
> > Also, you can check the value of $HTTP_REFERER for the ip of the trusted host, to further eliminate the potential.
>
> How do you get the IP out of $HTTP_REFERER? As far as I know, that only tells you the referring url, not the ip address.

This is correct. But you could extract the hostname and do a dns-lookup, if you wish. But the hostname should suffice, shouldn't it?

> And couldn't that value be messed with?

Sure it can. It is sent by the browser, so the client (or proxy-servers) can manipulate or delete it. Anyway, it's from the wrong side of the trust boundary.

Wagner
-- 
One maniac alone can do what 20 together cannot
Re: [PHP] Authenticating across sites/servers
Here is an idea I had, but will require that all the sites in question maintain very accurate clock synchronization, but doesn't require any database writes. It assumes that the passwords are stored using MySQL's PASSWORD("") function.

$user_table="website.authorized_users";
$now=gmmktime();                 // current time, UTC
$interval=300;                   // width of one time window, in seconds
$rnow=$now-($now%$interval);     // start of the current window
$persist=6;                      // earlier windows that are still accepted

// Partner side: check the password and, if it is right, derive the key
// for the current time window from user, stored password hash and window.
function auth_hash($user,$pass){
    global $user_table,$rnow;
    // escape user-supplied values before they go into SQL; the hash
    // below uses the unescaped $user so both sides compute the same input
    $q='SELECT PASSWORD("'.addslashes($pass).'") as p1, password as p2 FROM '.
       $user_table.' WHERE username="'.addslashes($user).'"';
    $r=mysql_query($q);
    $row=mysql_fetch_array($r);
    if($row && $row['p1']==$row['p2']){
        // hex-encode the raw MD5 bytes so the key can travel in a URL
        $retval=bin2hex(mhash(MHASH_MD5,$user.$row['p2'].$rnow));
    }else{
        $retval=FALSE;
    }
    return $retval;
}

// Our side: accept the key if it matches the current window or one of
// the $persist windows before it (allows for clock drift and latency).
function auth_logon($key,$user){
    global $user_table,$rnow,$persist,$interval;
    $q='SELECT password FROM '.$user_table.' WHERE username="'.addslashes($user).'"';
    $r=mysql_query($q);
    $row=mysql_fetch_array($r);
    if(!$row){
        return FALSE;
    }
    for($i=0;$i<=$persist;$i++){
        $str=$user.$row['password'].($rnow-($interval*$i));
        $hash=bin2hex(mhash(MHASH_MD5,$str));
        if($key==$hash){
            return TRUE;
        }
    }
    return FALSE;
}
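The same time-window idea, written here as an added example in Python (not code from the thread or from any poster), hardened on two points: the key is an HMAC under a secret shared only by the two servers instead of an MD5 over the stored password hash, and a one-time nonce is recorded so that a key captured from a URL, the concern Chris raised earlier in the thread, cannot be replayed. SHARED_SECRET, INTERVAL, PERSIST and the function names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed values for the example; a real deployment provisions one
# secret per partner out of band and never derives it from user data.
SHARED_SECRET = b"example-partner-secret"
INTERVAL = 300   # seconds per time window, as in the scheme above
PERSIST = 6      # earlier windows still accepted, as in the scheme above


def window_start(now: int) -> int:
    """Start of the time window that contains the timestamp `now`."""
    return now - (now % INTERVAL)


def _mac(user: str, win: int, nonce: str, secret: bytes) -> str:
    msg = f"{user}|{win}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_token(user: str, now: int, secret: bytes = SHARED_SECRET) -> str:
    """Partner site: bind user, current window and a fresh nonce under the shared secret."""
    if "|" in user:
        raise ValueError("username must not contain the field separator")
    nonce = secrets.token_hex(8)
    return f"{user}|{nonce}|{_mac(user, window_start(now), nonce, secret)}"


def verify_token(token: str, now: int, seen_nonces: set,
                 secret: bytes = SHARED_SECRET):
    """Our site: return the username if the MAC matches the current window or one
    of the PERSIST previous ones and the nonce is unseen; otherwise None."""
    parts = token.split("|")
    if len(parts) != 3:
        return None
    user, nonce, mac = parts
    if nonce in seen_nonces:
        return None  # replay of a key captured from a URL or browser history
    current = window_start(now)
    for i in range(PERSIST + 1):
        expected = _mac(user, current - i * INTERVAL, nonce, secret)
        if hmac.compare_digest(expected, mac):  # constant-time comparison
            seen_nonces.add(nonce)  # entries older than PERSIST windows can be pruned
            return user
    return None
```

The nonce store needs only PERSIST + 1 windows of history, and the token should still be sent by POST rather than in a GET URL so it stays out of logs and referer headers.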
Re: [PHP] Authenticating across sites/servers
"Boget, Chris" wrote:
> One other thing that I forgot to include in my previous message as a concern of mine and it relates to the above. If we did it that way, someone who was listening to a port on the client's server, or who came by later to use the same machine the client was using previously to do this could get this somehow encrypted information and log in as the previous user since we wouldn't require authentication because said authentication would have already been done on the trusted website. So essentially a 3rd party could conceivably obtain this information that was posted with the URL (which is why I didn't want to pass this information via GET) to access our site and wreak havoc. I definitely want to minimize this possibility.

True, this is a possibility. Do a post, not a get. Might eliminate a small possibility.

A lot of this coordination (or other gyrations you could come up with) require some cooperation from this 'outside' server. How 'outside' is it? If you need to change a key or algorithm, how much can they accommodate? Rhetorical questions mostly - you'll have to take all this into account.

Not sure I see the whole benefit of a scheme like this. I mean, I sort of do, but it's a lot of hassle, and introduces extra security issues at the expense of an extremely small amount of user inconvenience (which they need to put up with at every other site on the web anyway - you're not at a significant usability disadvantage).