AJ, Maybe I'm misunderstanding the problem, but this seems like it may be a job for OAuth:
http://oauth.net/

Thanks,
Bradley

On 4/15/09, AJ ONeal <[email protected]> wrote:
> *Short:*
> A user which exists on one site must be able to use the API of another site
> without logging in to that site. I think a token mechanism is the way to go
> but I want input.
>
> The *problem* is that John is logged into JT, not CM, and he doesn't have an
> account on CM.
>
> The *proposed solution*
>
> 1. John submits his credentials to JT.
> 2. John is validated.
> 3. JT makes a request to CM using curl, sending a valid username and
> password (and possibly the IP address will be checked).
> 4. CM sends back a token (which CM will store in a database or file).
> 5. JT then hands that token back to the browser.
> 6. The browser, receiving the token, makes a request to CM to login using
> the token.
> 7. CM checks the token's timestamp, checks the token, starts the session,
> and deletes the token.
> 8. John inputs some new data and submits it to CM via AJAX through the JT
> interface.
>
> *Poll:*
> Does this sound like a good solution or is there something more simple /
> elegant which I haven't thought of?
>
> *More background* info in case I was too brief above:
> I have a php site called Contact Manager which holds information for users
> in different departments.
>
> I have another site on another server called Job Tracker which is used to
> track support requests from those users. We plan to have other sites like
> this which use the CM database directly through PHP or indirectly through
> AJAX.
>
> John is logged in to JT and he can see user details from CM.
> This is done by the php backend by joining the two databases.
>
> John also needs to be able to edit these details.
> This will be done by an AJAX request using an API on CM.
>
> P.S. What do you call XSS when you're talking about proper XSS rather than
> malicious XSS?
>
> AJ ONeal

-- 
http://bradley-holt.blogspot.com/
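The CM side of steps 3, 4 and 7 in the quoted proposal (mint a token for a user JT has already authenticated, then let the browser redeem it exactly once before it expires), as an added example that is not part of this thread or of either site's code; it is in Python rather than the sites' PHP, and the `TokenStore` class, the shared-secret table and the injectable clock are my own assumptions about how CM would be structured.

```python
import hmac
import secrets
import time

# Constructed service credentials for the JT -> CM server-to-server call (step 3).
# Hypothetical values; in practice the secret is shared out of band and stored hashed.
JT_SERVICE_CREDENTIALS = {"jt": "constructed-shared-secret"}


class TokenStore:
    """CM-side store of one-time login tokens (steps 4 and 7 of the proposal)."""

    def __init__(self, ttl_seconds=60, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock            # injectable so expiry can be tested offline
        self._tokens = {}             # token -> (username, issued_at)

    def issue_token(self, caller, secret, username):
        """Steps 3-4: JT proves it is JT, then CM mints a token for `username`.

        The caller's secret is compared in constant time so a wrong guess does not
        leak how many leading characters matched.
        """
        expected = JT_SERVICE_CREDENTIALS.get(caller)
        if expected is None or not hmac.compare_digest(
            expected.encode("utf-8"), secret.encode("utf-8")
        ):
            return None               # unknown caller or wrong secret: no token
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: unguessable
        self._tokens[token] = (username, self.clock())
        return token

    def redeem_token(self, token):
        """Step 7: check the timestamp, return the user to start a session for, and
        delete the token. pop() removes the token whether or not it is still valid,
        so a captured token cannot be replayed; with a database store the equivalent
        is a single DELETE that returns the row, not a SELECT followed by a DELETE."""
        record = self._tokens.pop(token, None)
        if record is None:
            return None               # unknown, already used, or forged token
        username, issued_at = record
        if self.clock() - issued_at > self.ttl:
            return None               # expired: step 7's timestamp check
        return username
```

Expiry is short on purpose: the token only has to survive the round trip through the browser in steps 5 and 6, so a TTL of a minute or less limits how long a leaked one is worth anything.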
