Re: [Phplib-users] Basic authentication
From: Kevin F. <fre...@ip...> - 2002-02-01 19:02:45
I would say that you use the IP address of the user coming from A to B and some secret known only to A and B to encrypt the data and append it to the URL. When you get the forwarded link from A the user "should" still be using the same IP address. You can then decode the user account info and add it if needed to B. Then proceed with logging the user in with the passed information. The idea could also be expanded to include a dynamic piece of information that is also used in the key and sent in plain text to detect any URL hacking.

Kevin Fredrick
Software Technician
Walter E. Helmke Library
Indiana University - Purdue University Fort Wayne
260-481-5445
http://www.lib.ipfw.edu/

>>> "Chris Johnson" <ch...@ch...> 02/01/02 01:48PM >>>
1) "combined server log" is just the style of server log being used on my Apache webserver.

2) My problem with the authentication is that I do not control the source server in any fashion. In other words, users will signon to server A owned and operated by another company with which my company has an agreement to provide services. They will click on a link to go to my server B. We want them to be able to do that without signing on again. We will register users coming from A to B in our user database on B, so we know who all valid users are. I just need a way to know it IS a valid user coming from A. Thus, I need to tell the programmer at company A how to specify the user to my server at B via the URL in such a fashion that it is secure and I can reliably know they are authenticated at A and who they are.

I'm using HTTPS for all connections, so it's only the URL I'd really have to worry about being hacked. All other data should be encrypted, should it not?

..chris

----- Original Message -----
From: "Peter Kursawe" <su...@si...>
To: <php...@li...>
Sent: Friday, February 01, 2002 12:01 AM
Subject: Re: [Phplib-users] Basic authentication

Hello Chris,

here are some ideas on your problems:

> 1) Get the user name in the combined web server log. (I use apache, and
> have not had any luck with other methods.) This is lower priority.

I do not understand the phrase "... in the combined server log"?

> "single signon" capability -- that is, they logged in at the other site, and
> the URL needs to contain the information that they logged in with. As you
> know, the standard URL form is something like:
>
> [protocol]://[username]:[password]@host.domain.name:[port]/document_path

I never ever would send passwords in a URL - very good opportunity for hackers!

My plan (not realized yet!) to provide a single-sign-on:

On server A there is a user database. On another server B the user U calls a page for the first time. B recognizes that U isn't logged in and redirects the URL to a log on page at A. The URL must contain information that this request comes from B. U logs on. A opens a session with phplib and redirects the URL back to B including the session-id. B uses a tool like XML/RPC to establish a connection to A and read the user information required. Instead of XML/RPC you may force A to write a file with the necessary user information and B can do a simple fopen.

Further actions depend on your demands: If you do not use session variables, all is perfect. Every page on B can check if the user is still logged in at A. Or you have a phplib at B also to check that.

This is a raw outline. In fact you have to do some more customizing. E.g. the server A must not give access to the user-files mentioned from other servers than B ...

Sounds complicated, I know. But it's very secure (I hope so at least ;-))

Peter Kursawe
www.learn4use.com

_______________________________________________
Phplib-users mailing list
Php...@li...
https://lists.sourceforge.net/lists/listinfo/phplib-users
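An added illustration of the shared-secret handoff Kevin describes (example code, not from this thread or from phplib): instead of encrypting the data, server A appends an HMAC over the username, a timestamp plus nonce (the "dynamic piece" sent in clear) and the client IP, and server B recomputes it with the same secret. The secret, the 300-second lifetime and the addresses are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder: in deployment A and B share this out of band.
SHARED_SECRET = b"example-shared-secret-not-for-production"
TOKEN_TTL = 300  # seconds a handoff link stays valid (assumption)


def _mac(secret, username, ts, nonce, client_ip):
    # urlencode gives an unambiguous canonical form, so a username
    # containing "&" or "=" cannot collide with a different field set.
    msg = urlencode({"u": username, "t": ts, "n": nonce, "ip": client_ip})
    return hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()


def make_handoff_url(base_url, username, client_ip, secret=SHARED_SECRET, now=None):
    """Server A: build the link that sends an authenticated user to B."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)  # the "dynamic piece", sent in plain text
    sig = _mac(secret, username, ts, nonce, client_ip)
    return base_url + "?" + urlencode({"u": username, "t": ts, "n": nonce, "s": sig})


def verify_handoff(url, client_ip, secret=SHARED_SECRET, now=None,
                   ttl=TOKEN_TTL, seen_nonces=None):
    """Server B: return the username if the link is genuine, else None."""
    q = parse_qs(urlparse(url).query)
    try:
        username, ts_str, nonce, sig = (q[k][0] for k in ("u", "t", "n", "s"))
        ts = int(ts_str)
    except (KeyError, ValueError):
        return None
    now = int(time.time() if now is None else now)
    # Reject expired links and links dated in the future (small clock skew allowed).
    if not (now - ttl <= ts <= now + 60):
        return None
    # Binding to client_ip only holds when A and B see the same address;
    # NAT, proxies and mobile clients break that, so treat it as defense in depth.
    expected = _mac(secret, username, ts, nonce, client_ip)
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    # B must remember nonces within the TTL, or a captured link can be replayed.
    if seen_nonces is not None:
        if nonce in seen_nonces:
            return None
        seen_nonces.add(nonce)
    return username
```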